[Bro] Tables and Strings

anthony kasza anthony.kasza at gmail.com
Wed May 28 11:28:08 PDT 2014


Tables also have nice key/value expire functionality that can help curb
their size.

-AK
On May 28, 2014 11:22 AM, "Josh Liburdi" <liburdi.joshua at gmail.com> wrote:

> Brian,
>
> Taking a guess, your difficulty might be stemming from trying to use a
> table type when instead you may want to use a set type. In the Bro
> language, a table always has an index and yield, but a set is just a list
> ... if you only want a list of sites users are visiting (no indexes or
> yields, only a list), then the set type is what you should use. Here's a
> simple example (hopefully the script formatting comes through correctly):
>
> global websites: set[string];
>
> event http_header(c: connection, is_orig: bool, name: string, value: string)
> {
> if ( name == "HOST" )
>     if ( value !in websites )
>         add websites[value];
> }
>
> event bro_done()
> {
> print websites;
> }
>
> Keep in mind that in production, the websites set is likely to grow
> enormously and could cause memory issues. For local testing with pcap, the
> above script will print the seen host values to stdout when Bro finishes.
> Alternatively, if you want a table of the originating hosts by the websites
> they connected to ...
>
> global websites: table[string] of set[addr];
>
> event http_header(c: connection, is_orig: bool, name: string, value: string)
> {
> if ( name == "HOST" )
>   {
>   if ( value !in websites )
>     {
>     # first time this Host value is seen: create the empty yield set
>     websites[value] = set();
>     print "found a new website! " + value;
>     # ^^^ could raise notice here instead
>     }
>   # record the client for both new and already-known sites
>   add websites[value][c$id$orig_h];
>   }
> }
>
> event bro_done()
> {
> print websites;
> }
>
> Same caveat as before regarding the size of the table and running in
> production, but the above table contains indexes of websites with yields
> that are sets of the originating hosts who connected to those sites; the
> table is printed to stdout when Bro finishes. If you want to take this to
> production, you'd likely be better off writing the websites set/table to a
> file and re-reading it with the input framework ... I haven't had a need to
> explore doing that yet, so I don't have much experience there.
>
> - Josh
>
>
> On Wed, May 28, 2014 at 10:03 AM, Brian Chilton <chilton.brian at yahoo.com> wrote:
>
>> all,
>>
>> I will apologize up front for my lack of knowledge in this subject, but
>> after 3 weekends of 8 to 12 hours searching I have officially hit the end
>> of the road, so I am reaching out to the community hoping you all might have
>> some answers.  What I'm trying to do is simple in context; I just don't know
>> the language well enough to do it. Here is the logic.
>>
>> if (http connection established and method is post)
>> check to see whether we have visited this site before (compare against master
>> list (or table))
>> if visited this site before
>> ------ignore connection
>> if site is newly visited
>> ------add site to list or table, and alert
>>
>> really simple in logic, but for the life of me I cannot figure out how to
>> add to a list or table after comparing to that table. Hopefully I
>> explained this well enough, but if I didn't please let me know and I will
>> try my best to explain it better.
>>
>>
>> thanks,
>>
>> Brian,
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>
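Brian's logic above (alert only when a POST names a Host not seen before), built from the set/table idiom in Josh's reply plus the table expiry Anthony mentions, as an added Bro script that is not from anyone in the thread. The module name, the notice type New_POST_Host, the seen_expire constant and its one-day value are assumptions for the example, not names from the list.

```zeek
@load base/frameworks/notice

module NewPostHost;   # assumed module name

export {
    redef enum Notice::Type += {
        ## Raised the first time a POST request names a given Host (assumed name).
        New_POST_Host
    };

    ## How long a Host entry lives; once it expires the next POST to that
    ## site alerts again. The one-day interval is a constructed value.
    const seen_expire = 1day &redef;
}

## Host header value -> client addresses that POSTed to it.
## &create_expire drops an entry seen_expire after it was created, so the
## table cannot grow without bound (use &read_expire instead to keep entries
## that are still being looked up).
global seen_posts: table[string] of set[addr] &create_expire=seen_expire;

## The base HTTP analyzer fills c$http$method in http_request, which fires
## before any http_header event, so the method is already known here.
## Header names are delivered upper-cased.
event http_header(c: connection, is_orig: bool, name: string, value: string)
    {
    if ( ! is_orig || name != "HOST" )
        return;
    if ( ! c?$http || ! c$http?$method || c$http$method != "POST" )
        return;

    if ( value in seen_posts )
        {
        # already-visited site: remember this client, but stay quiet
        add seen_posts[value][c$id$orig_h];
        return;
        }

    # newly visited site: record it and alert once per seen_expire window
    seen_posts[value] = set();
    add seen_posts[value][c$id$orig_h];
    NOTICE([$note=New_POST_Host, $conn=c,
            $msg=fmt("first POST to %s from %s", value, c$id$orig_h),
            $identifier=value,
            $suppress_for=seen_expire]);
    }
```

Run it against a capture with `bro -r trace.pcap newposthost.bro`; new sites land in notice.log rather than on stdout, and expired entries simply disappear from the table without any bro_done bookkeeping.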