[Bro] Clarification needed

Siwek, Jon jsiwek at illinois.edu
Fri Sep 19 11:44:47 PDT 2014


On Sep 19, 2014, at 12:29 PM, PeLo <phrackmod at gmail.com> wrote:

> The problem is that Bro automatically tries to perform a DNS lookup on any domain names provided. Using a single domain name works well (global restricted_domains = abc.com) but when I try to assign a group of domains at a time (global restricted_domains = { abc.com, 123.net }; or global restricted_domains: set[addr] and using add statement), I get an error which states "Type Clash". I would like to know if there is a way to create a set of hostnames so that I can work on them later. 

If you’re purely using unquoted domain names, you can think of that as being automatically converted into a set[addr] at parse-time.  E.g.

global mydomains: set[addr] = { bro.org, google.com };
# example.com is itself a set[addr], so add its addresses one at a time.
for ( i in example.com ) add mydomains[i];
print mydomains;

Note, the loop over example.com is because it’s technically a set[addr] and you can only add a single element to the mydomains set at a time (at least I can’t recall an easier way to merge two sets).

> Since domain names are essentially strings, I think it would be nice to have an explicit conversion function to convert from strings to domain names. If there was one, the above problem would have been solved easily.

There’s not really a distinct type for domain names — if the parser sees a string of characters that looks like a domain name and it’s not in quotes, Bro will resolve those into a set[addr] as part of the initialization process.  For run-time resolution of domain names, storing the domain name as a string data type (e.g. by putting quotes around it) and then passing that as an argument to the “lookup_hostname” function may be what you want.

- Jon
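
The run-time approach described in the reply above, as an added example that is not part of the original post: the hostnames are kept as a set[string] and each one is resolved with lookup_hostname inside a when statement. The names restricted_domains, restricted_addrs and resolve_domain, the sample domains, the 10sec timeout and the use of connection_established are assumptions chosen for illustration.

```bro
# Hostnames stored as quoted strings, so nothing is resolved at parse-time.
global restricted_domains: set[string] = { "abc.com", "123.net" };

# Addresses learned at run-time from the names above.
global restricted_addrs: set[addr];

# lookup_hostname is asynchronous and must be called from a when statement.
# A helper function gives each lookup its own copy of the name.
function resolve_domain(name: string)
    {
    when ( local addrs = lookup_hostname(name) )
        {
        for ( a in addrs )
            {
            add restricted_addrs[a];
            print fmt("resolved %s -> %s", name, a);
            }
        }
    timeout 10sec
        {
        print fmt("lookup of %s timed out", name);
        }
    }

event bro_init()
    {
    for ( d in restricted_domains )
        resolve_domain(d);
    }

# Report connections whose responder is one of the resolved addresses.
event connection_established(c: connection)
    {
    if ( c$id$resp_h in restricted_addrs )
        print fmt("connection to restricted host: %s -> %s",
                  c$id$orig_h, c$id$resp_h);
    }
```

Addresses are resolved once at startup here, so connections seen before a lookup completes, or to addresses a name starts resolving to later, are not matched.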


