[Bro] Clarification needed

PeLo phrackmod at gmail.com
Fri Sep 19 12:43:28 PDT 2014


Thanks for the links. Below is some sample code. Error messages are also
included in comments.

event bro_init() {
    ### This Works fine
    local amazon_ips = amazon.com;
    for (i in amazon_ips) print(i);

    ### Error occurs here
    ### Error Output
    ### ============
    ### error : type clash (addr and {74.125.236.213,2404:6800:4007:803::1015})
    ### error : type mismatch ({74.125.236.213,2404:6800:4007:803::1015} and addr)
    local google_ips: set[addr] = { mail.google.com, maps.google.com, youtube.com };
    for (i in google_ips) print(i);

    ### No errors and output here
    ### Anything wrong with the code???
    local ip_list: set[addr];
    local domain_list: set[string] = { "google.com", "bro.org" };
    for (domain in domain_list) {
        when ( local temp = lookup_hostname(domain) ) {
            for (ip in temp)
                add ip_list[ip];
        }
    }
    for (i in ip_list) print(i);
}

On Sat, Sep 20, 2014 at 12:31 AM, Seth Hall <seth at icir.org> wrote:

>
> On Sep 19, 2014, at 1:29 PM, PeLo <phrackmod at gmail.com> wrote:
>
> > The problem is that Bro automatically tries to perform DNS lookup on any
> > domain names provided.
>
> I don't tend to use that feature of Bro because I never have a problem
> that fits it quite right.
>
> > Using a single domain name works well (global restricted_domains =
> > abc.com) but when I try to assign a group of domains at a time (global
> > restriced_domains = { abc.com, 123.net }; or global restricted_domains:
> > set[addr] and using add statement), I get an error which states "Type
> > Clash". I would like to know if there is a way to create a set of hostnames
> > so that I can work on them later.
>
> I would have to see your code to know exactly what was failing.
>
> > Since domain names are essentially strings, I think it would be nice to
> > have an explicit conversion function to convert from strings to domain
> > names. If there was one, the above problem would have been solved easily.
>
>
> https://www.bro.org/sphinx/scripts/base/bif/bro.bif.bro.html#id-lookup_hostname
>
> https://www.bro.org/sphinx/scripts/base/bif/bro.bif.bro.html#id-lookup_hostname_txt
> https://www.bro.org/sphinx/scripts/base/bif/bro.bif.bro.html#id-lookup_addr
>
> You can see an example using one of these scripts here:
>
> https://github.com/bro/bro/blob/master/scripts/policy/protocols/ssh/interesting-hostnames.bro#L34
>
> (you have to use them in when statements)
>
>   .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
>
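
An added example (not part of the original thread and not Bro's own script) of the when/lookup_hostname pattern referred to above. The body of a when statement runs asynchronously once the lookup returns, so this sketch collects results in a global set and consumes them from a later event. The names restricted_domains and restricted_ips, the placeholder domains and the 10 second timeout are assumptions made for illustration.

```bro
# Hypothetical names: restricted_domains / restricted_ips are not from the thread.
# Domain names are kept as strings so Bro does not resolve them at parse time.
const restricted_domains: set[string] = { "example.com", "example.org" } &redef;

# Global, because a when body works on a copy of the enclosing function's
# locals; additions to a local set made inside it are not visible outside.
global restricted_ips: set[addr];

event bro_init()
    {
    for ( domain in restricted_domains )
        {
        # lookup_hostname() is asynchronous: bro_init() keeps going and the
        # body below runs later, when the DNS answer arrives.
        when ( local addrs = lookup_hostname(domain) )
            {
            for ( ip in addrs )
                {
                add restricted_ips[ip];
                print fmt("resolved %s -> %s", domain, ip);
                }
            }
        timeout 10 sec
            {
            print fmt("lookup of %s timed out", domain);
            }
        }

    # Printing restricted_ips at this point would show an empty set,
    # because none of the lookups has completed yet.
    }

# Use the resolved addresses from an event that fires after start-up.
event new_connection(c: connection)
    {
    if ( c$id$resp_h in restricted_ips )
        print fmt("connection from %s to restricted address %s",
                  c$id$orig_h, c$id$resp_h);
    }
```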