[Bro] Bro Types Not Following Bro Types Documention
John Omernik
john at omernik.com
Sat May 16 13:57:03 PDT 2015
I am working doing some automation with Bro, Avro, Kafka and I am a little
bit frustrated. (Or I am looking at the wrong documentation, hence my post
here, I am very good with being extremely wrong because I am looking at
something wrong).
Specifically I am looking at the default conn.log. The Type that is
specified for some fields such as
orig_bytes or resp_bytes is type count
Based on the docs I am using here:
https://www.bro.org/sphinx/script-reference/builtins.html
a count is:
count
A numeric type representing a 64-bit unsigned integer. A count constant is
a string of digits, e.g.1234 or 0. A count can also be written in
hexadecimal notation (in which case “0x” must precede the hex digits), e.g.
0xff or 0xABC123.
The count type supports the same operators as the int
<https://www.bro.org/sphinx/script-reference/builtins.html#type-int> type.
A unary plus or minus applied to acount results in an int.
This is well and good, however looking at some of the data in my log I see
the character "-" as a value. Based on my reading of a count, that
shouldn't exist, a - is not a unsigned integer, nor is it a string of
digits whether in base 10 or hexidecimal.
Thus my frustration, I'd like to develop some generic bindings to push bro
logs into Avro Serialized Kafka messages, but looking at this, I can't even
trust the documentation to be accurate? Am I missing something? Is there
another documentation reference that more fully represents the data types
that would explain why - is a valid integer?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150516/e863196a/attachment.html
More information about the Bro
mailing list