[Bro] Bro Types Not Following Bro Types Documentation

Mike Dopheide dopheide at gmail.com
Sat May 16 14:44:48 PDT 2015


John,

The "-" you're seeing in this case isn't meant to be representing a count.
The "-" is used in Bro logs to represent a field with missing data.  For
whatever reason Bro couldn't determine the bytes sent in this case.  You'll see -'s
more commonly in other logs, like http.log, ssl.log, etc.

-Dop



On Sat, May 16, 2015 at 3:57 PM, John Omernik <john at omernik.com> wrote:

> I am working doing some automation with Bro, Avro, Kafka and I am a little
> bit frustrated. (Or I am looking at the wrong documentation, hence my post
> here, I am very good with being extremely wrong because I am looking at
> something wrong).
>
> Specifically I am looking at the default conn.log. The Type that is
> specified for some fields such as
> orig_bytes or resp_bytes is type count
>
> Based on the docs I am using here:
>
> https://www.bro.org/sphinx/script-reference/builtins.html
>
> a count is:
>
> count
>
> A numeric type representing a 64-bit unsigned integer. A count constant
> is a string of digits, e.g. 1234 or 0. A count can also be written in
> hexadecimal notation (in which case "0x" must precede the hex digits), e.g.
> 0xff or 0xABC123.
>
> The count type supports the same operators as the int
> <https://www.bro.org/sphinx/script-reference/builtins.html#type-int> type.
> A unary plus or minus applied to a count results in an int.
>
>
> This is well and good, however looking at some of the data in my log I see
> the character "-" as a value.  Based on my reading of a count, that
> shouldn't exist, a - is not an unsigned integer, nor is it a string of
> digits whether in base 10 or hexadecimal.
>
>
> Thus my frustration, I'd like to develop some generic bindings to push bro
> logs into Avro Serialized Kafka messages, but looking at this, I can't even
> trust the documentation to be accurate? Am I missing something? Is there
> another documentation reference that more fully represents the data types
> that would explain why - is a valid integer?
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
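As an added illustration (not code from either poster), here is a small parser that reads a Bro TSV log's `#unset_field`, `#fields` and `#types` directives and maps "-" in a count column to None instead of trying to parse it as a number. The conn.log excerpt is constructed; the uids and addresses are made up, the field names follow the real conn.log.

```python
"""Parse Bro TSV logs, treating "-" as the #unset_field marker, not a count."""
from typing import Any, Dict, List

# Constructed conn.log excerpt in Bro's TSV format (uids/addresses are made up).
SAMPLE_CONN_LOG = (
    "#separator \\x09\n#set_separator\t,\n#empty_field\t(empty)\n"
    "#unset_field\t-\n#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\torig_bytes\tresp_bytes\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tcount\tcount\n"
    "1431817067.123456\tCXWv6p3arKYeMETxOg\t10.0.0.5\t51234\t10.0.0.9\t80\ttcp\t512\t0x1f4\n"
    "1431817068.000000\tC7mM2v1R5N4kQ9xY1\t10.0.0.5\t51235\t10.0.0.9\t443\ttcp\t-\t-\n"
)

def convert(raw: str, bro_type: str, unset: str = "-", empty: str = "(empty)") -> Any:
    """Map one raw column to a Python value; an unset field becomes None."""
    if raw == unset:
        return None                  # "-": Bro never filled this field in
    if raw == empty:
        return ""                    # "(empty)": set, but empty
    if bro_type == "count":          # 64-bit unsigned; decimal or 0x-hex
        n = int(raw, 16) if raw.lower().startswith("0x") else int(raw)
        if n < 0:
            raise ValueError(f"count cannot be negative: {raw}")
        return n
    if bro_type in ("int", "port"):
        return int(raw)
    if bro_type in ("time", "interval", "double"):
        return float(raw)
    if bro_type == "bool":
        return raw == "T"
    return raw                       # string, addr, enum: keep the text

def parse_bro_log(text: str) -> List[Dict[str, Any]]:
    """Read the #-directives, then type every data row accordingly."""
    unset, empty, fields, types = "-", "(empty)", [], []
    records: List[Dict[str, Any]] = []
    for line in text.splitlines():
        if line.startswith("#"):     # directive: #key<TAB>value
            key, _, value = line[1:].partition("\t")
            if key == "unset_field": unset = value
            elif key == "empty_field": empty = value
            elif key == "fields": fields = value.split("\t")
            elif key == "types": types = value.split("\t")
        elif line:
            cols = line.split("\t")
            if len(cols) != len(fields) or len(fields) != len(types):
                raise ValueError(f"column count mismatch: {line!r}")
            records.append({f: convert(c, t, unset, empty)
                            for f, c, t in zip(fields, cols, types)})
    return records
```

A None from a count column maps naturally to an Avro union such as ["null", "long"]; note that Bro's count is unsigned 64-bit, so values above 2^63-1 would not fit Avro's signed long.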