[Bro] trying to read space separate file to bro

Seth Hall seth at icir.org
Tue Jan 19 12:54:50 PST 2016 

You need to be careful with this setting too.  It's easy to mess up other activities (like intelligence import) if you do a setting like this globally.  There is a $config field in the input description where you should be able to specify that field too.

 .Seth



> On Jan 19, 2016, at 11:53 AM, Daniel Thayer <dnthayer at illinois.edu> wrote:
> 
> In your script, you need to change one line to use this:
> 
> redef InputAscii::separator = " ";
> 
> 
> 
> On 01/19/2016 01:48 AM, 김희철 wrote:
>> Hi
>> I am trying to read file which has space separate
>> 
>> I add redef separator = " " ; but it's gave me some errors
>> 
>> error: ./aaa.txt/Input::READER_ASCII: Did not find requested field sip
>> in input data file ./aaa.txt.
>> 
>> error: ./aaa.txt/Input::READER_ASCII: Init: cannot open ./aaa.txt;
>> headers are incorrect
>> 
>> error: ./aaa.txt/Input::READER_ASCII: Init failed
>> 
>> 
>> if aaa.txt is tsv file and with out redef separator, it works fine
>> 
>> Is there a way to read a file which is not tsv
>> 
>> 
>> here is my sample aaa.txt and bro script
>> 
>> aaa.txt
>> 
>> #fields sip sport dip dport
>> 
>> 192.168.1.116 61711 172.16.100.132 22
>> 
>> 
>> 
>> bro script
>> 
>> export {
>> 
>>    type Val: record {
>> 
>>        sip: addr;
>> 
>>        sport: port;
>> 
>>        dip: addr;
>> 
>>        dport: port;
>> 
>>    };
>> 
>>    redef Input::separator = " ";
>> 
>> }
>> 
>> 
>> event TEST(description: Input::EventDescription, tpe: Input::Event, sip:
>> addr, sport: port, dip: addr, dport: port){
>> 
>>    print fmt("%s %d %s %d",sip,sport,dip,dport);
>> 
>> }
>> 
>> 
>> event bro_init()
>> 
>> {
>> 
>>    print fmt("test");
>> 
>>    Input::add_event([$source="./aaa.txt", $name="test", $fields=Val,
>>    $ev=TEST ,$want_record=F]);
>> 
>> }
>> 
>> 
>> --
>> ------------------------------------------------------
>> Hichul Kim 김희철 선임 연구원
>> 
>> Naru Security  (주)나루씨큐리티
>> 
>> 
>> 
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> 
> 

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

More information about the Bro mailing list