[Bro] trying to read space separate file to bro

Daniel Thayer dnthayer at illinois.edu
Tue Jan 19 13:27:35 PST 2016


Good point, Seth.  Here is an example of how to use the $config field:

Input::add_event([$source="./aaa.txt", $name="test", $fields=Val,
                   $ev=TEST, $want_record=F,
                   $config=table(["separator"]=" ")]);



On 01/19/2016 02:54 PM, Seth Hall wrote:
> You need to be careful with this setting too.  It's easy to mess up other activities (like intelligence import) if you do a setting like this globally.  There is a $config field in the input description where you should be able to specify that field too.
>
>   .Seth
>
>
>
>> On Jan 19, 2016, at 11:53 AM, Daniel Thayer <dnthayer at illinois.edu> wrote:
>>
>> In your script, you need to change one line to use this:
>>
>> redef InputAscii::separator = " ";
>>
>>
>>
>> On 01/19/2016 01:48 AM, 김희철 wrote:
>>> Hi
>>> I am trying to read a file which is space-separated.
>>>
>>> I added redef separator = " "; but it gave me some errors
>>>
>>> error: ./aaa.txt/Input::READER_ASCII: Did not find requested field sip
>>> in input data file ./aaa.txt.
>>>
>>> error: ./aaa.txt/Input::READER_ASCII: Init: cannot open ./aaa.txt;
>>> headers are incorrect
>>>
>>> error: ./aaa.txt/Input::READER_ASCII: Init failed
>>>
>>>
>>> If aaa.txt is a TSV file and without redef separator, it works fine.
>>>
>>> Is there a way to read a file which is not TSV?
>>>
>>>
>>> here is my sample aaa.txt and bro script
>>>
>>> aaa.txt
>>>
>>> #fields sip sport dip dport
>>>
>>> 192.168.1.116 61711 172.16.100.132 22
>>>
>>>
>>>
>>> bro script
>>>
>>> export {
>>>     type Val: record {
>>>         sip: addr;
>>>         sport: port;
>>>         dip: addr;
>>>         dport: port;
>>>     };
>>>
>>>     redef Input::separator = " ";
>>> }
>>>
>>> event TEST(description: Input::EventDescription, tpe: Input::Event, sip:
>>> addr, sport: port, dip: addr, dport: port){
>>>     print fmt("%s %d %s %d",sip,sport,dip,dport);
>>> }
>>>
>>> event bro_init()
>>> {
>>>     print fmt("test");
>>>     Input::add_event([$source="./aaa.txt", $name="test", $fields=Val,
>>>     $ev=TEST ,$want_record=F]);
>>> }
>>>
>>>
>>> --
>>> ------------------------------------------------------
>>> Hichul Kim 김희철, Senior Researcher
>>>
>>> Naru Security  (주)나루씨큐리티
>>>
>>>
>>>
>>> _______________________________________________
>>> Bro mailing list
>>> bro at bro-ids.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>
>>
>>
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
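
Added example, not part of the original thread: a script that reads the space-separated aaa.txt with a per-stream separator alongside a second, tab-separated file that keeps the reader default, so the setting stays scoped to one stream as Seth advises. The file reference.tsv, the ConnVal and RefVal records, and the event names conn_line and ref_line are assumptions made for illustration.

```bro
# Added example. aaa.txt is the space-separated file from the thread.
# reference.tsv is a hypothetical tab-separated file whose header is
# "#fields<TAB>host<TAB>note"; it stands in for any other input (for
# example an intelligence feed) that must keep the default separator.

type ConnVal: record {
    sip: addr;
    sport: port;
    dip: addr;
    dport: port;
};

type RefVal: record {
    host: addr;
    note: string;
};

event conn_line(description: Input::EventDescription, tpe: Input::Event,
                sip: addr, sport: port, dip: addr, dport: port)
    {
    print fmt("aaa.txt: %s %s -> %s %s", sip, sport, dip, dport);
    }

event ref_line(description: Input::EventDescription, tpe: Input::Event,
               host: addr, note: string)
    {
    print fmt("reference.tsv: %s %s", host, note);
    }

event bro_init()
    {
    # The space separator is set in $config, so it applies to this stream only.
    Input::add_event([$source="./aaa.txt", $name="conns", $fields=ConnVal,
                      $ev=conn_line, $want_record=F,
                      $config=table(["separator"] = " ")]);

    # No $config here: this stream keeps the ASCII reader's default separator.
    Input::add_event([$source="./reference.tsv", $name="reference",
                      $fields=RefVal, $ev=ref_line, $want_record=F]);
    }

event Input::end_of_data(name: string, source: string)
    {
    # Each stream reports completion separately; remove it once it is done.
    print fmt("finished reading %s (stream %s)", source, name);
    Input::remove(name);
    }
```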

