[Bro] trying to read space separate file to bro
김희철
hckim at narusec.com
Tue Jan 19 16:40:05 PST 2016
It works perfectly.
Thank you very much.
On Wed, Jan 20, 2016 at 6:27 AM, Daniel Thayer <dnthayer at illinois.edu>
wrote:
> Good point, Seth. Here is an example of how to use the $config field:
>
> Input::add_event([$source="./aaa.txt", $name="test", $fields=Val,
> $ev=TEST, $want_record=F,
> $config=table(["separator"]=" ")]);
>
> On 01/19/2016 02:54 PM, Seth Hall wrote:
>
>> You need to be careful with this setting too. It's easy to mess up other
>> activities (like intelligence import) if you do a setting like this
>> globally. There is a $config field in the input description where you
>> should be able to specify that field too.
>>
>> .Seth
>>
>>
>>
>> On Jan 19, 2016, at 11:53 AM, Daniel Thayer <dnthayer at illinois.edu> wrote:
>>>
>>> In your script, you need to change one line to use this:
>>>
>>> redef InputAscii::separator = " ";
>>>
>>>
>>>
>>> On 01/19/2016 01:48 AM, 김희철 wrote:
>>>
>>>> Hi,
>>>> I am trying to read a file which is space-separated.
>>>>
>>>> I added redef separator = " "; but it gave me some errors:
>>>>
>>>> error: ./aaa.txt/Input::READER_ASCII: Did not find requested field sip
>>>> in input data file ./aaa.txt.
>>>>
>>>> error: ./aaa.txt/Input::READER_ASCII: Init: cannot open ./aaa.txt;
>>>> headers are incorrect
>>>>
>>>> error: ./aaa.txt/Input::READER_ASCII: Init failed
>>>>
>>>>
>>>> If aaa.txt is a TSV file and without the redef separator, it works fine.
>>>>
>>>> Is there a way to read a file which is not TSV?
>>>>
>>>>
>>>> Here are my sample aaa.txt and Bro script:
>>>>
>>>> aaa.txt
>>>>
>>>> #fields sip sport dip dport
>>>> 192.168.1.116 61711 172.16.100.132 22
>>>>
>>>>
>>>> bro script
>>>>
>>>> export {
>>>>     type Val: record {
>>>>         sip: addr;
>>>>         sport: port;
>>>>         dip: addr;
>>>>         dport: port;
>>>>     };
>>>>
>>>>     redef Input::separator = " ";
>>>> }
>>>>
>>>> event TEST(description: Input::EventDescription, tpe: Input::Event, sip:
>>>> addr, sport: port, dip: addr, dport: port){
>>>>     print fmt("%s %d %s %d",sip,sport,dip,dport);
>>>> }
>>>>
>>>> event bro_init()
>>>> {
>>>>     print fmt("test");
>>>>     Input::add_event([$source="./aaa.txt", $name="test", $fields=Val,
>>>>     $ev=TEST ,$want_record=F]);
>>>> }
>>>>
>>>> --
>>>> ------------------------------------------------------
>>>> Hichul Kim 김희철, Senior Researcher
>>>>
>>>> Naru Security (주)나루씨큐리티
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Bro mailing list
>>>> bro at bro-ids.org
>>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>>
>> --
>> Seth Hall
>> International Computer Science Institute
>> (Bro) because everyone has a network
>> http://www.bro.org/
>>
>>
--
------------------------------------------------------
Hichul Kim 김희철, Senior Researcher
Naru Security (주)나루씨큐리티
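
The per-stream $config setting discussed in this thread, put together as a complete script. This is an added example, not code posted by anyone in the thread. It reads the space-separated ./aaa.txt from the original question next to a tab-separated file, so the separator override visibly stays on one stream and InputAscii::separator is never redefined globally. The file ./bbb.tsv, the event name FLOW_LINE and the stream names are assumptions made for the example.

```bro
# Added example; not code from the thread.
# ./aaa.txt (from the original question, fields separated by one space):
#   #fields sip sport dip dport
#   192.168.1.116 61711 172.16.100.132 22
# ./bbb.tsv (constructed sample, hypothetical file; <TAB> is a real tab):
#   #fields<TAB>sip<TAB>sport<TAB>dip<TAB>dport
#   10.0.0.5<TAB>40000<TAB>10.0.0.9<TAB>443

type Val: record {
	sip: addr;
	sport: port;
	dip: addr;
	dport: port;
};

# One handler for both streams; description$name says which stream fired.
event FLOW_LINE(description: Input::EventDescription, tpe: Input::Event,
                sip: addr, sport: port, dip: addr, dport: port)
	{
	print fmt("%s: %s %s -> %s %s", description$name, sip, sport, dip, dport);
	}

event bro_init()
	{
	# The space separator is set in $config, so it applies to this stream only.
	Input::add_event([$source="./aaa.txt", $name="space_stream",
	                  $fields=Val, $ev=FLOW_LINE, $want_record=F,
	                  $config=table(["separator"] = " ")]);

	# No $config here: this stream keeps the ASCII reader's default (tab),
	# as do other users of the input framework such as intelligence import.
	Input::add_event([$source="./bbb.tsv", $name="tab_stream",
	                  $fields=Val, $ev=FLOW_LINE, $want_record=F]);
	}

event Input::end_of_data(name: string, source: string)
	{
	# Remove only the two streams created above once they are fully read;
	# streams owned by other scripts are left alone.
	if ( name == "space_stream" || name == "tab_stream" )
		Input::remove(name);
	}
```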