[Bro] bro script q.

anthony kasza anthony.kasza at gmail.com
Fri Oct 7 17:08:37 PDT 2016


Look at this script. It does things with PE files.

https://github.com/bro/bro/blob/master/scripts/base/files/pe/main.bro

Someone may want to correct me here:
Line 1 declares a new module, which I believe is analogous to C++
namespaces, named "PE". The export at line 5 declares exported things under
the PE namespace. So, to reference the event log_pe from the global
namespace, as your script is doing, it would need to use PE::log_pe().
Try exporting your function with a module name declared above it.

-AK
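As an added illustration of the module/export layout described above (not code from the original thread or from the Bro project), here is how the two files from the question could be arranged so that file B calls the function through its module name. The module name `Lookup`, the `@load` path and the small inline table (constructed in place of the file-loaded table mentioned in the question) are assumptions.

```bro
# ---- File A: myfunc.bro -------------------------------------------
# Everything declared inside the export block lives under the
# module's namespace, so other scripts reach it as Lookup::myfunc().
module Lookup;

export {
    ## Look up the originating host of a connection and return a label.
    global myfunc: function(c: connection, msg: string): string;
}

# Constructed stand-in for the table the question loads from disk.
global lookup_tbl: table[addr] of string = {
    [10.0.0.1] = "labelled-host",
};

# Definition after the export block; it binds to Lookup::myfunc.
function myfunc(c: connection, msg: string): string
{
    print fmt("myfunc: called from %s", msg);

    if ( c$id$orig_h in lookup_tbl )
        return lookup_tbl[c$id$orig_h];

    # Same default the question's log columns show when nothing matches.
    return "NA";
}

# ---- File B: fileB.bro --------------------------------------------
# @load the file that defines the function instead of redeclaring a
# second, unrelated "myfunc" in the global namespace.
@load ./myfunc

module FileB;

event connection_established(c: connection)
{
    # Fully qualified call into module A's exported function.
    local result = Lookup::myfunc(c, "fileB");
    print fmt("fileB got: %s", result);
}
```

Both files run together with `bro -r trace.pcap fileB.bro`; only one copy of `myfunc` is declared, so both scripts see the same table.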

On Oct 7, 2016 4:30 PM, "Dk Jack" <dnj0496 at gmail.com> wrote:

> Could you direct me to an example on how to do that? I've only seen export
> being used with export info records... thanks.
>
> On Fri, Oct 7, 2016 at 2:24 PM, anthony kasza <anthony.kasza at gmail.com>
> wrote:
>
>> In your example you're defining the same function twice within the global
>> namespace. This might be causing an issue.
>> Try using the module and export functionality of the scripting language.
>>
>> -AK
>>
>> On Oct 7, 2016 3:20 PM, "Dk Jack" <dnj0496 at gmail.com> wrote:
>>
>> Hi,
>> Can a function defined in one script be accessed from another script?
>> Currently, I have the following in two files:
>>
>> File A:
>>
>> global myfunc: function(c: connection, msg: string): string
>>
>> function myfunc(c: connection, msg: string): string
>> {
>>    ...
>>    print fmt("myfunc: called from %s", msg);
>>    ...
>>    return mystring;
>> }
>>
>> event someEventA(c: connection, ...)
>> {
>>     ...
>>     c$fileA$myfunc_result = myfunc(c, "fileA");
>> }
>>
>> File B:
>> global myfunc: function(c: connection, msg: string): string
>>
>> event someEventB(c: connection, ...)
>> {
>>     ...
>>     c$fileB$myfunc_result = myfunc(c, "fileB");
>>     ...
>> }
>>
>> This compiles and runs fine when I run against a pcap. The events
>> 'someEventA' and 'someEventB' write to two different log files. In log
>> fileA, I see all the columns populated, including the myfunc_result column.
>> However, in log fileB, the myfunc_result shows the default string 'NA'.
>> In the standard out file, I only see 'myfunc: called from fileA' messages.
>>
>> Since the myfunc function is performing a lookup on a table (loaded from
>> file on disk), I'd like both the events to be able to see the same info.
>> What am I doing wrong that is preventing me from accessing the myfunc function
>> from fileB? Thanks.
>>
>> Dk.
>>
>