[Bro] bro script q.

Dk Jack dnj0496 at gmail.com
Fri Oct 7 17:16:55 PDT 2016


Thanks,
I figured it out after sending the email. Thanks.

On Fri, Oct 7, 2016 at 5:08 PM, anthony kasza <anthony.kasza at gmail.com>
wrote:

> Look at this script. It does things with PE files.
>
> https://github.com/bro/bro/blob/master/scripts/base/files/pe/main.bro
>
> Someone may want to correct me here:
> Line 1 declares a new module, which I believe is analogous to C++
> namespaces, named "PE". The export at line 5 declares exported things under
> the PE namespace. So, to reference the event log_pe from the global
> namespace, as your script is doing, it would need to use PE::log_pe().
> Try exporting your function with a module name declared above it.
>
> -AK
>
> On Oct 7, 2016 4:30 PM, "Dk Jack" <dnj0496 at gmail.com> wrote:
>
>> Could you direct me to an example on how to do that? I've only seen
>> export being used with export info records... thanks.
>>
>> On Fri, Oct 7, 2016 at 2:24 PM, anthony kasza <anthony.kasza at gmail.com>
>> wrote:
>>
>>> In your example you're defining the same function twice within the
>>> global namespace. This might be causing an issue.
>>> Try using the module and export functionality of the scripting language.
>>>
>>> -AK
>>>
>>> On Oct 7, 2016 3:20 PM, "Dk Jack" <dnj0496 at gmail.com> wrote:
>>>
>>> Hi,
>>> Can a function defined in one script be accessed from another script?
>>> Currently, I have the following in two files:
>>>
>>> File A:
>>>
>>> global myfunc: function(c: connection, msg: string): string
>>>
>>> function myfunc(c: connection, msg: string): string
>>> {
>>>    ...
>>>    print fmt("myfunc: called from %s", msg);
>>>    ...
>>>    return mystring;
>>> }
>>>
>>> event someEventA(c: connection, ...)
>>> {
>>>     ...
>>>     c$fileA$myfunc_result = myfunc(c, "fileA");
>>> }
>>>
>>> File B:
>>> global myfunc: function(c: connection, msg: string): string
>>>
>>> event someEventB(c: connection, ...)
>>> {
>>>     ...
>>>     c$fileB$myfunc_result = myfunc(c, "fileB");
>>>     ...
>>> }
>>>
>>> This compiles and runs fine when I run against a pcap. The events
>>> 'someEventA' and 'someEventB' write to two different log files. In log
>>> fileA, I see all the columns populated, including the myfunc_result column.
>>> However, in log fileB, the myfunc_result column shows the default string 'NA'.
>>> In the standard out file, I only see 'myfunc: called from fileA' messages.
>>>
>>> Since the myfunc function is performing a lookup on a table (loaded from a
>>> file on disk), I'd like both events to be able to see the same info.
>>> What am I doing wrong that is preventing me from accessing the myfunc function
>>> from fileB? Thanks.
>>>
>>> Dk.
>>>
>>> _______________________________________________
>>> Bro mailing list
>>> bro at bro-ids.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>
>>>
>>>
>>
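The module/export arrangement described in the thread, written out as an added example; it is not code from this thread or from the Bro distribution. The module name Lookup, the function name classify, the file names lookup.bro and consumer.bro, and the path /tmp/labels.txt are all assumptions made for the illustration. The table is filled through the Input framework from a tab-separated file whose first line is a "#fields host label" header; the second file loads the first with @load and calls the function through its module-qualified name, which is the point the thread arrives at.

```bro
# ---- lookup.bro (added example; module and identifier names are assumptions) ----
module Lookup;

export {
    ## Index and value types for the on-disk lookup file.
    type Idx: record {
        host: addr;
    };

    type Val: record {
        label: string;
    };

    ## Table populated from disk at startup. Declared inside export{}, so
    ## other scripts see it as Lookup::labels.
    global labels: table[addr] of Val = table();

    ## Function prototype. Because it is exported from module Lookup, the
    ## name any other script must use is Lookup::classify.
    global classify: function(c: connection, msg: string): string;
}

# The definition sits outside export{} and binds to the exported prototype.
function classify(c: connection, msg: string): string
    {
    print fmt("Lookup::classify: called from %s", msg);

    if ( c$id$resp_h in labels )
        return labels[c$id$resp_h]$label;

    return "NA";
    }

event bro_init()
    {
    # Assumed path. Expected file format (tab-separated, header line required):
    #   #fields host    label
    #   10.0.0.5        known-scanner
    Input::add_table([$source="/tmp/labels.txt", $name="lookup_labels",
                      $idx=Idx, $val=Val, $destination=labels]);
    }

# ---- consumer.bro (added example) ----
@load ./lookup

module Consumer;

event connection_established(c: connection)
    {
    # Fully qualified call: an unqualified classify() does not resolve here,
    # because the function lives in the Lookup namespace, not the global one.
    local result = Lookup::classify(c, "consumer");
    print fmt("%s -> %s", c$id$resp_h, result);
    }
```

Run it as `bro -r some.pcap consumer.bro`; because consumer.bro @loads lookup.bro, the single function definition serves every script that loads the module, and each caller identifies itself through the msg argument in the printed line.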