[Bro] bro script q.

anthony kasza anthony.kasza at gmail.com
Fri Oct 7 19:42:51 PDT 2016


Was that your issue? If you want to PM me your scripts I can take a look.

-AK

On Oct 7, 2016 6:16 PM, "Dk Jack" <dnj0496 at gmail.com> wrote:

> Thanks,
> I figured it after sending the email. Thanks.
>
> On Fri, Oct 7, 2016 at 5:08 PM, anthony kasza <anthony.kasza at gmail.com>
> wrote:
>
>> Look at this script. It does things with PE files.
>>
>> https://github.com/bro/bro/blob/master/scripts/base/files/pe/main.bro
>>
>> Someone may want to correct me here:
>> Line 1 declares a new module, which I believe is analogous to C++
>> namespaces, named "PE". The export at line 5 declares exported things under
>> the PE namespace. So, to reference the event log_pe from the global
>> namespace, as your script is doing, it would need to use PE::log_pe().
>> Try exporting your function with a module name declared above it.
>>
>> -AK
>>
>> On Oct 7, 2016 4:30 PM, "Dk Jack" <dnj0496 at gmail.com> wrote:
>>
>>> Could you direct me to an example on how to do that? I've only seen
>>> export being used with export info records... thanks.
>>>
>>> On Fri, Oct 7, 2016 at 2:24 PM, anthony kasza <anthony.kasza at gmail.com>
>>> wrote:
>>>
>>>> In your example you're defining the same function twice within the
>>>> global namespace. This might be causing an issue.
>>>> Try using the module and export functionality of the scripting language.
>>>>
>>>> -AK
>>>>
>>>> On Oct 7, 2016 3:20 PM, "Dk Jack" <dnj0496 at gmail.com> wrote:
>>>>
>>>> Hi,
>>>> Can a function defined in one script be accessed from another script?
>>>> Currently, I have the following in two files:
>>>>
>>>> File A:
>>>>
>>>> global myfunc: function(c: connection, msg: string): string
>>>>
>>>> function myfunc(c: connection, msg: string): string
>>>> {
>>>>    ...
>>>>    print fmt("myfunc: called from %s", msg);
>>>>    ...
>>>>    return mystring;
>>>> }
>>>>
>>>> event someEventA(c: connection, ...)
>>>> {
>>>>     ...
>>>>     c$fileA$myfunc_result = myfunc(c, "fileA");
>>>> }
>>>>
>>>> File B:
>>>> global myfunc: function(c: connection, msg: string): string
>>>>
>>>> event someEventB(c: connection, ...)
>>>> {
>>>>     ...
>>>>     c$fileB$myfunc_result = myfunc(c, "fileB");
>>>>     ...
>>>> }
>>>>
>>>> This compiles and runs fine when I run against a pcap. The events
>>>> 'someEventA' and 'someEventB' write to two different log files. In log
>>>> fileA, I see all the columns populated, including the myfunc_result column.
>>>> However, in log fileB, the myfunc_result column shows the default string 'NA'.
>>>> In the standard out file, I only see 'myfunc: called from fileA' messages.
>>>>
>>>> Since the myfunc function is performing a lookup on a table (loaded
>>>> from file on disk), I'd like both the events to be able to see the same
>>>> info. What am I doing wrong that is preventing me from accessing the myfunc
>>>> function from fileB? Thanks.
>>>>
>>>> Dk.
>>>>
>>>> _______________________________________________
>>>> Bro mailing list
>>>> bro at bro-ids.org
>>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>>
>>>>
>>>>
>>>
>
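The module/export arrangement Anthony describes, worked out as an added example (not code from the thread or from the Bro project). File names, the `MyLookup` and `FileB` module names, the `tags` table and its entries, and the use of `connection_established` as the triggering event are all constructed here; a real deployment would populate the table from disk via the Input framework rather than with inline literals.

```bro
# ---- lookup.bro (constructed file name) ----
# Everything declared inside export {} lives under the MyLookup namespace
# and is visible to any other script that @loads this file.
module MyLookup;

export {
	# Constructed sample entries; in practice this table would be filled
	# from a file on disk (e.g. with the Input framework).
	global tags: table[addr] of string = {
		[10.0.0.5] = "db-server",
		[10.0.0.9] = "jump-host",
	};

	# Declaring the function prototype in the export block is what lets
	# other scripts call it as MyLookup::myfunc().
	global myfunc: function(c: connection, msg: string): string;
}

# The definition stays in the same file, still inside module MyLookup,
# so the bare name myfunc resolves to the exported prototype above.
function myfunc(c: connection, msg: string): string
	{
	local h = c$id$resp_h;
	print fmt("myfunc: called from %s", msg);
	if ( h in tags )
		return tags[h];
	return "NA";
	}

# ---- fileB.bro (constructed file name) ----
# Load the script that owns the function instead of re-declaring
# a second, empty "global myfunc" in the global namespace.
@load ./lookup

module FileB;

event connection_established(c: connection)
	{
	# Outside module MyLookup the call must carry the namespace prefix.
	local tag = MyLookup::myfunc(c, "fileB");
	print fmt("fileB: %s -> %s", c$id$resp_h, tag);
	}
```

Running `bro -r some.pcap fileB.bro` (path assumed) prints one `myfunc: called from fileB` line per established connection, which is the stdout evidence the original poster was missing for file B. The point of the `@load` line is that there is exactly one definition of `myfunc` in the process; the second `global myfunc` prototype in the poster's file B introduced a separate, body-less global that shadowed nothing useful.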