[Bro] Conceptual question on main.bro files

Zeolla@GMail.com zeolla at gmail.com
Tue Feb 14 12:12:13 PST 2017


As far as I'm aware, main.bro isn't actually special.  It's just a
pseudo-standard (maybe a real standard, even) for a main/primary bro script
for a folder/organizational area.  What is special is __load__.bro.  If you
use @load to load a directory, it will look there for __local__.bro, and
then follow whatever instructions it finds (@load or @load-sigs, for
instance).  You will sometimes find that __load__.bro has a `@load
./main.bro` statement in it.  For instance:
https://github.com/bro/bro/blob/master/scripts/base/frameworks/files/__load__.bro

So, for instance, if you go to local.bro
<local.brohttps://github.com/bro/bro/blob/master/scripts/site/local.bro>,
you will find `@load tuning/defaults`, then if you go to the tuning/defaults
<https://github.com/bro/bro/tree/master/scripts/policy/tuning/defaults> folder,
you find a __load__.bro
<__load__.brohttps://github.com/bro/bro/blob/master/scripts/policy/tuning/defaults/__load__.bro>,
which will be followed to load some bro scripts which are /not/ main.bro.
In this situation, main.bro doesn't exist for tuning/defaults, and that's
fine.

Another example is, go to local.bro, and find `@load
misc/detect-traceroute` (commented out by default).  But if you follow what
would happen if this was uncommented, it would go to misc/detect-traceroute
<https://github.com/bro/bro/tree/master/scripts/policy/misc/detect-traceroute>,
load __load__.bro due to convention, and then the relative main.bro
<main.brohttps://github.com/bro/bro/blob/master/scripts/policy/misc/detect-traceroute/main.bro>
/is/
loaded because it's specified in __load__.bro.

Hope that helps - also, please correct me if there is an actual main.bro
convention anywhere that I'm not aware of.

Jon

On Tue, Feb 14, 2017 at 2:54 PM Espresso Beanies <espressobeanies at gmail.com>
wrote:

> Hi,
>
> I'm trying to better understand Bro's architecture and what is the
> significance of the "main.bro" files in relation to the other .bro files?
> I'm guessing some heirarchal purpose, but I don't see a "main.bro" file in
> every folder that contains a .bro file itself. Is someone able to better
> explain?
>
> Thanks!
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

-- 

Jon

Sent from my mobile device
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170214/eb95e7d3/attachment.html 


More information about the Bro mailing list