[Bro] bif example

Johanna Amann johanna at icir.org
Wed Jan 18 16:34:46 PST 2017 

Hi,

> I have a question about BIF example
> <https://www.bro.org/development/howtos/bif-doc/example.html>. I am trying
> to write my own BIF functions. I'd like to store some  data (i.e. pass in a
> record to a BIF function) and retrieve it later as a record when I am
> processing traffic.

I am not quite sure that I understand - do you want the bif to store data
that can be accessed later by the same (or a different) bif? I am not sure
if I know of anyone doing that - it is more common for a bif to return
data, that the user then can store somewhere in scriptland (e.g. in the
connection record).

> In the example, I see 'foobar' record is defined in bro.init. There is a
> declaration of foobar record in types.bif. This is being accessed in
> bro.bif. How is the 'foobar' record type resolved when it's referenced
> in bro.bif? Is the example complete or is it missing some includes and
> such?

The example is a bit out of date here as bro.init does not exist anymore.
I assume the best way to see how something like this works is to look at
the bifs that are added by one of the individual protocol or file
analyzers, since they are smaller, all necessary files are contained in a
directory, and they work very similar to how you would add bifs in a
package that you create.

That being said, the general approach is correct - you create a type in
scriptland, e.g. by adding it to init-bare.bro, you then can add it to
types.bif, and use it, either globally in bro.bif (which is a bit
special), or if you are creating your own functions.bif, in there, after
including types.bif.h.

> I tried to the same but my bro script fails because my bif file doesn't
> know about my record type. I included my 'types.bif.h' in my bif file get
> it compiled without errors. But it fails to load because it does not know
> about my record type. I get the error 'identifier not defined:'. Any help
> is appreciated. Thanks.

That sounds like more of a problem with the original definition of the
type - where exactly did you define it? init-bare?

Johanna

More information about the Bro mailing list