[Bro] binpac to bro script types

Vlad Grigorescu vladg at illinois.edu
Fri May 26 08:54:20 PDT 2017


Well, I think you're on the right track. You need to do something like
this line in smb-time.pac:

> Val* bro_ts = new Val(secs, TYPE_TIME);

The Val constructor with a type of time takes a double of seconds since
the epoch (UNIX time) and gives you the Bro script timestamp val. How
you actually convert whatever format you're working with to UNIX time is
up to you and dependent on the format.

Does that make sense? If you can provide more information on how the
timestamp is actually stored, someone might be able to help figure out
how to convert it.

  --Vlad

"Bortoli, Tomas" <tomas.bortoli at sit.fraunhofer.de> writes:

> Hi all,
>
> I'm writing a plug-in for Bro and I'm having trouble passing types like timestamps from binpac code to the generated bro events.
>
> I snooped the code under `src/analyzer/protocol/krb/krb-analyzer.pac` to check out how they build data structures for Bro scripts and that works.
>
> But when it comes to passing a uint[8] into a bro timestamp, I don't know how to do it.
> Any idea?
>
>
> Kind regards
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
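An added example, not code from this thread or from the Bro source tree, showing the conversion step the reply leaves to the reader: taking the eight bytes binpac hands the analyzer and producing the double of UNIX seconds that `new Val(secs, TYPE_TIME)` expects. The two encodings it handles are assumptions about what the uint[8] might hold (a little-endian Windows FILETIME, which is what the SMB analyzer the reply points at deals with, and a big-endian count of seconds); the function names, the plausibility bound and the sample values are mine.

```cpp
// Added example, not from the Bro source tree: decode an 8-byte timestamp
// field into UNIX seconds as a double, the form Val(double, TYPE_TIME) takes.
// Which encoding the field uses is an assumption the protocol spec decides.
#include <cstdint>
#include <cstdio>

// Seconds from 1601-01-01 (FILETIME epoch) to 1970-01-01 (UNIX epoch).
static const double kFiletimeEpochShift = 11644473600.0;
// FILETIME counts 100-nanosecond ticks.
static const uint64_t kTicksPerSecond = 10000000ULL;

// Reassemble 8 wire bytes into a uint64 in the order the protocol specifies.
// binpac gives you the bytes as they were on the wire, not host order.
uint64_t load_u64(const uint8_t b[8], bool little_endian) {
    uint64_t v = 0;
    for (int i = 0; i < 8; ++i) {
        int idx = little_endian ? 7 - i : i;   // most significant byte first
        v = (v << 8) | b[idx];
    }
    return v;
}

// Inverse of load_u64; used here only to build constructed sample input.
void store_u64(uint64_t v, uint8_t out[8], bool little_endian) {
    for (int i = 0; i < 8; ++i) {
        int idx = little_endian ? i : 7 - i;
        out[idx] = static_cast<uint8_t>(v >> (8 * i));
    }
}

// FILETIME ticks -> UNIX seconds. Integer division first keeps the whole
// seconds exact in the double; the remainder supplies the fraction.
// A zero FILETIME means "no time" in SMB and is kept as 0.0 so the caller
// can tell it from a real 1601 date (which would come out negative).
double filetime_ticks_to_unix(uint64_t ticks) {
    if (ticks == 0) return 0.0;
    uint64_t whole = ticks / kTicksPerSecond;
    uint64_t frac  = ticks % kTicksPerSecond;
    return static_cast<double>(whole) - kFiletimeEpochShift
         + static_cast<double>(frac) / static_cast<double>(kTicksPerSecond);
}

// Little-endian FILETIME as it appears in SMB headers (assumed encoding #1).
double filetime_bytes_to_unix(const uint8_t b[8]) {
    return filetime_ticks_to_unix(load_u64(b, /*little_endian=*/true));
}

// Big-endian 64-bit count of whole seconds since 1970 (assumed encoding #2).
double be_seconds_to_unix(const uint8_t b[8]) {
    return static_cast<double>(load_u64(b, /*little_endian=*/false));
}

// The field comes from untrusted packet data. Anything before 1970 or past
// 2200-01-01T00:00:00Z (7258118400) is more likely garbage than a clock, so
// flag it instead of feeding an absurd timestamp into logs and scripts.
bool plausible_unix_time(double secs) {
    return secs >= 0.0 && secs < 7258118400.0;
}

int main() {
    // Constructed sample: UNIX 1495814060.5 encoded as a FILETIME.
    // (1495814060 + 11644473600) * 10^7 + 5000000 = 131402876605000000 ticks.
    uint8_t ft[8];
    store_u64(131402876605000000ULL, ft, /*little_endian=*/true);
    double secs = filetime_bytes_to_unix(ft);
    std::printf("filetime -> %.3f plausible=%d\n", secs, plausible_unix_time(secs));

    uint8_t be[8];
    store_u64(1495814060ULL, be, /*little_endian=*/false);
    std::printf("be seconds -> %.0f\n", be_seconds_to_unix(be));

    // In the analyzer this double is what goes into the constructor the
    // reply quotes:  Val* bro_ts = new Val(secs, TYPE_TIME);
    return 0;
}
```

The byte-order helper is the part most likely to go wrong in practice: a uint8[8] from binpac is the wire bytes, and SMB's FILETIME is little-endian while many other protocols put 64-bit counters on the wire big-endian, so pick the loader from the spec rather than from whatever looks right on one capture.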