[Zeek] Making Broker Optional in Script

Justin Azoff justin at corelight.com
Mon Nov 25 16:09:51 PST 2019


@if is only evaluated once when scripts are parsed.  If you are changing
broker_enable you have to do it before your script is loaded.

Also, instead of

@if( /^3\./ in bro_version() )

you can just do

@ifdef(zeek_init)



On Mon, Nov 25, 2019 at 5:21 PM Andrew Klaus <andrew at aklaus.ca> wrote:

> This is the exact script I'm trying to load Broker with at run-time:
> https://raw.githubusercontent.com/cybera/zeek-sniffpass/broker/scripts/main.bro
>
>
> When I run the default script without Broker, everything runs fine since
> the default is disabled (const broker_enable = F &redef;).
>
> However, when I try to override this on Zeek 3.0.0 with Broker 1.2.3 in my
> local.zeek file:
> ----
> # local.zeek
> redef SNIFFPASS::broker_enable = T;
> ----
>
> The `@if (SNIFFPASS::broker_enable)`  doesn't pass after I deploy+restart
> Zeek with the default overridden. It does work when I hardcode it to True
> in the script however:
> ---
> # main.zeek
>
> export {
> ...
> const broker_enable = T &redef;
> }
> ...
> ----
>
> So I know my logic is okay and it's just an issue trying to override
> broker_enable.
>
> Thanks!
> Andrew
>
> On Mon, Nov 25, 2019 at 11:45 AM Andrew Klaus <andrew at aklaus.ca> wrote:
>
>> Hello,
>>
>> I have a Zeek script that I would like to add optional Broker
>> functionality to. I don't want it to be a requirement, so I'm adding
>> run-time redef options that can be toggled to enable/disable it.
>>
>> Something like:
>> -------
>> export {
>>     const broker_enable = F &redef;
>> }
>>
>> @if (MODULE::broker_enable)
>> event bro_init()
>> {
>>   Broker::listen("127.0.0.1", 9999/tcp);
>> }
>> @endif
>> -------
>>
>> When I attempt to add this line to my local.bro/zeek file after the @load
>> package:
>> ---
>> redef MODULE::broker_enable = T;
>> ---
>>
>> It won't override broker_enable and thus doesn't listen on the socket. I
>> assume that it's because the @load happens before the redef in local.bro,
>> and thus doesn't override when it checks for the @if ?
>>
>> Is there a better way that I can do this? Like checking if Broker is
>> actually available?  I tried this, but it doesn't work either:
>> ---
>> @ifdef (Broker)
>> print "Broker Enabled";
>> @endif
>> ---
>>
>> Thanks in advance,
>>
>> Andrew
>>



-- 
Justin
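
An added example, not part of the thread and not the sniffpass project's code: since `@if` is decided at parse time, one way to let a later `redef` in local.zeek take effect is to test the constant at run time inside the init handler, which fires after every script has been parsed. The helper name `start_broker` is hypothetical; the module name, address and port are the ones quoted in the thread, and `Broker::listen` is assumed to be available as in the original snippet.

```zeek
# main.zeek (added example)
module SNIFFPASS;

export {
	## Off by default, so no listener is opened unless the operator
	## opts in with:  redef SNIFFPASS::broker_enable = T;
	const broker_enable = F &redef;
}

# Hypothetical helper. The check is an ordinary run-time "if", so it sees
# the final value of broker_enable no matter where in the load order the
# redef appeared.
function start_broker()
	{
	if ( ! broker_enable )
		return;

	# Loopback only, same endpoint as in the original post.
	Broker::listen("127.0.0.1", 9999/tcp);
	}

# Parse-time switch used only to pick the event name, which cannot change
# after parsing: zeek_init exists on Zeek 3.x, older releases use bro_init.
@ifdef ( zeek_init )
event zeek_init()
	{
	start_broker();
	}
@else
event bro_init()
	{
	start_broker();
	}
@endif
```

With this layout the `redef` can stay after the `@load` in local.zeek, because the value is read when the handler runs rather than when main.zeek is parsed.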