about "*.bif files"

Zeek
1

Hi all,
    At first,I must thanks a lot to Christian,Robin and so on for your help.

    Well,a another question:) There are many *.bif files in src directory.I don't know the format and use of these files.Please explain it as possible as detailed.Thanks!

Best Regards,
Cliff

2

    Well,a another question:) There are many *.bif files in src directory.I don't know the format and use of these files.Please explain it as possible as detailed.Thanks!

Cliff,

The .bif files contain code of Bro built-in functions ("bif" stands for "built-in function"). Built-in functions are implemented in C++ and can be called by policy scripts. The bif compiler (bifcl) takes a .bif file and generate the corresponding C++ segments and Bro language declarations, so that each function only needs be written once in a .bif file and the actual C++/Bro code will be automatically generated.

For example, below is the bif code for function byte_len (in bro.bif):

function byte_len%(s: string%): count
         %{
         return new Val(s->Len(), TYPE_COUNT);
         %}

Note that it first starts with a function prototype in Bro language (but with %( and %)), and between %{ and %} is the C++ implementation of the function. It is translated into the following four pieces by bifcl:

1) A Bro prototype in policy/bro.bif.bro (which is loaded in bro.init):

global byte_len: function(s: string): count;

2) A C++ function prototype in bro.bif.func_h:

extern Val* bro_byte_len(val_list*);

3) A C++ function implementation in bro.bif.func_def (included in Func.cc)

Val* bro_byte_len(val_list* BiF_ARGS)

#line 432 "bro.bif"
{
         if ( BiF_ARGS->length() != 1 )
                 {
                 run_time("byte_len() takes exactly 1 argument(s)");
                 return 0;
                 }
         BroString* s = (BroString*) ((*BiF_ARGS)[0]->AsString());

#line 432 "bro.bif"

         return new Val(s->Len(), TYPE_COUNT);
         } // end of byte_len

4) Initialization code that associates the C++ function with the name "byte_len" in bro.bif.func_init (also included in Func.cc):
         extern Val* bro_byte_len(val_list*);
         (void) new BuiltinFunc(bro_byte_len, "byte_len", 0);

While the bif compiler was originally written for built-in functions only, it was later extended to declare events (in event.bif) and constants (in const.bif) as well. Three additional files are generated for these declarations (.netvar_h, .netvar_def and .netvar_init). How it works is quite straightforward once you take a look at these files (e.g. for event.bif).

I hope it helps. Please feel free to ask if you have further questions.

Ruoming