about State Diagram...

1. I have read some source code of Bro, and am confused about the state diagram
(also called event sequence diagram). Would you do me a favour and send the
state diagram to me? It will help me to understand Bro's work.

I don't know what you mean by the event sequence diagram. The basic
structure of how packets flow up from the network, through libpcap,
into the event engine, and there are transformed into events, is outlined
in the Bro paper that comes with the distribution (see doc/bro-CN99.ps).

2. How are the functions and events defined in *.bro used in *.cc?

See NetVar.{h,cc}, which imports the variables into the event engine.
Each also is defined in policy/bro.init (which provides the typing
information). There's no automated mechanism for this (we may add one
in a bit); instead, you edit the changes into policy/bro.init, NetVar.cc,
and NetVar.h.

Is there some function like: call_event(event bro_event, ...),
call_function(function bro_function, ...)?

You can see how this works for a function by following the references
to "log_hook" in the sources. You can see it for an event by following
any of the many events that are invoked, for example, "connection_established".

3. There is a table defined like this:
global active_conn: table[conn_id] of connection;
...
active_conn[c$id] = c; //??? But the type of c$id is not an int. How large
                          // is active_conn?

Tables can be indexed by records, providing that all of the components
of the records are scalar (non-aggregate) types.

4. When I invoke Bro: ./bro -i eth0 stepping.bro, it does not print the
information about the stepping stone until the link is terminated. Is there
some way to report the stepping stone while the stepping stone is active
(in real time)?

You can modify the script to use "log" (which logs alerts immediately),
or to flush the stepping stone log file using flush_all().

    Vern