Hi all,
in case bro is executed offline on a pcap with:
bro -r file1.pcap script.bro
is there a directive I can insert into script.bro to access the pcap
filename?
many thanks in advance,
Valerio
Nope.
-AK
Hi Anthony,
Thanks for your answer.
Let me just generalize my requirement: Is it possible when I start bro
to pass external arguments to a bro script?
I think this feature would be useful in case you want to add some
external info (not strictly present in the pcap or flow that bro is
analyzing) into .log files produced by a bro script.
thanks,
Valerio
Yes, you can override script variables, like this:
    # cat args.bro
    const pcap_file = "" &redef;
    event bro_init()
        {
        print(pcap_file);
        }
    # bro ./args.bro 'pcap_file=\"Foo\"'
    "Foo"
Robin
Thanks a lot!!!
Valerio
Hi,
I am trying to adapt the suggested methodology to the following
scenario: I have a custom main.bro script in
scripts/base/protocols/proto1/main.bro to which I would like to pass
arguments from the command line each and every time I run bro with the
following command
bro -r pcap_file_name.pcap
I set const arg1 =""&redef into main.bro but if I run
bro -r pcap_file_name.pcap 'arg1=\"test\"' I get the following error
error in <params>, line 1: unrecognized character - \
error in <params>, line 1: unrecognized character - "
error in <params>, line 1: unknown identifier test, at or near "test"
many thanks in advance,
Valerio
Try:
bro -r pcap_file_name.pcap -e 'arg1="test"'
-e|--exec <bro code> | augment loaded policies by given code
--Vlad
Valerio <valerio.click@gmx.com> writes:
Thanks!! Now it works running the following command:
bro -r pcap_file_name.pcap -e 'redef Prot1::arg1="test"'
AND
including 'const arg1=""&redef' within the export block of main.bro
where module Prot1 was defined.
best regards,
Valerio
bro -r pcap_file_name.pcap arg1=test
would have worked.
If I run bro -r pcap_file_name.pcap 'arg1="test"' I get the following error:
error in <params>, line 1: "redef" used but not previously defined (arg1)
regards,
Valerio
That's because you did not define arg1... Also, 'arg1="test"' does not work. arg1=test works. 'arg1=test' would work. "arg1=test" would work, 'arg1="test"' does not work.
    $ cat t.bro
    const arg1 ="x" &redef ;
    event bro_init() {
        print arg1;
    }
    $ bro t.bro
    x
    $ bro t.bro arg1=test
    test
    $ bro t.bro 'arg1=test two'
    test two
Hi,
thanks for your feedback. However I think I am missing something.
In fact, if I run:
bro -r pcap_file_name.pcap arg1=test
I get the following error
error in <params>, line 1: unknown identifier test, at or near "test"
Please notice that, as I described in my previous mail:
"I have a custom main.bro script in
scripts/base/protocols/proto1/main.bro to which I would like to pass
arguments from command line"
In main.bro I defined arg1 as const arg1=""&redef within the
export{} block, having defined module Prot1;
Even if I run
bro -r pcap_file_name.pcap Prot1::arg1=test
I get the following error
error in <params>, line 1: unknown identifier test, at or near "test"
the same with:
bro -r 28122015-whatsapp_iphone_traffic.pcap 'Wa::arg1=test'
best regards,
Valerio
The different methods do work:
    $ cat t.bro
    module Foo;
    export {
        const arg1 ="x" &redef ;
    }
    event bro_init() {
        print arg1;
    }
    $ bro t.bro
    x
    $ bro t.bro Foo::arg1=test
    test
    $ bro t.bro 'Foo::arg1=test two'
    test two
    $ bro t.bro -e 'redef Foo::arg1="test three"'
    test three
Are you actually loading your proto1 script anywhere? local scripts really belong under share/bro/site, not under the base/ directory.
You likely want to move your proto1 directory to share/bro/site and add
@load ./proto1
to share/bro/site/local.bro
Thanks!!
by moving the script from base to share/bro/site it works!!
best,
Valerio
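
The pattern the thread arrives at (an exported &redef constant in a module, overridden at startup) applied to the original goal of recording the pcap name in a log. This is an added example, not code posted by anyone in the thread; the module name PcapTag, the file name pcaptag.bro and the pcap_file column are hypothetical, and it assumes the stock conn.log scripts of Bro 2.x.

```bro
# Added example, not from the thread. PcapTag and the pcap_file column
# are hypothetical names chosen for illustration.
@load base/protocols/conn

module PcapTag;

export {
    # Overridden at startup; the empty default means "no tag supplied".
    const pcap_file = "" &redef;
}

# Extend the conn.log record with an optional, logged column.
redef record Conn::Info += {
    pcap_file: string &log &optional;
};

# Default priority (0): runs after the base conn script has filled in
# c$conn (priority 5) and before it writes the entry (priority -5).
event connection_state_remove(c: connection)
    {
    if ( pcap_file != "" && c?$conn )
        c$conn$pcap_file = pcap_file;
    }

# Invocation, using the -e form shown in the thread:
#   bro -r file1.pcap pcaptag.bro -e 'redef PcapTag::pcap_file="file1.pcap"'
```

The value is whatever the operator types on the command line, so anything consuming conn.log should treat the new column as untrusted free text rather than as a verified path.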