1 - how can I iterate thru the name/value pairs in any given bro event
type?
For example, if I were to do the following:
*** begin script ***
Event file_new(f:fa_file) {
local finfo = f$info;
local fuid = f$id;
local fsource = f$source;
local ftype = f$type;
local fname = f$name;
print fmt(©ø*** found %s in %s. saved as %s. FileID is %s. \n File info is
%s.©÷, ftype, fsource, fname, fuid, finfo);
*** end script ***
The finfo variable contents would be displayed. (is this a complete list
of the name/value pairs?)
I would like to do the same with "event file_hash©÷ but cannot understand
how to display a similar variable to that of ©øinfo©÷.
2 - as an extension of the above enumeration question, how do I determine
what elements in a given event are available for me to use for
conditionals/structured programming/etc?
My first goal is to understand the variable types that are defined and be
able to explain that to my students. Then we can move on to use them to
create scripts to act on interesting things. Finally, I would like to
explore machine learning with bro.
Thanks!
Bill
Bill.stackpole@rit.edu