Hi,
I’m trying to better understand Bro’s architecture and what is the significance of the “main.bro” files in relation to the other .bro files? I’m guessing some hierarchical purpose, but I don’t see a “main.bro” file in every folder that contains a .bro file itself. Is someone able to better explain?
Thanks!
As far as I’m aware, main.bro isn’t actually special. It’s just a pseudo-standard (maybe a real standard, even) for a main/primary bro script for a folder/organizational area. What is special is load.bro. If you use @load to load a directory, it will look there for local.bro, and then follow whatever instructions it finds (@load or @load-sigs, for instance). You will sometimes find that load.bro has a @load ./main.bro statement in it. For instance: https://github.com/bro/bro/blob/master/scripts/base/frameworks/files/load.bro
So, for instance, if you go to local.bro, you will find @load tuning/defaults, then if you go to the tuning/defaults folder, you find a load.bro, which will be followed to load some bro scripts which are /not/ main.bro. In this situation, main.bro doesn’t exist for tuning/defaults, and that’s fine.
Another example is, go to local.bro, and find @load misc/detect-traceroute (commented out by default). But if you follow what would happen if this was uncommented, it would go to misc/detect-traceroute, load load.bro due to convention, and then the relative main.bro /is/ loaded because it’s specified in load.bro.
Hope that helps - also, please correct me if there is an actual main.bro convention anywhere that I’m not aware of.
Jon
That was a great description, and no, there is no formal standard around that. It's just a convention we started using a long time ago.
.Seth
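
The load chain described in the thread, as an added example that is not part of the original messages or Bro's own code. It walks @load statements over a small constructed script tree to list what a given local.bro actually pulls in. The per-directory loader name is a parameter set to the name as written in the thread, the tree contents are made up, and a single search root is assumed.

```python
import posixpath
import re

LOADER = "load.bro"  # assumption: loader file name as written in the thread
LOAD_RE = re.compile(r"^\s*@load\s+(\S+)")  # skips "# @load ..." and "@load-sigs"

# Constructed sample tree (path -> script text); not real Bro scripts.
TREE = {
    "site/local.bro": "@load tuning/defaults\n# @load misc/detect-traceroute\n",
    "tuning/defaults/load.bro": "@load ./packet-fragments\n@load ./warnings\n",
    "tuning/defaults/packet-fragments.bro": "",
    "tuning/defaults/warnings.bro": "",
    "misc/detect-traceroute/load.bro": "@load ./main\n",
    "misc/detect-traceroute/main.bro": "",
    "misc/orphan/main.bro": "",  # a main.bro with no loader file beside it
}

def resolve(target, current_dir, tree):
    """Map an @load argument to a script path, or None if nothing matches."""
    joined = posixpath.join(current_dir, target) if target.startswith(".") else target
    base = posixpath.normpath(joined)
    for candidate in (base, base + ".bro"):
        if candidate in tree:
            return candidate
    # A directory target: only its loader file is read, never main.bro directly.
    loader = posixpath.join(base, LOADER)
    return loader if loader in tree else None

def loaded_scripts(entry, tree):
    """Return every script reached from `entry`, in first-reached order."""
    order = []

    def visit(path):
        if path in order:
            return
        order.append(path)
        for line in tree[path].splitlines():
            match = LOAD_RE.match(line)
            if not match:
                continue
            nxt = resolve(match.group(1), posixpath.dirname(path), tree)
            if nxt is None:
                raise FileNotFoundError(f"cannot resolve @load {match.group(1)}")
            visit(nxt)

    visit(entry)
    return order
```

Loading `misc/orphan` raises `FileNotFoundError` even though that directory holds a main.bro, because nothing names it in a loader file.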