Hui Lin_can I directly call linux shell script within event handler


Within Bro’s event handler, can I use Bro’s script to call a Linux shell script or Perl script directly?

If not, I think at least I can let Bro communicate with Broccoli’s client and let it call a shell script.



> Within Bro's event handler, can I use bro's script to call Linux shell
> script or perl script directly?

You can use Bro's system function to execute an arbitrary command:

    system(s: string): int

        Invokes a command via the system function. Returns true if the
        return value of system was non-zero. Returns the return value
        from the system() call. Note that this corresponds to the status
        of backgrounding the given command, not to the exit status of
        the command itself. A value of 127 corresponds to a failure to
        execute sh, and -1 to an internal system failure. Furthermore,
        the command is run in the background with stdout redirected to

It is a good idea to call

    str_shell_escape(source: string): string

on the argument to system.


That function is actually much less necessary now that we have the piped_exec function. str_shell_escape is only supposed to be used for data being put between double quotes so that the input doesn't escape from the double quoting.

This is obviously super dangerous:

    system(fmt("rm \"%s\"", sniffed_data));

This is better:

    system(fmt("rm \"%s\"", str_shell_escape(sniffed_data)));

If you need to supply something on STDIN to the program you are executing, you should use the piped_exec function. You can provide the data supplied on STDIN as an argument to the function.
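
The behaviour discussed in this thread, as an added example that is not part of the original posts and is not Bro code: a Python sketch that runs the same splicing pattern under `sh -c` with constructed payloads that only print a marker. `dq_escape` is a hypothetical stand-in for `str_shell_escape` (its character set is an assumption), `run_spliced` mimics `system(fmt(...))`, and `via_stdin` mimics handing the data to `piped_exec`.

```python
import subprocess

def sh(cmd, stdin_data=None):
    """Run cmd under sh -c (what system() does) and return its stdout."""
    return subprocess.run(["sh", "-c", cmd], input=stdin_data,
                          capture_output=True, text=True).stdout

def dq_escape(data):
    """Hypothetical stand-in for str_shell_escape, not Bro's code: backslash-escape
    the four characters sh still interprets inside double quotes."""
    return "".join("\\" + ch if ch in '\\"`$' else ch for ch in data)

def run_spliced(data, escape, quoted=True):
    """Mimic system(fmt("cmd \"%s\"", data)): data becomes part of the command."""
    arg = dq_escape(data) if escape else data
    template = 'printf "%%s" "%s"' if quoted else 'printf "%%s" %s'
    return sh(template % arg)

def via_stdin(data):
    """Mimic piped_exec(program, data): fixed command line, data only on STDIN."""
    return sh("cat", stdin_data=data)

# Constructed "sniffed" values; the payloads only print a marker.
SAMPLES = [
    "report.txt",
    'a"; echo INJECTED; echo "b',
    "$(echo INJECTED)",
    "`echo INJECTED`",
    "x; echo INJECTED",
    "trailing\\",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s))
        print("  raw, quoted       ->", repr(run_spliced(s, escape=False)))
        print("  escaped, quoted   ->", repr(run_spliced(s, escape=True)))
        print("  escaped, unquoted ->", repr(run_spliced(s, escape=True, quoted=False)))
        print("  stdin             ->", repr(via_stdin(s)))
```

Only the escaped-and-double-quoted form and the STDIN form return every sample unchanged; the escaped value spliced without surrounding double quotes still lets `x; echo INJECTED` run as two commands.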