Interprocess Communication from BroScript

Hi all,

I have some C code that analyses data (inc. URLs, domains) that I want to invoke from Bro to extract additional data from network data. I envisage this data being an extra column in the resultant bro log files.

I’m fairly sure I can do this with awk retrospectively but wanted to ask the list whether it was possible using some of the IPC commands in the language. Reading the specifications for these functions there appears to be no way to invoke the commands and receive non-trivial output.

The commands i’m looking at are
system,system_env - returns the return code from the command (limited to being an integer) - i thought about returning the result into an environment variable, but that would require invoked command to be recompiled
piped_exec - only returns true/false on success failure

Has anybody else done anything similar?
Are there anyways to load modules, call c functions (or functions in scripting languages) from the bro language?

Thanks in advance

James

Hi James:

Sounds like you could use the Broccoli library to perform the task you are envisioning: http://www.bro.org/download/README.broccoli.html

Jim Mellander
NERSC Cybersecurity

Bro 2.2 beta has an exec module.

----script------
redef exit_only_after_terminate = T;

@load base/utils/exec
event bro_init()
  {
  when ( local result = Exec::run([$cmd="date"]) )
    {
    print result;
    }
  timeout 5secs
    {
    print "Hm, it didn't return.";
    }
  }
-----end script-----

$ bro -b ./test-exec.bro
[exit_code=0, signal_exit=F, stdout=[Wed Oct 2 14:59:02 EDT 2013], stderr=<uninitialized>, files=<uninitialized>]

.Seth

Thanks Seth, I think this is exactly what I need, so I’m going to install 2.2. Beta now!
James