I would like to dump all events and types at Bro startup. E.g., the
desired output looks somewhat like this:

    type conn_id: record { orig_h: addr, ... }
    type connection: record { id : conn_id, orig: endpoint, ... }
    event new_connection(c : connection)

Two BiFs seem to be very close:

(1) record_type_to_vector(rt: string): vector of string

    Converts the record type name rt into a vector of strings, where
    each element is the name of a record field. Nested records are
    flattened.

(2) global_ids(): table[string] of script_id

    Returns a table with information about all global identifiers.
    The table value is a record containing the type name of the
    identifier, whether it is exported, a constant, an enum
    constant, redefinable, and its value (if it has one).

For example,

    bro -e 'event bro_init() { print record_type_to_vector("connection"); }'

prints

    [, id, orig, resp, start_time, duration, service, addl, hot,
    history, uid, dpd, conn, extract_orig, extract_resp, dns, dns_state,
    ftp, http, http_state, irc, smtp, smtp_state, ssh, ssl, syslog]

and

    bro -e 'event bro_init() { print global_ids(); }'

returns a list of identifiers. Here are some connection-related ones:

    [connection] = [type_name=record, exported=F, constant=F,
    enum_constant=F, redefinable=F, value=<uninitialized>],
    [remote_connection_established] = [type_name=func, exported=T,
    constant=T, enum_constant=F, redefinable=F,
    value=remote_connection_established
    Communication::do_script_log(Communication::p, connection established);
    [lookup_connection] = [type_name=func, exported=T, constant=F,
    enum_constant=F, redefinable=F, value=lookup_connection],
    [connection_finished] = [type_name=func, exported=T, constant=T,
    enum_constant=F, redefinable=F, value=connection_finished
    [connection_established] = [type_name=func, exported=T,
    constant=T, enum_constant=F, redefinable=F,
    value=connection_established

The problem is that (i) record_type_to_vector flattens nested records,
which makes it impossible to recover the true underlying type structure,
and (ii) events are merely listed as functions, without named
arguments.

Has anyone come across a similar problem? My hope is to get this
information in script land, but it looks like the information is not
readily available without tweaking some BiFs.

Matthias
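The closest approximation that the two BiFs described in the post allow, as an added example that is not part of the original message: a bro_init handler that walks global_ids(), prints every record type together with its (flattened) field names from record_type_to_vector, and lists every identifier reported as a func. It assumes Bro 2.x script syntax and the script_id field names shown in the post's output (type_name, exported, constant, enum_constant, redefinable, value); the two limitations the post raises remain visible, since nested fields come out flattened and func entries carry no argument names.

```bro
# Added example: dump what global_ids() and record_type_to_vector()
# expose about record types and functions/events at startup.
# Assumes Bro 2.x syntax and the script_id fields seen in the post.
event bro_init()
    {
    local ids = global_ids();

    for ( name in ids )
        {
        local info = ids[name];

        if ( info$type_name == "record" )
            {
            # Field names only; nested records are flattened here,
            # so the true structure of e.g. connection$id is lost.
            print fmt("type %s: record, fields (flattened):", name);
            print record_type_to_vector(name);
            }
        else if ( info$type_name == "func" )
            {
            # Events and functions are indistinguishable here and
            # no argument names are available from global_ids().
            print fmt("func %s (exported=%s, constant=%s)",
                      name, info$exported, info$constant);
            }
        }
    }
```

Run it with `bro -b this_script.bro` (or drop the `-b` to load the full default scripts, which is where the connection-related identifiers in the post come from); the output is a per-identifier listing rather than the `type ... record { ... }` declarations the post asks for, which is exactly the gap the post describes.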