Playing with the input framework

Zeek
1

Hi,

I recently finished reading about the new input framework http://www.icsi.berkeley.edu/~bernhard/papers/loneWolf.pdf and found it very interesting. As a first step, i tried implementing the example about reading data into tables mentioned here http://blog.bro-ids.org/2012/06/upcoming-loading-data-into-bro-with.html. My bro and source blacklist file look like this:

---------------------------------try.bro----------------------------------------------
module Try;

type Idx: record {
ip: addr;
};

type Val: record {
timestamp: time;
reason: string;
};

global blacklist: table[addr] of Val = table();

event bro_init()
{
print “hello”;
Input::add_table([$source=“bl.txt”, $name=“bl_stream”, $idx=Idx, $val=Val, $destination=Try::blacklist]);
Input::remove(“bl_stream”);
print “bye”;
}

event Input::update_finished(name: string, source: string)
{

now all data is in the table

print “Updated”;
print Try::blacklist;
}

----------------------------bl.txt---------------------------------------------

#fields ip timestamp reason
#types addr time string
192.168.17.1 1333252748 Malware host
192.168.27.2 1330235733 Botnet server
192.168.250.3 1333145108 Virus detected

2

Hello Sheharabano,

I just tried your example and it seems to work fine. Please note that the fields in the file “bl.txt” need to be separated with tabulators - including the header lines. If you simply copied the example from the website it probably ended up being separated with spaces.

The input frameworks outputs error messages. These are written into the file reporter.log (where most Bro error messages end up).

If the file contains a line that looks like
“Reporter::ERROR InputReader/bl.txt: Not enough fields in line…”
the framework is complaining about missing tabulators-fields (because it is not finding enough tab-separated entries in the line it read).

I hope that helps - if it still does not solve your problem please write again.

Johanna

3

Thank you. Indeed there was a tabulation problem. On a side note, how do you decide which errors are directed to the console and which ones are reported in reporter.log ?

Regards,

4

Nearly everything ends up in reporter.log.

The only things (I know of) that are directly reported to the command line are fatal errors like wrong command line switches or syntax errors in scripts that are encountered while parsing them.

Johanna