Hello all,
I am new to Bro and to the concept of a mailing-list-type forum. If this is not the best place for me to post my questions, please let me know what is so that I don’t waste anyone’s time.
I am trying to write a script that utilizes the new_connection event. The code is as follows:
@load base/protocols/conn
event new_connection(c: connection)
{
    print "hello"; #simplified definition for the purposes of email
}
When I run this with “bro test.bro”, I get the following error: error in ./test.bro, line 30: unknown identifier c, at or near “c”
I pulled this syntax straight from the “Scripting in Bro” examples page. Is there something else that I need to load? I am running the release version of Bro (2.1).
Thanks,
Connar Rosebraugh
line 30? What exactly is in test.bro? What is line 30? The 3 lines you
posted work fine by themselves.
type ConnDelta: record{
    #time connection was last seen.
    #consider updating to a set, and taking the stdev of the times
    lastSeen: time;
    delta: interval;
};
function update_time(t: time, c: ConnDelta): interval
{
    c$delta = c$lastSeen - t;
    c$lastSeen = t;
    #declared to return an interval, so return the stored delta
    return c$delta;
}
#event bro_init()
#{
# local t1 = current_time();
# local t2 = network_time();
# local t3: interval = t1 - t2;
#
# print t1;
# print t2;
# print t3;
#}
local connection_deltas: table[addr, addr, port] of ConnDelta;
This needs to be 'global' not 'local'. Possibly a parser bug that it
doesn't return a more helpful error message since it clearly gets
confused.
@load base/protocols/conn
#event new_connection(c: connection)
event new_connection(c: connection)
{
    update_time(c$start_time, connection_deltas[c$id$orig_h, c$id$resp_h, c$id$resp_p]);
}
The next problem you will run into is that you need to set &default for
connection_deltas that returns a default ConnDelta object for the first
time that this tuple is seen.
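
A complete version of the script with both points from the replies handled, as an added example that is not code from this thread. Instead of &default it creates the entry explicitly on first sighting, so the record is actually stored in the table; the 1hr expiry, the argument order of the subtraction and the print format are assumptions.

```bro
@load base/protocols/conn

type ConnDelta: record {
    lastSeen: time;     # start time of the most recent connection for this tuple
    delta: interval;    # gap between the two most recent connections
};

# Declared at file scope, so it must be 'global'. The 1hr expiry is an
# assumed value that keeps the table from growing without bound.
global connection_deltas: table[addr, addr, port] of ConnDelta &write_expire=1hr;

# Records are passed by reference, so this updates the table entry in place.
function update_time(t: time, d: ConnDelta): interval
    {
    d$delta = t - d$lastSeen;   # newer minus older, so the gap is positive
    d$lastSeen = t;
    return d$delta;
    }

event new_connection(c: connection)
    {
    local o = c$id$orig_h;
    local r = c$id$resp_h;
    local p = c$id$resp_p;

    if ( [o, r, p] !in connection_deltas )
        {
        # First time this tuple is seen: create the entry, nothing to compare yet.
        connection_deltas[o, r, p] = [$lastSeen=c$start_time, $delta=0secs];
        return;
        }

    local gap = update_time(c$start_time, connection_deltas[o, r, p]);
    print fmt("%s -> %s:%s gap %s", o, r, p, gap);
    }
```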