Syntax error in policy

Jose_M_Duart · March 2, 2004, 4:23pm

Hello all,

i'm trying to use Bro as a prelude sensor. There is a patch for Bro 8a20 and i
adapted the changes on the source to Bro8a70. Bro compiled fine but there is a
problem with when i try to execute it, fails with this syntax error:

# bro -i eth0 ./policy/prelude.bro
./policy/prelude.bro, line 50: error: syntax error, at or near "log_prelude"

The affected lines are:

47: local msg = a ?$ sub ? fmt("msg: %s -- sub: %s", a$ msg, a$ sub) : a$ msg;
48: local log_msg = fmt("alert: %s -- %s", msg, addl);

50: log_prelude( ip_src, port_src, ip_dst, port_dst, proto, log_msg ) ;
51: } # end of function

This policy file worked fine with versions 8a20 and 8a34. Any ideas?
If anyone is interested in the full modified source, i put it in

http://pikachute.uv.es/elas/bro-prelude.tgz

Thanks in advance
Jose M Duart

robin · March 3, 2004, 9:46am

"log_prelude" seems to be a new keyword. In parse.in the token
TOK_LOG_PRELUDE is defined, but it's not contained in any grammar
rule. Is it possible that there's a part of the patch missing?

Robin

Jose_M_Duart · March 3, 2004, 9:02pm

You are correct, thank you very much. "log_prelude" is a new keyword and is like
the "log" keyword (with small differences). I was adapting the 8a20 patch
searching for TOK_LOG and adding the Prelude code. I don't know why but i've
missed this change

I've added these lines to parse.in

    > TOK_LOG_PRELUDE '(' expr_list ')' ';'
            {
                $$ = new LogPreludeStmt($3);
            }

and Bro run successfully. I'm going to test it a while and if it works fine i
will post the patch.

Thanks again. Regards.
Jose M Duart

Robin Sommer <sommer@in.tum.de> va escriure:

Topic		Replies	Views
(no subject) Zeek	3	83	May 6, 2022
BRO prelude sensor Zeek	2	131	May 6, 2022
Error in listen.bro, line 6 Zeek	3	146	May 6, 2022
Debugging policy Zeek	3	94	May 6, 2022
error compiling pattern: ver. 1.2.1 Zeek	3	203	May 6, 2022

Syntax error in policy

Related topics