Using a BiF across C++ and Zeek Policy

JonZeolla · March 12, 2019, 4:15pm

I am working on improving the btests for the kafka writer plugin with the goal of validating some logic in KafkaWriter::DoInit. The best approach that I have so far is to write a BiF and use it in both DoInit and the btest via Zeek policy, but I have only been able to find limited documentation[1][2] on the topic.

I’ve looked around for examples of this approach without success, including in the past few years of the Zeek-dev mailing list archives. I explicitly want to stay away from the assumption that the Manager/Logger has a kafka broker available to it at the time of testing.

My BiF is fairly simple:


function SelectTopicName%(override: string, default: string, fallback: string%) : string
%{

// Things

%}

bifcl appears to be generating the following:

namespace BifFunc { namespace Kafka { extern Val* bro_SelectTopicName(Frame* frame, val_list*); } }

At this point I’m just randomly poking around in Zeek/src trying to find my way - any pointers regarding how to use this function in C++ (or another approach altogether) would be appreciated. Thanks,

1: https://www.zeek.org/development/howtos/bif-doc/index.html#functions
2: https://www.zeek.org/development/howtos/bif-doc/example.html

Jon

Jon_Siwek · March 13, 2019, 5:37pm

If I understand what you want, I think you may treat this just like
calling any other script-layer function from the C++ layer. So for an
example, this would lookup the function you want to call (substitute
the name of the function you want):

https://github.com/zeek/zeek/blob/a36ac12e885a60ee77f9141d4c35882cb53bc1f2/src/broker/Manager.cc#L161

You can also find the definition of "get_option" in the same file in
case that helps to look at.

Then here's an example of calling that function:

https://github.com/zeek/zeek/blob/a36ac12e885a60ee77f9141d4c35882cb53bc1f2/src/broker/Manager.cc#L543-L557

Note that the return value becomes your responsibility -- here it gets
used and then Unref()'d right away to take care of the required memory
management duties.

- Jon

Jan · March 13, 2019, 6:36pm

If you just need to wrap some internal logic you could extract it into a normal C++ function and use a BiF to call that function out of a Bro-Script.

Jan

Jon_Siwek · March 13, 2019, 7:14pm

Re-reading the problem statement, I agree that does seem like all that
may be needed -- factor out a common C++ function that get's called
from inside both the BIF and the DoInit() function.

- Jon

JonZeolla · March 13, 2019, 8:52pm

Ah, that sounds like a better approach! Thanks Jan

Jon

Topic		Replies	Views
Bif tuning / overhaul Development development	4	66	May 6, 2022
about "*.bif files" Zeek	2	62	May 6, 2022
Request for Handholding - BIF Extending Zeek	2	48	May 6, 2022
Extending zeek with rust Zeek	3	89	May 6, 2022
Othe than the CheckString function, how to return a whole complete raw string that may embed NUL characters in a bif function? Development	3	177	April 9, 2023

Using a BiF across C++ and Zeek Policy

Related Topics