Bro Script Syntax 3: Attributes
@(Tutorial)[Bro]
The Bro scripting language supports the following attributes:
Name | Description |
---|---|
&redef | Redefine a global constant or extend a type. |
&priority | Specify the priority of an event handler or hook. |
&log | Mark a record field as to be written to a log. |
&optional | Allow a record field to be missing. |
&default | Specify a default value. |
&add_func | Specify a function to call for each “redef +=”. |
&delete_func | Same as “&add_func”, except for “redef -=”. |
&expire_func | Specify a function to call when a container element expires. |
&read_expire | Specify a read timeout interval. |
&write_expire | Specify a write timeout interval. |
&create_expire | Specify a creation timeout interval. |
&synchronized | Synchronize a variable across nodes. |
&persistent | Make a variable persistent (written to disk). |
&rotate_interval | Rotate a file after a time interval. |
&rotate_size | Rotate a file after it reaches a given size. |
&encrypt | Encrypt a file when writing it. |
&raw_output | Open a file in raw mode (chars. are not escaped). |
&mergeable | Prefer set union for synchronized state. |
&error_handler | Used internally for reporter framework events. |
&type_column | Used by input framework for “port” type. |
&deprecated | Marks an identifier as deprecated. |
Attribute details
&redef
Allows redef to be used to redefine a global variable initialized with global or const, for example:
const clever = T &redef;
global cached_size = 256 &redef;
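Note that the value of a variable declared with global can be changed by an assignment statement, regardless of whether it carries the &redef attribute.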
&priority
Specifies the execution priority of an event or hook handler. Handlers with higher values run first; the default priority is 0.
Example:
event bro_init() &priority=10
{
    print "high priority";
}
&log
Writes a record field to the associated log stream.
&optional
Allows a field of a record to be left unset (at initialization or on assignment).
type myrec: record { a: addr; b: port &optional; };
local r = myrec($a=127.0.0.1);
local r2 = myrec($a=127.0.0.1, $b=80/tcp);
Use the ?$ operator to check whether a field exists.
&default
Specifies a default value (for a record field, a container element, or a function/hook/event parameter).
type myrec: record { a: count; b: port &default=80/tcp; c: double; };
In the following example, any attempt to look up an index that does not exist in the container returns "foo":
global mytable: table[count] of string &default="foo";
When this attribute is used in a function/hook/event, it must be placed at the end of the parameter list:
function myfunc(a: count, b: port &default=80/tcp)
{
    print a, b;
}
# Call style 1
myfunc(5);
# Call style 2
myfunc(5,53/udp);
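The following added example (not part of the original page) shows &priority, &log, &optional, &default and the ?$ operator working together in a small log stream. The module, type, field and function names (AuthDemo, Info, record_login) and the sample values are assumptions made for illustration.

```bro
# Added example, not from the original page. All names are hypothetical.
module AuthDemo;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:      time   &log;
        client:  addr   &log;
        # May be left unset; the ASCII writer prints "-" for an unset field.
        user:    string &log &optional;
        # Falls back to 22/tcp when the caller does not set it.
        service: port   &log &default=22/tcp;
        # No &log: usable by scripts but never written to the log.
        raw:     string &default="";
    };
}

# Higher priority runs first, so the stream exists before the
# default-priority bro_init handler below writes to it.
event bro_init() &priority=5
    {
    Log::create_stream(AuthDemo::LOG, [$columns=Info]);
    }

function record_login(rec: Info)
    {
    # ?$ guards access to an &optional field; reading an unset
    # field is a run-time error.
    if ( rec?$user )
        print fmt("login by %s from %s", rec$user, rec$client);
    else
        print fmt("login from %s (no user name seen)", rec$client);

    Log::write(AuthDemo::LOG, rec);
    }

event bro_init()
    {
    # Constructed sample records.
    record_login([$ts=current_time(), $client=192.0.2.10, $user="alice"]);
    record_login([$ts=current_time(), $client=192.0.2.11, $raw="garbled banner"]);
    }
```

Only the four fields marked &log become log columns; the second record is logged with "-" for user and 22/tcp for service.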
&add_func
Can be applied to an identifier with &redef to specify a function to be called any time a “redef += …” declaration is parsed. The function takes two arguments of the same type as the identifier, the first being the old value of the variable and the second being the new value given after the “+=” operator in the “redef” declaration. The return value of the function will be the actual new value of the variable after the “redef” declaration is parsed.
&delete_func
Same as &add_func, except for redef declarations that use the “-=” operator.
&expire_func
Called right before a container element expires. The function’s first parameter is of the same type as the container, and the second parameter is of the same type as the container’s index. The return value is an interval indicating the amount of additional time to wait before expiring the container element at the given index (which will trigger another execution of this function).
&read_expire
Specifies a read expiration timeout for container elements. That is, the element expires after the given amount of time since the last time it has been read. Note that a write also counts as a read.
&write_expire
Specifies a write expiration timeout for container elements. That is, the element expires after the given amount of time since the last time it has been written.
&create_expire
Specifies a creation expiration timeout for container elements. That is, the element expires after the given amount of time since it has been inserted into the container, regardless of any reads or writes.
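As an added example (not part of the original page), the table below combines &default, &create_expire and &expire_func to count failed connection attempts per source over a fixed window. The names ExpireDemo, report_expired and failed_attempts, the 5min window and the threshold of 10 are assumptions made for illustration.

```bro
# Added example, not from the original page. All names are hypothetical.
module ExpireDemo;

# Declared before the table that refers to it. Arguments are the
# container itself and the index of the element about to expire.
function report_expired(t: table[addr] of count, idx: addr): interval
    {
    # The element is still present here, so t[idx] can be read.
    # The threshold of 10 is a constructed value.
    if ( t[idx] >= 10 )
        print fmt("%s: %d failed connection attempts in window", idx, t[idx]);

    # 0secs = no additional time: the element is removed now.
    # Returning e.g. 1min would keep it and call this function again later.
    return 0secs;
    }

# &default=0 lets a missing index be read (and incremented) as 0.
# &create_expire counts from insertion, so the writes done by the
# increment below do not extend an element's lifetime. With
# &write_expire every increment would restart the timer, and with
# &read_expire every read or write would.
global failed_attempts: table[addr] of count
    &default=0
    &create_expire=5min
    &expire_func=report_expired;

# Raised for an unsuccessful connection attempt.
event connection_attempt(c: connection)
    {
    local src = c$id$orig_h;
    failed_attempts[src] = failed_attempts[src] + 1;
    }
```

Choosing &create_expire here gives each source a fixed observation window; a slow, steady stream of attempts cannot keep its own entry alive indefinitely.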
&synchronized
Synchronizes variable accesses across nodes. The value of a &synchronized variable is automatically propagated to all peers when it changes.
&persistent
Makes a variable persistent, i.e., its value is written to disk (per default at shutdown time).
&rotate_interval
Rotates a file after a specified interval.
Note: This attribute is deprecated and will be removed in a future release.
&rotate_size
Rotates a file after it has reached a given size in bytes.
Note: This attribute is deprecated and will be removed in a future release.
&encrypt
Encrypts files right before writing them to disk.
Note: This attribute is deprecated and will be removed in a future release.
&raw_output
Opens a file in raw mode, i.e., non-ASCII characters are not escaped.
&mergeable
Prefers merging sets on assignment for synchronized state. This attribute is used in conjunction with &synchronized container types: when the same container is updated at two peers with different values, the propagation of the state causes a race condition, where the last update succeeds. This can cause inconsistencies and can be avoided by unifying the two sets, rather than merely overwriting the old value.
&error_handler
Internally set on the events that are associated with the reporter framework: reporter_info, reporter_warning, and reporter_error. It prevents any handlers of those events from being able to generate reporter messages that go through any of those events (i.e., it prevents an infinite event recursion). Instead, such nested reporter messages are output to stderr.
&type_column
Used by the input framework. It can be used on columns of type port (such a column only contains the port number) and specifies the name of an additional column in the input file which specifies the protocol of the port (tcp/udp/icmp).
In the following example, the input file would contain four columns named “ip”, “srcp”, “proto”, and “msg”:
type Idx: record {
    ip: addr;
};
type Val: record {
    srcp: port &type_column = "proto";
    msg: string;
};
&deprecated
The associated identifier is marked as deprecated and will be removed in a future version of Bro. Look in the NEWS file for more instructions to migrate code that uses deprecated functionality.