extern int bro_debug_calltrace; extern int bro_debug_messages; void (*BroEventFunc) (BroConn *bc, ...); BroConn* bro_conn_new (struct in_addr *ip_addr, uint16 port, int flags); BroConn* bro_conn_new_str (const char *hostname, int flags); void bro_conn_set_class (BroConn *bc, const char *classname); const char* bro_conn_get_peer_class (const BroConn *bc); int bro_conn_connect (BroConn *bc); int bro_conn_alive (const BroConn *bc); int bro_conn_delete (BroConn *bc); void bro_conn_adopt_events (BroConn *src, BroConn *dst); int bro_conn_get_fd (BroConn *bc); int bro_conn_process_input (BroConn *bc); void bro_conn_data_set (BroConn *bc, const char *key, void *val); void* bro_conn_data_get (BroConn *bc, const char *key); void* bro_conn_data_del (BroConn *bc, const char *key); BroEvent* bro_event_new (const char *event_name); void bro_event_free (BroEvent *be); int bro_event_add_val (BroEvent *be, int type, const char *type_name, const void *val); int bro_event_set_val (BroEvent *be, int val_num, int type, const char *type_name, const void *val); int bro_event_send (BroConn *bc, BroEvent *be); int bro_event_queue_length (BroConn *bc); int bro_event_queue_flush (BroConn *bc); void bro_event_registry_add (BroConn *bc, const char *event_name, BroEventFunc func, void *user_data); void bro_event_registry_remove (BroConn *bc, const char *event_name); void bro_event_registry_request (BroConn *bc); BroBuf* bro_buf_new (void); void bro_buf_free (BroBuf *buf); int bro_buf_append (BroBuf *buf, void *data, int data_len); void bro_buf_consume (BroBuf *buf); void bro_buf_reset (BroBuf *buf); uchar* bro_buf_get (BroBuf *buf); uchar* bro_buf_get_end (BroBuf *buf); uint bro_buf_get_size (BroBuf *buf); uint bro_buf_get_used_size (BroBuf *buf); uchar* bro_buf_ptr_get (BroBuf *buf); uint32 bro_buf_ptr_tell (BroBuf *buf); int bro_buf_ptr_seek (BroBuf *buf, int offset, int whence); int bro_buf_ptr_check (BroBuf *buf, int size); int bro_buf_ptr_read (BroBuf *buf, void *data, int size); int bro_buf_ptr_write (BroBuf *buf, void *data, int size); int bro_conf_get_int (const char *val_name, int *val); int bro_conf_get_dbl (const char *val_name, double *val); const char* bro_conf_get_str (const char *val_name); void bro_conf_set_domain (const char *domain); void bro_string_init (BroString *bs); int bro_string_set (BroString *bs, const char *s); int bro_string_set_data (BroString *bs, const uchar *data, int data_len); const uchar* bro_string_get_data (const BroString *bs); uint32 bro_string_get_length (const BroString *bs); BroString* bro_string_copy (BroString *bs); void bro_string_cleanup (BroString *bs); void bro_string_free (BroString *bs); BroRecord* bro_record_new (void); void bro_record_free (BroRecord *rec); int bro_record_add_val (BroRecord *rec, const char *name, int type, const char *type_name, const void *val); void* bro_record_get_nth_val (BroRecord *rec, int num, int type); void* bro_record_get_named_val (BroRecord *rec, const char *name, int type); int bro_record_set_nth_val (BroRecord *rec, int num, int type, const char *type_name, const void *val); int bro_record_set_named_val (BroRecord *rec, const char *name, int type, const char *type_name, const void *val); void bro_conn_set_packet_ctxt (BroConn *bc, int link_type); void bro_conn_get_packet_ctxt (BroConn *bc, int *link_type); BroPacket* bro_packet_new (const struct pcap_pkthdr *hdr, const u_char *data, const char *tag); BroPacket* bro_packet_clone (const BroPacket *packet); void bro_packet_free (BroPacket *packet); int bro_packet_send (BroConn *bc, BroPacket *packet); double bro_util_current_time (void); double bro_util_timeval_to_double (const struct timeval *tv); |
extern int bro_debug_calltrace; |
If you have debugging support built in (i.e., your package was configured with --enable-debugging), you can enable/disable debugging output for call tracing by setting this to 0 (off) or 1 (on). Default is "enabled".
extern int bro_debug_messages; |
If you have debugging support built in (i.e., your package was configured with --enable-debugging), you can enable/disable debugging messages by setting this to 0 (off) or 1 (on). Default is "enabled".
void (*BroEventFunc) (BroConn *bc,
...); |
This is the generic signature of callbacks for handling received
Bro events. For details see bro_event_registry_add().
Bro connection handle.
varargs.
BroConn* bro_conn_new (struct in_addr *ip_addr,
uint16 port,
int flags); |
The function creates a new Bro connection handle for communication with Bro through a network. Depending on the flags passed in, the connection and its setup process can be adjusted. If you don't want to pass any flags, use BRO_CFLAG_NONE.
4-byte IP address of Bro to contact, in network byte order.
port of machine at ip_addr to contact, in network byte order.
an or-combination of the BRO_CONN_xxx flags.
pointer to a newly allocated and initialized Bro connection structure. You need this structure for all other calls in order to identify the connection to Bro.
BroConn* bro_conn_new_str (const char *hostname,
int flags); |
The function is identical to bro_conn_new(), but allows you to specify the
host and port to connect to in a string as "<hostname>:<port>". flags can
be used to adjust the connection features and the setup process. If you don't
want to pass any flags, use BRO_CFLAG_NONE.
string describing the host and port to connect to.
an or-combination of the BRO_CONN_xxx flags.
pointer to a newly allocated and initialized Bro connection structure. You need this structure for all other calls in order to identify the connection to Bro.
void bro_conn_set_class (BroConn *bc,
const char *classname); |
Broccoli connections can indicate that they belong to a certain class
of connections, which is needed primarily if multiple Bro/Broccoli
instances are running on the same node and connect to a single remote
peer. You can set this class with this function, and you have to do so
before calling bro_connect()
connection handle.
class identifier.
const char* bro_conn_get_peer_class (const BroConn *bc); |
connection handle.
a string containing the connection class indicated by the peer, if any, otherwise NULL.
int bro_conn_connect (BroConn *bc); |
The function attempts to set up and configure a connection to the peer configured when the connection handle was obtained.
connection handle.
TRUE on success, FALSE on failure.
int bro_conn_alive (const BroConn *bc); |
This predicate reports whether the connection handle is currently usable for
sending/receiving data or not, e.g. because the peer died. Note that the
connection is also dead after the connection handle is obtained and
before bro_conn_connect() is called.
Bro connection handle.
TRUE if the connection is alive, FALSE otherwise.
int bro_conn_delete (BroConn *bc); |
This function will terminate the given connection if necessary and release all resources associated with the connection handle.
Bro connection handle
FALSE on error, TRUE otherwise.
void bro_conn_adopt_events (BroConn *src,
BroConn *dst); |
The function makes the connection identified by dst use the same event mask as the one identified by src.
Bro connection handle for connection whose event list to adopt.
Bro connection handle for connection whose event list to change.
int bro_conn_get_fd (BroConn *bc); |
If you need to know the file descriptor of the connection
(such as when select()
Bro connection handle.
file descriptor for connection bc, or negative value on error.
int bro_conn_process_input (BroConn *bc); |
The function reads all input sent to the local sensor by the Bro peering at the connection identified by bc. It is up to you to find a spot in the application you're instrumenting to make sure this is called. This function cannot block.
Bro connection handle
TRUE if any input was processed, FALSE otherwise.
void bro_conn_data_set (BroConn *bc,
const char *key,
void *val); |
The function stores val under name key in the connection handle bc. key is copied internally so you do not need to duplicate it before passing.
Bro connection handle.
name of the data item.
data item.
void* bro_conn_data_get (BroConn *bc,
const char *key); |
The function tries to look up the data item with name key and if found, returns it.
Bro connection handle.
name of the data item.
void* bro_conn_data_del (BroConn *bc,
const char *key); |
The function tries to remove the data item with name key.
Bro connection handle.
name of the data item.
BroEvent* bro_event_new (const char *event_name); |
The function creates a new empty event with the given name and returns it.
name of the Bro event.
new event, or NULL if allocation failed.
void bro_event_free (BroEvent *be); |
The function releases all memory associated with be. Note that you do NOT have to call this after sending an event.
event to release.
int bro_event_add_val (BroEvent *be,
int type,
const char *type_name,
const void *val); |
The function adds the given val to the argument list of event be. The type of val is derived from type, and may be specialized to the type named type_name. If type_name is not desired, use NULL.
event to add to.
numerical type identifier (a BRO_TYPE_xxx constant).
optional name of specialized type.
value to add to event.
TRUE if the operation was successful, FALSE otherwise.
int bro_event_set_val (BroEvent *be,
int val_num,
int type,
const char *type_name,
const void *val); |
The function replaces whatever value is currently stored in the event pointed to by be with the val specified through the type and val arguments. If the event does not currently hold enough values to replace one in position val_num, the function does nothing. If you want to indicate a type specialized from type, use type_name to give its name, otherwise pass NULL for type_name.
event handle.
number of the value to replace, starting at 0.
numerical type identifier (a BRO_TYPE_xxx constant).
optional name of specialized type.
value to put in.
TRUE if successful, FALSE on error.
int bro_event_send (BroConn *bc,
BroEvent *be); |
The function tries to send be to the Bro agent connected
through bc. Regardless of the outcome, you do NOT have
to release the event afterwards using bro_event_free().
Bro connection handle
event to send.
TRUE if the event got sent or queued for later transmission,
FALSE on error. There are no automatic repeated send attempts
(to minimize the effect on the code that Broccoli is linked to).
If you have to make sure that everything got sent, you have
to try to empty the queue using bro_event_queue_flush(), and
also look at bro_event_queue_empty()
int bro_event_queue_length (BroConn *bc); |
Use this function to find out how many events are currently queued on the client side.
Bro connection handle
number of items currently queued.
int bro_event_queue_flush (BroConn *bc); |
The function tries to send as many queued events to the Bro agent as possible.
Bro connection handle
remaining queue length after flush.
void bro_event_registry_add (BroConn *bc,
const char *event_name,
BroEventFunc func,
void *user_data); |
This function registers the callback func to be invoked when events of name event_name arrive on connection bc. user_data is passed along to the callback, which will receive it as the second parameter. You need to ensure that the memory user_data points to is valid during the time the callback might be invoked.
Note that this function only registers the callback in the state
associated with bc. If you use bro_event_registry_add() and bc
has not yet been connected via bro_conn_connect(), then no further
action is required. bro_conn_connect() request ant registered event types.
If however you are requesting additional event types after the connection has
been established, then you also need to call bro_event_registry_request()
in order to signal to the peering Bro that you want to receive those events.
Bro connection handle
Name of events that trigger callback
callback to invoke.
user data passed through to the callback.
void bro_event_registry_remove (BroConn *bc,
const char *event_name); |
The function removes all callbacks for event event_name from the event registry for connection bc.
Bro connection handle
event to ignore from now on.
void bro_event_registry_request (BroConn *bc); |
The function requests the events you have previously requested using
bro_event_registry_add() from the Bro listening on bc.
Bro connection handle
BroBuf* bro_buf_new (void); |
a new buffer object, or NULL on error. Use paired with
bro_buf_free().
void bro_buf_free (BroBuf *buf); |
The function releases all memory held by the buffer pointed
to by buf. Use paired with bro_buf_new().
buffer pointer.
int bro_buf_append (BroBuf *buf,
void *data,
int data_len); |
The function appends data to the end of the buffer,
enlarging it if necessary to hold the len new bytes.
NOTE: it does not modify the buffer pointer. It only
appends new data where buf_off is currently pointing
and updates it accordingly. If you DO want the buffer
pointer to be updated, have a look at bro_buf_ptr_write()
instead.
buffer pointer.
new data to append to buffer.
size of data.
TRUE if successful, FALSE otherwise.
void bro_buf_consume (BroBuf *buf); |
The function removes the buffer contents between the start
of the buffer and the point where the buffer pointer
currently points to. The idea is that you call bro_buf_ptr_read()
a few times to extract data from the buffer, and then
call bro_buf_consume() to signal to the buffer that the
extracted data are no longer needed inside the buffer.
buffer pointer.
void bro_buf_reset (BroBuf *buf); |
The function resets the buffer pointers to the beginning of the currently allocated buffer, i.e., it marks the buffer as empty.
buffer pointer.
uchar* bro_buf_get (BroBuf *buf); |
buffer pointer.
the entire buffer's contents.
uchar* bro_buf_get_end (BroBuf *buf); |
buffer pointer.
a pointer to the first byte in the buffer that is not currently used.
uint bro_buf_get_size (BroBuf *buf); |
buffer pointer.
the number of actual bytes allocated for the buffer.
uint bro_buf_get_used_size (BroBuf *buf); |
buffer pointer.
number of bytes currently used.
uchar* bro_buf_ptr_get (BroBuf *buf); |
buffer pointer.
current buffer content pointer.
uint32 bro_buf_ptr_tell (BroBuf *buf); |
buffer pointer.
current offset of buffer content pointer.
int bro_buf_ptr_seek (BroBuf *buf,
int offset,
int whence); |
The function adjusts the position of buf's content
pointer. Call semantics are identical to fseek()
buffer pointer.
number of bytes by which to adjust pointer, positive or negative.
location relative to which to adjust.
TRUE if adjustment could be made, FALSE if not (e.g. because the offset requested is not within legal bounds).
int bro_buf_ptr_check (BroBuf *buf,
int size); |
The function checks whether size bytes could be read from the
buffer using bro_buf_ptr_read().
buffer pointer.
number of bytes to check for availability.
TRUE if size bytes can be read, FALSE if not.
int bro_buf_ptr_read (BroBuf *buf,
void *data,
int size); |
The function copies size bytes into data if the buffer
has size bytes available from the current location of
the buffer content pointer onward, incrementing the content
pointer accordingly. If not, the function doesn't do anything.
It behaves thus different from the normal read()
buffer pointer.
destination area.
number of bytes to copy into data.
TRUE if size bytes were copied, FALSE if not.
int bro_buf_ptr_write (BroBuf *buf,
void *data,
int size); |
The function writes size bytes of the area pointed to by data into the buffer buf at the current location of its content pointer, adjusting the content pointer accordingly. If the buffer doesn't have enough space to receive size bytes, more space is allocated.
buffer pointer.
data to write.
number of bytes to copy into data.
TRUE if size bytes were copied, FALSE if an error occurred and the bytes could not be copied.
int bro_conf_get_int (const char *val_name,
int *val); |
The function tries to find an integer item named val_name in the configuration. If it is found, its value is placed into the int pointed to by val.
key name for the value.
result pointer for the value.
TRUE if val_name was found, FALSE otherwise.
int bro_conf_get_dbl (const char *val_name,
double *val); |
The function tries to find a double float item named val_name in the configuration. If it is found, its value is placed into the double pointed to by val.
key name for the value.
result pointer for the value.
TRUE if val_name was found, FALSE otherwise.
const char* bro_conf_get_str (const char *val_name); |
The function tries to find a string item named val_name in the configuration.
key name for the value.
the config item if val_name was found, NULL otherwise.
A returned string is stored internally and not to be modified. If
you need to keep it around, strdup()
void bro_conf_set_domain (const char *domain); |
Broccoli's config files are divided into sections. At the beginning of each config file you can have an unnamed section that will be used by default. Case is irrelevant. By passing NULL for domain, you select the default domain, otherwise the one that matches domain. domain is copied internally.
name of the domain, or NULL.
void bro_string_init (BroString *bs); |
The function initializes the BroString pointed to by bs. Use this function before using the members of a BroString you're using on the stack.
string pointer.
int bro_string_set (BroString *bs,
const char *s); |
The function initializes the BroString pointed to by bs to the string
given in s. s's content is copied, so you can modify or free s
after calling this, and you need to call bro_sting_cleanup()
string pointer.
C ASCII string.
TRUE is successful, FALSE otherwise.
int bro_string_set_data (BroString *bs,
const uchar *data,
int data_len); |
The function initializes the BroString pointed to by bs to data_len bytes starting at data. data's content is copied, so you can modify or free data after calling this.
string pointer.
arbitrary data.
length of data.
TRUE is successful, FALSE otherwise.
const uchar* bro_string_get_data (const BroString *bs); |
The function returns a pointer to the string's internal data. You
can copy out the string using this function in combination with
bro_string_get_length(), for obtaining the string's length.
string pointer.
pointer to string, or NULL on error.
uint32 bro_string_get_length (const BroString *bs); |
string pointer.
the string's length.
BroString* bro_string_copy (BroString *bs); |
string pointer.
a deep copy of the BroString pointed to by bs, or NULL on error.
void bro_string_cleanup (BroString *bs); |
This function releases all contents claimed by the BroString pointed
to by bs, without releasing that BroString structure itself. Use
this when manipulating a BroString on the stack, paired with
bro_string_init().
string pointer.
void bro_string_free (BroString *bs); |
This function releases the entire BroString pointed to by bs, including the BroString structure itself.
string pointer.
BroRecord* bro_record_new (void); |
The function allocates and initializes a new empty record. BroRecords are used for adding and retrieving records vals to/from events. You do not have to specify a record type separately when you create a record. The type is defined implicitly by the sequence of types formed by the sequence of vals added to the record, along with the names for each val. See the manual for details.
a new record, or NULL on error.
void bro_record_free (BroRecord *rec); |
The function releases all memory consumed by the record pointed to by rec.
record handle.
int bro_record_add_val (BroRecord *rec,
const char *name,
int type,
const char *type_name,
const void *val); |
The function adds a new field to the record pointed to by rec and assigns the value passed in to that field. The field name is given in name, the type of the val is given in type and must be one of the BRO_TYPE_xxx constants defined in broccoli.h. The type you give implies what data type val must be pointing to; see the manual for details. If you want to indicate a type specialized from type, use type_name to give its name, otherwise pass NULL for type_name. It is possible to leave fields unassigned, in that case, pass in NULL for val.
record handle.
field name of the added val.
numerical type tag of the new val.
optional name of specialized type.
pointer to the new val*.
TRUE on success, FALSE on error.
void* bro_record_get_nth_val (BroRecord *rec,
int num,
int type); |
The function returns the num'th value of the record pointed to by rec, expected to be of type. The returned value is internal and needs to be duplicated if you want to keep it around. type signals what type is expected. See the manual for details.
record handle.
field index, starting from 0.
expected type of the value.
void* bro_record_get_named_val (BroRecord *rec,
const char *name,
int type); |
The function returns the value of the field named name in the record pointed to by rec. The returned value is internal and needs to be duplicated if you want to keep it around. type signals what kind of type is expected. See the manual for details.
record handle.
field name.
expected type of the value.
int bro_record_set_nth_val (BroRecord *rec,
int num,
int type,
const char *type_name,
const void *val); |
The function replaces the num'th value of the record pointed to by rec, expected to be of type. All values are copied internally so what val points to stays unmodified. The value of type implies what result must be pointing to. See the manual for details. If you want to indicate a type specialized from type, use type_name to give its name, otherwise pass NULL for type_name.
record handle.
field index, starting from 0.
expected type of the value.
optional name of specialized type.
pointer to new val.
TRUE on success, FALSE on error.
int bro_record_set_named_val (BroRecord *rec,
const char *name,
int type,
const char *type_name,
const void *val); |
The function replaces the value named name in the record pointed to by rec, expected to be of type. All values are copied internally so what val points to stays unmodified. The value of type implies what result must be pointing to. See the manual for details. If you want to indicate a type specialized from type, use type_name to give its name, otherwise pass NULL for type_name.
record handle.
field name.
expected type of the value.
optional name of specialized type.
pointer to new val.
TRUE on success, FALSE on error.
void bro_conn_set_packet_ctxt (BroConn *bc,
int link_type); |
The function sets the packet context for bc for future BroPackets handled by this connection.
connection handle.
libpcap DLT linklayer type.
void bro_conn_get_packet_ctxt (BroConn *bc,
int *link_type); |
The function returns bc's current packet context through link_type.
connection handle.
result pointer for libpcap DLT linklayer type.
BroPacket* bro_packet_new (const struct pcap_pkthdr *hdr,
const u_char *data,
const char *tag); |
The function creates a new BroPacket by copying hdr and data internally.
Release the resulting packet using bro_packet_free().
pointer to libpcap packet header.
pointer to libpcap packet data.
pointer to ASCII tag (0 for no tag).
BroPacket* bro_packet_clone (const BroPacket *packet); |
packet to clone.
a copy of packet, or NULL on error.
void bro_packet_free (BroPacket *packet); |
The function releases all memory occupied by a packet previously allocated
using bro_packet_new().
packet to release.
int bro_packet_send (BroConn *bc,
BroPacket *packet); |
The function sends packet to the Bro peer connected via bc.
connection on which to send packet.
packet to send.
TRUE if successful, FALSE otherwise.
double bro_util_current_time (void); |
the current system time as a double, in seconds, suitable
for passing to bro_event_add_time()