Broccoli API Documentation  1.100-9
Broccoli API Documentation
Data Structures | Macros | Typedefs | Functions | Variables
broccoli.h File Reference
#include <inttypes.h>
#include <unistd.h>
#include <sys/types.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <openssl/crypto.h>
#include <pcap.h>

Go to the source code of this file.

Data Structures

struct  bro_ctx
 Initialization context for the Broccoli library. More...
 
struct  bro_conn_stats
 Statistical properties of a given connection. More...
 
struct  bro_string
 BroStrings are used to access string parameters in received events. More...
 
struct  bro_port
 Ports in Broccoli do not only consist of a number but also indicate whether they are TCP or UDP. More...
 
struct  bro_addr
 IP addresses are 16-bytes in network byte order. More...
 
struct  bro_subnet
 Subnets are a 16-byte address with a prefix width in bits. More...
 
struct  bro_ev_arg
 Encapsulation of arguments passed to an event callback, for the compact style of argument passing. More...
 
struct  bro_ev_meta
 Metadata for an event, passed to callbacks of the BroCompactEventFunc prototype. More...
 
struct  bro_packet
 Broccoli can send and receive pcap-captured packets, wrapped into the following structure: More...
 

Macros

#define FALSE   (0)
 
#define TRUE   (!FALSE)
 
#define BRO_TYPE_UNKNOWN   0
 BRO_TYPE_UNKNOWN is not used in the data exchange, see bro_record_get_{nth,named}_val() for its use. More...
 
#define BRO_TYPE_BOOL   1
 
#define BRO_TYPE_INT   2
 
#define BRO_TYPE_COUNT   3
 
#define BRO_TYPE_COUNTER   4
 
#define BRO_TYPE_DOUBLE   5
 
#define BRO_TYPE_TIME   6
 
#define BRO_TYPE_INTERVAL   7
 
#define BRO_TYPE_STRING   8
 
#define BRO_TYPE_PATTERN   9
 
#define BRO_TYPE_ENUM   10
 
#define BRO_TYPE_TIMER   11
 
#define BRO_TYPE_PORT   12
 
#define BRO_TYPE_IPADDR   13
 
#define BRO_TYPE_SUBNET   14
 
#define BRO_TYPE_ANY   15
 
#define BRO_TYPE_TABLE   16
 
#define BRO_TYPE_UNION   17
 
#define BRO_TYPE_RECORD   18
 
#define BRO_TYPE_LIST   19
 
#define BRO_TYPE_FUNC   20
 
#define BRO_TYPE_FILE   21
 
#define BRO_TYPE_VECTOR   22
 
#define BRO_TYPE_ERROR   23
 
#define BRO_TYPE_PACKET   24 /* CAUTION -- not defined in Bro! */
 
#define BRO_TYPE_SET   25 /* CAUTION -- not defined in Bro! */
 
#define BRO_TYPE_MAX   26
 
#define BRO_CFLAG_NONE   0
 
#define BRO_CFLAG_RECONNECT   (1 << 0)
 Attempt transparent reconnects. More...
 
#define BRO_CFLAG_ALWAYS_QUEUE   (1 << 1)
 Queue events sent while disconnected. More...
 
#define BRO_CFLAG_SHAREABLE   (1 << 2)
 DO NOT USE – no longer supported. More...
 
#define BRO_CFLAG_DONTCACHE   (1 << 3)
 Ask peer not to use I/O cache (default) More...
 
#define BRO_CFLAG_YIELD   (1 << 4)
 Process just one event at a time. More...
 
#define BRO_CFLAG_CACHE   (1 << 5)
 Ask peer to use I/O cache. More...
 
#define BRO_PCAP_SUPPORT
 

Typedefs

typedef uint64_t uint64
 
typedef uint32_t uint32
 
typedef uint16_t uint16
 
typedef uint8_t uint8
 
typedef unsigned char uchar
 
typedef struct bro_conn BroConn
 
typedef struct bro_event BroEvent
 
typedef struct bro_buf BroBuf
 
typedef struct bro_record BroRecord
 
typedef struct bro_table BroTable
 
typedef struct bro_table BroSet
 
typedef struct bro_vector BroVector
 
typedef struct bro_ev_meta BroEvMeta
 
typedef struct bro_packet BroPacket
 
typedef void(* BroEventFunc) (BroConn *bc, void *user_data,...)
 BroEventFunc - The signature of expanded event callbacks. More...
 
typedef void(* BroCompactEventFunc) (BroConn *bc, void *user_data, BroEvMeta *meta)
 BroCompactEventFunc - The signature of compact event callbacks. More...
 
typedef void(* BroPacketFunc) (BroConn *bc, void *user_data, const BroPacket *packet)
 
typedef void(* OpenSSL_lock_func) (int mode, int n, const char *file, int line)
 OpenSSL_lockfunc - locking function for OpenSSL thread safeness. More...
 
typedef unsigned long(* OpenSSL_thread_id_func) (void)
 OpenSSL_thread_id_func - thread ID function for OpenSSL thread safeness. More...
 
typedef struct CRYPTO_dynlock_value *(* OpenSSL_dynlock_create_func) (const char *file, int line)
 OpenSSL_dynlock_create_func - allocator for dynamic locks, for OpenSSL thread safeness. More...
 
typedef void(* OpenSSL_dynlock_lock_func) (int mode, struct CRYPTO_dynlock_value *mutex, const char *file, int line)
 OpenSSL_dynlock_lock_func - lock/unlock dynamic locks, for OpenSSL thread safeness. More...
 
typedef void(* OpenSSL_dynlock_free_func) (struct CRYPTO_dynlock_value *mutex, const char *file, int line)
 OpenSSL_dynlock_free_func - dynamic lock deallocator, for OpenSSL thread safeness. More...
 
typedef struct bro_ctx BroCtx
 Initialization context for the Broccoli library. More...
 
typedef struct bro_conn_stats BroConnStats
 Statistical properties of a given connection. More...
 
typedef struct bro_string BroString
 BroStrings are used to access string parameters in received events. More...
 
typedef struct bro_port BroPort
 Ports in Broccoli do not only consist of a number but also indicate whether they are TCP or UDP. More...
 
typedef struct bro_addr BroAddr
 IP addresses are 16-bytes in network byte order. More...
 
typedef struct bro_subnet BroSubnet
 Subnets are a 16-byte address with a prefix width in bits. More...
 
typedef struct bro_ev_arg BroEvArg
 Encapsulation of arguments passed to an event callback, for the compact style of argument passing. More...
 
typedef int(* BroTableCallback) (void *key, void *val, void *user_data)
 BroTableCallback - The signature of callbacks for iterating over tables. More...
 
typedef int(* BroSetCallback) (void *val, void *user_data)
 BroTableCallback - The signature of callbacks for iterating over sets. More...
 

Functions

int bro_init (const BroCtx *ctx)
 bro_init - Initializes the library. More...
 
void bro_ctx_init (BroCtx *ctx)
 bro_ctx_init - Initializes initialization context to default values. More...
 
BroConnbro_conn_new (struct in_addr *ip_addr, uint16 port, int flags)
 bro_conn_new - Creates and returns a handle for a connection to a remote Bro. More...
 
BroConnbro_conn_new6 (struct in6_addr *ip_addr, uint16 port, int flags)
 bro_conn_new6 - Creates and returns a handle for a connection to a remote Bro. More...
 
BroConnbro_conn_new_str (const char *hostname, int flags)
 bro_conn_new_str - Same as bro_conn_new(), but accepts strings for hostname and port. More...
 
BroConnbro_conn_new_socket (int socket, int flags)
 bro_conn_new_socket - Same as bro_conn_new(), but uses existing socket. More...
 
void bro_conn_set_class (BroConn *bc, const char *classname)
 bro_conn_set_class - Sets a connection's class identifier. More...
 
const char * bro_conn_get_peer_class (const BroConn *bc)
 bro_conn_get_peer_class - Reports connection class indicated by peer. More...
 
void bro_conn_get_connstats (const BroConn *bc, BroConnStats *cs)
 bro_conn_get_connstats - Reports connection properties. More...
 
int bro_conn_connect (BroConn *bc)
 bro_conn_connect - Establish connection to peer. More...
 
int bro_conn_reconnect (BroConn *bc)
 bro_conn_reconnect - Drop the current connection and reconnect, reusing all settings. More...
 
int bro_conn_delete (BroConn *bc)
 bro_conn_delete - terminates and releases connection. More...
 
int bro_conn_alive (const BroConn *bc)
 bro_conn_alive - Reports whether a connection is currently alive or has died. More...
 
void bro_conn_adopt_events (BroConn *src, BroConn *dst)
 bro_conn_adopt_events - Makes one connection send out the same events as another. More...
 
int bro_conn_get_fd (BroConn *bc)
 bro_conn_get_fd - Returns file descriptor of a Bro connection. More...
 
int bro_conn_process_input (BroConn *bc)
 bro_conn_process_input - Processes input sent to the sensor by Bro. More...
 
void bro_conn_data_set (BroConn *bc, const char *key, void *val)
 bro_conn_data_set - Puts a data item into the registry. More...
 
void * bro_conn_data_get (BroConn *bc, const char *key)
 bro_conn_data_get - Looks up a data item. More...
 
void * bro_conn_data_del (BroConn *bc, const char *key)
 bro_conn_data_del - Removes a data item. More...
 
BroEventbro_event_new (const char *event_name)
 bro_event_new - Creates a new empty event with a given name. More...
 
void bro_event_free (BroEvent *be)
 bro_event_free - Releases all memory associated with an event. More...
 
int bro_event_add_val (BroEvent *be, int type, const char *type_name, const void *val)
 bro_event_add_val - Adds a parameter to an event. More...
 
int bro_event_set_val (BroEvent *be, int val_num, int type, const char *type_name, const void *val)
 bro_event_set_val - Replace a value in an event. More...
 
int bro_event_send (BroConn *bc, BroEvent *be)
 bro_event_send - Tries to send an event to a Bro agent. More...
 
int bro_event_send_raw (BroConn *bc, const uchar *data, int data_len)
 bro_event_send_raw - Enqueues a serialized event directly into a connection's send buffer. More...
 
int bro_event_queue_length (BroConn *bc)
 bro_event_queue_length - Returns current queue length. More...
 
int bro_event_queue_length_max (BroConn *bc)
 bro_event_queue_length_max - Returns maximum queue length. More...
 
int bro_event_queue_flush (BroConn *bc)
 bro_event_queue_flush - Tries to flush the send queue of a connection. More...
 
void bro_event_registry_add (BroConn *bc, const char *event_name, BroEventFunc func, void *user_data)
 bro_event_registry_add - Adds an expanded-argument event callback to the event registry. More...
 
void bro_event_registry_add_compact (BroConn *bc, const char *event_name, BroCompactEventFunc func, void *user_data)
 bro_event_registry_add_compact - Adds a compact-argument event callback to the event registry. More...
 
void bro_event_registry_remove (BroConn *bc, const char *event_name)
 bro_event_registry_remove - Removes an event handler. More...
 
void bro_event_registry_request (BroConn *bc)
 bro_event_registry_request - Notifies peering Bro to send events. More...
 
BroBufbro_buf_new (void)
 bro_buf_new - Creates a new buffer object. More...
 
void bro_buf_free (BroBuf *buf)
 bro_buf_free - Releases a dynamically allocated buffer object. More...
 
int bro_buf_append (BroBuf *buf, void *data, int data_len)
 bro_buf_append - appends data to the end of the buffer. More...
 
void bro_buf_consume (BroBuf *buf)
 bro_buf_consume - shrinks the buffer. More...
 
void bro_buf_reset (BroBuf *buf)
 bro_buf_reset - resets the buffer. More...
 
ucharbro_buf_get (BroBuf *buf)
 bro_buf_get - Returns pointer to actual start of buffer. More...
 
ucharbro_buf_get_end (BroBuf *buf)
 bro_buf_get_end - Returns pointer to the end of the buffer. More...
 
uint bro_buf_get_size (BroBuf *buf)
 bro_buf_get_size - Returns number of bytes allocated for buffer. More...
 
uint bro_buf_get_used_size (BroBuf *buf)
 bro_buf_get_used_size - Returns number of bytes currently used. More...
 
ucharbro_buf_ptr_get (BroBuf *buf)
 bro_buf_ptr_get - Returns current buffer content pointer. More...
 
uint32 bro_buf_ptr_tell (BroBuf *buf)
 bro_buf_ptr_tell - Returns current offset of buffer content pointer. More...
 
int bro_buf_ptr_seek (BroBuf *buf, int offset, int whence)
 bro_buf_ptr_seek - Adjusts buffer content pointer. More...
 
int bro_buf_ptr_check (BroBuf *buf, int size)
 bro_buf_ptr_check - Checks whether a number of bytes can be read. More...
 
int bro_buf_ptr_read (BroBuf *buf, void *data, int size)
 bro_buf_ptr_read - Extracts a number of bytes from buffer. More...
 
int bro_buf_ptr_write (BroBuf *buf, void *data, int size)
 bro_buf_ptr_write - Writes a number of bytes into buffer. More...
 
void bro_conf_set_domain (const char *domain)
 bro_conf_set_domain - Sets the current domain to use in a config file. More...
 
int bro_conf_get_int (const char *val_name, int *val)
 bro_conf_get_int - Retrieves an integer from the configuration. More...
 
int bro_conf_get_dbl (const char *val_name, double *val)
 bro_conf_get_dbl - Retrieves a double float from the configuration. More...
 
const char * bro_conf_get_str (const char *val_name)
 bro_conf_get_str - Retrieves an integer from the configuration. More...
 
void bro_string_init (BroString *bs)
 bro_string_init - Initializes an existing string structure. More...
 
int bro_string_set (BroString *bs, const char *s)
 bro_string_set - Sets a BroString's contents. More...
 
int bro_string_set_data (BroString *bs, const uchar *data, int data_len)
 bro_string_set_data - Sets a BroString's contents. More...
 
const ucharbro_string_get_data (const BroString *bs)
 bro_string_get_data - Returns pointer to the string data. More...
 
uint32 bro_string_get_length (const BroString *bs)
 bro_string_get_length - Returns string's length. More...
 
BroStringbro_string_copy (BroString *bs)
 bro_string_copy - Duplicates a BroString. More...
 
void bro_string_assign (BroString *src, BroString *dst)
 bro_string_assign - Duplicates a BroString's content, assigning it to an existing one. More...
 
void bro_string_cleanup (BroString *bs)
 bro_string_cleanup - Cleans up existing BroString. More...
 
void bro_string_free (BroString *bs)
 bro_string_free - Cleans up dynamically allocated BroString. More...
 
BroRecordbro_record_new (void)
 bro_record_new - Creates a new record. More...
 
void bro_record_free (BroRecord *rec)
 bro_record_free - Releases a record. More...
 
int bro_record_get_length (BroRecord *rec)
 bro_record_get_length - Returns number of fields in record. More...
 
int bro_record_add_val (BroRecord *rec, const char *name, int type, const char *type_name, const void *val)
 bro_record_add_val - Adds a value to a record. More...
 
void * bro_record_get_nth_val (BroRecord *rec, int num, int *type)
 bro_record_get_nth_val - Retrieves a value from a record by field index. More...
 
const char * bro_record_get_nth_name (BroRecord *rec, int num)
 bro_record_get_nth_name - Retrieves a name from a record by field index. More...
 
void * bro_record_get_named_val (BroRecord *rec, const char *name, int *type)
 bro_record_get_named_val - Retrieves a value from a record by field name. More...
 
int bro_record_set_nth_val (BroRecord *rec, int num, int type, const char *type_name, const void *val)
 bro_record_set_nth_val - Replaces a value in a record, identified by field index. More...
 
int bro_record_set_named_val (BroRecord *rec, const char *name, int type, const char *type_name, const void *val)
 bro_record_set_named_val - Replaces a value in a record, identified by name. More...
 
BroTablebro_table_new (void)
 
void bro_table_free (BroTable *tbl)
 
int bro_table_insert (BroTable *tbl, int key_type, const void *key, int val_type, const void *val)
 
void * bro_table_find (BroTable *tbl, const void *key)
 
int bro_table_get_size (BroTable *tbl)
 
void bro_table_foreach (BroTable *tbl, BroTableCallback cb, void *user_data)
 
void bro_table_get_types (BroTable *tbl, int *key_type, int *val_type)
 
BroSetbro_set_new (void)
 
void bro_set_free (BroSet *set)
 
int bro_set_insert (BroSet *set, int type, const void *val)
 
int bro_set_find (BroSet *set, const void *key)
 
int bro_set_get_size (BroSet *set)
 
void bro_set_foreach (BroSet *set, BroSetCallback cb, void *user_data)
 
void bro_set_get_type (BroSet *set, int *type)
 
BroVectorbro_vector_new (void)
 bro_vector_new - Creates a new vector. More...
 
void bro_vector_free (BroVector *vec)
 bro_vector_free - Releases a vector. More...
 
int bro_vector_get_length (BroVector *vec)
 bro_vector_get_length - Returns number of elements in vector. More...
 
int bro_vector_add_val (BroVector *vec, int type, const char *type_name, const void *val)
 bro_vector_add_val - Adds a value to a vector. More...
 
void * bro_vector_get_nth_val (BroVector *vec, int num, int *type)
 bro_vector_get_nth_val - Retrieves a value from a vector by index. More...
 
int bro_vector_set_nth_val (BroVector *vec, int num, int type, const char *type_name, const void *val)
 bro_vector_set_nth_val - Replaces a value in a vector, identified by index. More...
 
void bro_conn_set_packet_ctxt (BroConn *bc, int link_type)
 bro_conn_set_packet_ctxt - Sets current packet context for connection. More...
 
void bro_conn_get_packet_ctxt (BroConn *bc, int *link_type)
 bro_conn_get_packet_ctxt - Gets current packet context for connection. More...
 
BroPacketbro_packet_new (const struct pcap_pkthdr *hdr, const u_char *data, const char *tag)
 bro_packet_new - Creates a new packet. More...
 
BroPacketbro_packet_clone (const BroPacket *packet)
 bro_packet_clone - Clones a packet. More...
 
void bro_packet_free (BroPacket *packet)
 bro_packet_free - Releases a packet. More...
 
int bro_packet_send (BroConn *bc, BroPacket *packet)
 bro_packet_send - Sends a packet over a given connection. More...
 
double bro_util_current_time (void)
 bro_util_current_time - Gets current time. More...
 
double bro_util_timeval_to_double (const struct timeval *tv)
 bro_util_timeval_to_double - Converts timeval struct to double. More...
 
int bro_util_is_v4_addr (const BroAddr *a)
 bro_util_is_v4_addr - Checks if an address is IPv4. More...
 

Variables

int bro_debug_calltrace
 bro_debug_calltrace - Debugging output switch for call tracing. More...
 
int bro_debug_messages
 bro_debug_messages - Output switch for debugging messages. More...
 
const uint8 BRO_IPV4_MAPPED_PREFIX [12]
 The standard 12-byte prefix of a 16-byte IPv6 address that indicates it's a mapped IPv4 address. More...
 

Macro Definition Documentation

◆ BRO_CFLAG_ALWAYS_QUEUE

#define BRO_CFLAG_ALWAYS_QUEUE   (1 << 1)

Queue events sent while disconnected.

◆ BRO_CFLAG_CACHE

#define BRO_CFLAG_CACHE   (1 << 5)

Ask peer to use I/O cache.

◆ BRO_CFLAG_DONTCACHE

#define BRO_CFLAG_DONTCACHE   (1 << 3)

Ask peer not to use I/O cache (default)

◆ BRO_CFLAG_NONE

#define BRO_CFLAG_NONE   0

◆ BRO_CFLAG_RECONNECT

#define BRO_CFLAG_RECONNECT   (1 << 0)

Attempt transparent reconnects.

◆ BRO_CFLAG_SHAREABLE

#define BRO_CFLAG_SHAREABLE   (1 << 2)

DO NOT USE – no longer supported.

◆ BRO_CFLAG_YIELD

#define BRO_CFLAG_YIELD   (1 << 4)

Process just one event at a time.

◆ BRO_PCAP_SUPPORT

#define BRO_PCAP_SUPPORT

◆ BRO_TYPE_ANY

#define BRO_TYPE_ANY   15

◆ BRO_TYPE_BOOL

#define BRO_TYPE_BOOL   1

◆ BRO_TYPE_COUNT

#define BRO_TYPE_COUNT   3

◆ BRO_TYPE_COUNTER

#define BRO_TYPE_COUNTER   4

◆ BRO_TYPE_DOUBLE

#define BRO_TYPE_DOUBLE   5

◆ BRO_TYPE_ENUM

#define BRO_TYPE_ENUM   10

◆ BRO_TYPE_ERROR

#define BRO_TYPE_ERROR   23

◆ BRO_TYPE_FILE

#define BRO_TYPE_FILE   21

◆ BRO_TYPE_FUNC

#define BRO_TYPE_FUNC   20

◆ BRO_TYPE_INT

#define BRO_TYPE_INT   2

◆ BRO_TYPE_INTERVAL

#define BRO_TYPE_INTERVAL   7

◆ BRO_TYPE_IPADDR

#define BRO_TYPE_IPADDR   13

◆ BRO_TYPE_LIST

#define BRO_TYPE_LIST   19

◆ BRO_TYPE_MAX

#define BRO_TYPE_MAX   26

◆ BRO_TYPE_PACKET

#define BRO_TYPE_PACKET   24 /* CAUTION -- not defined in Bro! */

◆ BRO_TYPE_PATTERN

#define BRO_TYPE_PATTERN   9

◆ BRO_TYPE_PORT

#define BRO_TYPE_PORT   12

◆ BRO_TYPE_RECORD

#define BRO_TYPE_RECORD   18

◆ BRO_TYPE_SET

#define BRO_TYPE_SET   25 /* CAUTION -- not defined in Bro! */

◆ BRO_TYPE_STRING

#define BRO_TYPE_STRING   8

◆ BRO_TYPE_SUBNET

#define BRO_TYPE_SUBNET   14

◆ BRO_TYPE_TABLE

#define BRO_TYPE_TABLE   16

◆ BRO_TYPE_TIME

#define BRO_TYPE_TIME   6

◆ BRO_TYPE_TIMER

#define BRO_TYPE_TIMER   11

◆ BRO_TYPE_UNION

#define BRO_TYPE_UNION   17

◆ BRO_TYPE_UNKNOWN

#define BRO_TYPE_UNKNOWN   0

BRO_TYPE_UNKNOWN is not used in the data exchange, see bro_record_get_{nth,named}_val() for its use.

◆ BRO_TYPE_VECTOR

#define BRO_TYPE_VECTOR   22

◆ FALSE

#define FALSE   (0)

◆ TRUE

#define TRUE   (!FALSE)

Typedef Documentation

◆ BroAddr

typedef struct bro_addr BroAddr

IP addresses are 16-bytes in network byte order.

IPv4 addresses use the standard IPv4-in-IPv6 mapping: 10 bytes off, 2 bytes on, then 4 bytes of the address.

◆ BroBuf

typedef struct bro_buf BroBuf

◆ BroCompactEventFunc

typedef void(* BroCompactEventFunc) (BroConn *bc, void *user_data, BroEvMeta *meta)

BroCompactEventFunc - The signature of compact event callbacks.

Parameters
bcBro connection handle.
user_datauser data provided to bro_event_registry_add_compact().
metametadata for the event.

This is the signature of callbacks for handling received Bro events, called in the compact-argument style. For details see bro_event_registry_add_compact().

◆ BroConn

typedef struct bro_conn BroConn

◆ BroConnStats

typedef struct bro_conn_stats BroConnStats

Statistical properties of a given connection.

◆ BroCtx

typedef struct bro_ctx BroCtx

Initialization context for the Broccoli library.

◆ BroEvArg

typedef struct bro_ev_arg BroEvArg

Encapsulation of arguments passed to an event callback, for the compact style of argument passing.

◆ BroEvent

typedef struct bro_event BroEvent

◆ BroEventFunc

typedef void(* BroEventFunc) (BroConn *bc, void *user_data,...)

BroEventFunc - The signature of expanded event callbacks.

Parameters
bcBro connection handle.
user_datauser data provided to bro_event_registry_add().
...varargs.

This is the signature of callbacks for handling received Bro events, called in the argument-expanded style. For details see bro_event_registry_add().

◆ BroEvMeta

typedef struct bro_ev_meta BroEvMeta

◆ BroPacket

typedef struct bro_packet BroPacket

◆ BroPacketFunc

typedef void(* BroPacketFunc) (BroConn *bc, void *user_data, const BroPacket *packet)

◆ BroPort

typedef struct bro_port BroPort

Ports in Broccoli do not only consist of a number but also indicate whether they are TCP or UDP.

◆ BroRecord

typedef struct bro_record BroRecord

◆ BroSet

typedef struct bro_table BroSet

◆ BroSetCallback

typedef int(* BroSetCallback) (void *val, void *user_data)

BroTableCallback - The signature of callbacks for iterating over sets.

Parameters
vala pointer to an element in the set.
user_datauser data passed through.

This is the signature of callbacks used when iterating over all elements stored in a BroSet.

Returns
TRUE if iteration should continue, FALSE if done.

◆ BroString

typedef struct bro_string BroString

BroStrings are used to access string parameters in received events.

◆ BroSubnet

typedef struct bro_subnet BroSubnet

Subnets are a 16-byte address with a prefix width in bits.

◆ BroTable

typedef struct bro_table BroTable

◆ BroTableCallback

typedef int(* BroTableCallback) (void *key, void *val, void *user_data)

BroTableCallback - The signature of callbacks for iterating over tables.

Parameters
keya pointer to the key of a key-value pair.
vala pointer to key's corresponding value.
user_datauser data passed through.

This is the signature of callbacks used when iterating over all elements stored in a BroTable.

Returns
TRUE if iteration should continue, FALSE if done.

◆ BroVector

typedef struct bro_vector BroVector

◆ OpenSSL_dynlock_create_func

typedef struct CRYPTO_dynlock_value*(* OpenSSL_dynlock_create_func) (const char *file, int line)

OpenSSL_dynlock_create_func - allocator for dynamic locks, for OpenSSL thread safeness.

Parameters
filefile from which OpenSSL invokes the callback.
lineline in file from which OpenSSL invokes the callback.

Please refer to pages 74ff in O'Reilly's OpenSSL book, and also see the comments for OpenSSL_lockfunc().

◆ OpenSSL_dynlock_free_func

typedef void(* OpenSSL_dynlock_free_func) (struct CRYPTO_dynlock_value *mutex, const char *file, int line)

OpenSSL_dynlock_free_func - dynamic lock deallocator, for OpenSSL thread safeness.

Parameters
mutexlock to deallocate.
filefile from which OpenSSL invokes the callback.
lineline in file from which OpenSSL invokes the callback.

Please refer to pages 74ff in O'Reilly's OpenSSL book, and also see the comments for OpenSSL_lockfunc().

◆ OpenSSL_dynlock_lock_func

typedef void(* OpenSSL_dynlock_lock_func) (int mode, struct CRYPTO_dynlock_value *mutex, const char *file, int line)

OpenSSL_dynlock_lock_func - lock/unlock dynamic locks, for OpenSSL thread safeness.

Parameters
modeacquire nth lock if (mode & CRYPTO_LOCK) is true, release otherwise.
mutexlock to lock/unlock.
filefile from which OpenSSL invokes the callback.
lineline in file from which OpenSSL invokes the callback.

Please refer to pages 74ff in O'Reilly's OpenSSL book, and also see the comments for OpenSSL_lockfunc().

◆ OpenSSL_lock_func

typedef void(* OpenSSL_lock_func) (int mode, int n, const char *file, int line)

OpenSSL_lockfunc - locking function for OpenSSL thread safeness.

Parameters
modeacquire nth lock if (mode & CRYPTO_LOCK) is true, release otherwise.
nlock index. You need to support at least CRYPTO_num_locks().
filefile from which OpenSSL invokes the callback.
lineline in file from which OpenSSL invokes the callback.

If you are using Broccoli in a multithreaded environment, you need to use bro_init() with a BroCtx structure and use it to point at an implementation of this callback. Refer to pages 74ff in O'Reilly's OpenSSL book (by Viega et al.) for details. You could also look at

http://www.openssl.org/support/faq.html#PROG1 http://www.openssl.org/docs/crypto/threads.html

but you will only curse OpenSSL even more than you already do after reading those.

◆ OpenSSL_thread_id_func

typedef unsigned long(* OpenSSL_thread_id_func) (void)

OpenSSL_thread_id_func - thread ID function for OpenSSL thread safeness.

Parameters
idtarget pointer into which the current thread's numeric ID must be written.

Please refer to pages 74ff in O'Reilly's OpenSSL book, and also see the comments for OpenSSL_lockfunc().

◆ uchar

typedef unsigned char uchar

◆ uint16

typedef uint16_t uint16

◆ uint32

typedef uint32_t uint32

◆ uint64

typedef uint64_t uint64

◆ uint8

typedef uint8_t uint8

Function Documentation

◆ bro_buf_append()

int bro_buf_append ( BroBuf buf,
void *  data,
int  data_len 
)

bro_buf_append - appends data to the end of the buffer.

Parameters
bufbuffer pointer.
datanew data to append to buffer.
data_lensize of data.

The function appends data to the end of the buffer, enlarging it if necessary to hold the len new bytes. NOTE: it does not modify the buffer pointer. It only appends new data where buf_off is currently pointing and updates it accordingly. If you DO want the buffer pointer to be updated, have a look at bro_buf_ptr_write() instead.

Returns
TRUE if successful, FALSE otherwise.

◆ bro_buf_consume()

void bro_buf_consume ( BroBuf buf)

bro_buf_consume - shrinks the buffer.

Parameters
bufbuffer pointer.

The function removes the buffer contents between the start of the buffer and the point where the buffer pointer currently points to. The idea is that you call bro_buf_ptr_read() a few times to extract data from the buffer, and then call bro_buf_consume() to signal to the buffer that the extracted data are no longer needed inside the buffer.

◆ bro_buf_free()

void bro_buf_free ( BroBuf buf)

bro_buf_free - Releases a dynamically allocated buffer object.

Parameters
bufbuffer pointer.

The function releases all memory held by the buffer pointed to by buf. Use paired with bro_buf_new().

◆ bro_buf_get()

uchar* bro_buf_get ( BroBuf buf)

bro_buf_get - Returns pointer to actual start of buffer.

Parameters
bufbuffer pointer.
Returns
the entire buffer's contents.

◆ bro_buf_get_end()

uchar* bro_buf_get_end ( BroBuf buf)

bro_buf_get_end - Returns pointer to the end of the buffer.

Parameters
bufbuffer pointer.
Returns
a pointer to the first byte in the buffer that is not currently used.

◆ bro_buf_get_size()

uint bro_buf_get_size ( BroBuf buf)

bro_buf_get_size - Returns number of bytes allocated for buffer.

Parameters
bufbuffer pointer.
Returns
the number of actual bytes allocated for the buffer.

◆ bro_buf_get_used_size()

uint bro_buf_get_used_size ( BroBuf buf)

bro_buf_get_used_size - Returns number of bytes currently used.

Parameters
bufbuffer pointer.
Returns
number of bytes currently used.

◆ bro_buf_new()

BroBuf* bro_buf_new ( void  )

bro_buf_new - Creates a new buffer object.

Returns
a new buffer object, or NULL on error. Use paired with bro_buf_free().

◆ bro_buf_ptr_check()

int bro_buf_ptr_check ( BroBuf buf,
int  size 
)

bro_buf_ptr_check - Checks whether a number of bytes can be read.

Parameters
bufbuffer pointer.
sizenumber of bytes to check for availability.

The function checks whether size bytes could be read from the buffer using bro_buf_ptr_read().

Returns
TRUE if size bytes can be read, FALSE if not.

◆ bro_buf_ptr_get()

uchar* bro_buf_ptr_get ( BroBuf buf)

bro_buf_ptr_get - Returns current buffer content pointer.

Parameters
bufbuffer pointer.
Returns
current buffer content pointer.

◆ bro_buf_ptr_read()

int bro_buf_ptr_read ( BroBuf buf,
void *  data,
int  size 
)

bro_buf_ptr_read - Extracts a number of bytes from buffer.

Parameters
bufbuffer pointer.
datadestination area.
sizenumber of bytes to copy into data.

The function copies size bytes into data if the buffer has size bytes available from the current location of the buffer content pointer onward, incrementing the content pointer accordingly. If not, the function doesn't do anything. It behaves thus different from the normal read() in that it either copies the amount requested or nothing.

Returns
TRUE if size bytes were copied, FALSE if not.

◆ bro_buf_ptr_seek()

int bro_buf_ptr_seek ( BroBuf buf,
int  offset,
int  whence 
)

bro_buf_ptr_seek - Adjusts buffer content pointer.

Parameters
bufbuffer pointer.
offsetnumber of bytes by which to adjust pointer, positive or negative.
whencelocation relative to which to adjust.

The function adjusts the position of buf's content pointer. Call semantics are identical to fseek(), thus use offset to indicate the offset by which to jump and use SEEK_SET, SEEK_CUR, or SEEK_END to specify the position relative to which to adjust.

Returns
TRUE if adjustment could be made, FALSE if not (e.g. because the offset requested is not within legal bounds).

◆ bro_buf_ptr_tell()

uint32 bro_buf_ptr_tell ( BroBuf buf)

bro_buf_ptr_tell - Returns current offset of buffer content pointer.

Parameters
bufbuffer pointer.
Returns
current offset of buffer content pointer.

◆ bro_buf_ptr_write()

int bro_buf_ptr_write ( BroBuf buf,
void *  data,
int  size 
)

bro_buf_ptr_write - Writes a number of bytes into buffer.

Parameters
bufbuffer pointer.
datadata to write.
sizenumber of bytes to copy into data.

The function writes size bytes of the area pointed to by data into the buffer buf at the current location of its content pointer, adjusting the content pointer accordingly. If the buffer doesn't have enough space to receive size bytes, more space is allocated.

Returns
TRUE if size bytes were copied, FALSE if an error occurred and the bytes could not be copied.

◆ bro_buf_reset()

void bro_buf_reset ( BroBuf buf)

bro_buf_reset - resets the buffer.

Parameters
bufbuffer pointer.

The function resets the buffer pointers to the beginning of the currently allocated buffer, i.e., it marks the buffer as empty.

◆ bro_conf_get_dbl()

int bro_conf_get_dbl ( const char *  val_name,
double *  val 
)

bro_conf_get_dbl - Retrieves a double float from the configuration.

Parameters
val_namekey name for the value.
valresult pointer for the value.

The function tries to find a double float item named val_name in the configuration. If it is found, its value is placed into the double pointed to by val.

Returns
TRUE if val_name was found, FALSE otherwise.

◆ bro_conf_get_int()

int bro_conf_get_int ( const char *  val_name,
int *  val 
)

bro_conf_get_int - Retrieves an integer from the configuration.

Parameters
val_namekey name for the value.
valresult pointer for the value.

The function tries to find an integer item named val_name in the configuration. If it is found, its value is placed into the int pointed to by val.

Returns
TRUE if val_name was found, FALSE otherwise.

◆ bro_conf_get_str()

const char* bro_conf_get_str ( const char *  val_name)

bro_conf_get_str - Retrieves an integer from the configuration.

Parameters
val_namekey name for the value.

The function tries to find a string item named val_name in the configuration.

Returns
the config item if val_name was found, NULL otherwise. A returned string is stored internally and not to be modified. If you need to keep it around, strdup() it.

◆ bro_conf_set_domain()

void bro_conf_set_domain ( const char *  domain)

bro_conf_set_domain - Sets the current domain to use in a config file.

Parameters
domainname of the domain, or NULL.

Broccoli's config files are divided into sections. At the beginning of each config file you can have an unnamed section that will be used by default. Case is irrelevant. By passing NULL for domain, you select the default domain, otherwise the one that matches domain. domain is copied internally.

◆ bro_conn_adopt_events()

void bro_conn_adopt_events ( BroConn src,
BroConn dst 
)

bro_conn_adopt_events - Makes one connection send out the same events as another.

Parameters
srcBro connection handle for connection whose event list to adopt.
dstBro connection handle for connection whose event list to change.

The function makes the connection identified by dst use the same event mask as the one identified by src.

◆ bro_conn_alive()

int bro_conn_alive ( const BroConn bc)

bro_conn_alive - Reports whether a connection is currently alive or has died.

Parameters
bcBro connection handle.

This predicate reports whether the connection handle is currently usable for sending/receiving data or not, e.g. because the peer died. The function does not actively check and update the connection's state, it only reports the value of flags indicating its status. In particular, this means that when calling bro_conn_alive() directly after a select() on the connection's descriptor, bro_conn_alive() may return an incorrent value. It will however return the correct value after a subsequent call to bro_conn_process_input(). Also note that the connection is also dead after the connection handle is obtained and before bro_conn_connect() is called.

Returns
TRUE if the connection is alive, FALSE otherwise.

◆ bro_conn_connect()

int bro_conn_connect ( BroConn bc)

bro_conn_connect - Establish connection to peer.

Parameters
bcconnection handle.

The function attempts to set up and configure a connection to the peer configured when the connection handle was obtained.

Returns
TRUE on success, FALSE on failure.

◆ bro_conn_data_del()

void* bro_conn_data_del ( BroConn bc,
const char *  key 
)

bro_conn_data_del - Removes a data item.

Parameters
bcBro connection handle.
keyname of the data item.

The function tries to remove the data item with name key.

Returns
the removed data item if it exists, NULL otherwise.

◆ bro_conn_data_get()

void* bro_conn_data_get ( BroConn bc,
const char *  key 
)

bro_conn_data_get - Looks up a data item.

Parameters
bcBro connection handle.
keyname of the data item.

The function tries to look up the data item with name key and if found, returns it.

Returns
data item if lookup was successful, NULL otherwise.

◆ bro_conn_data_set()

void bro_conn_data_set ( BroConn bc,
const char *  key,
void *  val 
)

bro_conn_data_set - Puts a data item into the registry.

Parameters
bcBro connection handle.
keyname of the data item.
valdata item.

The function stores val under name key in the connection handle bc. key is copied internally so you do not need to duplicate it before passing.

◆ bro_conn_delete()

int bro_conn_delete ( BroConn bc)

bro_conn_delete - terminates and releases connection.

Parameters
bcBro connection handle.

This function will terminate the given connection if necessary and release all resources associated with the connection handle.

Returns
FALSE on error, TRUE otherwise.

◆ bro_conn_get_connstats()

void bro_conn_get_connstats ( const BroConn bc,
BroConnStats cs 
)

bro_conn_get_connstats - Reports connection properties.

Parameters
bcconnection handle.
csBroConnStats handle.

The function fills the BroConnStats structure provided via cs with information about the given connection.

◆ bro_conn_get_fd()

int bro_conn_get_fd ( BroConn bc)

bro_conn_get_fd - Returns file descriptor of a Bro connection.

Parameters
bcBro connection handle.

If you need to know the file descriptor of the connection (such as when select()ing it, etc.), use this accessor function.

Returns
file descriptor for connection bc, or negative value on error.

◆ bro_conn_get_packet_ctxt()

void bro_conn_get_packet_ctxt ( BroConn bc,
int *  link_type 
)

bro_conn_get_packet_ctxt - Gets current packet context for connection.

Parameters
bcconnection handle.
link_typeresult pointer for libpcap DLT linklayer type.

The function returns bc's current packet context through link_type.

◆ bro_conn_get_peer_class()

const char* bro_conn_get_peer_class ( const BroConn bc)

bro_conn_get_peer_class - Reports connection class indicated by peer.

Parameters
bcconnection handle.
Returns
a string containing the connection class indicated by the peer, if any, otherwise NULL.

◆ bro_conn_new()

BroConn* bro_conn_new ( struct in_addr *  ip_addr,
uint16  port,
int  flags 
)

bro_conn_new - Creates and returns a handle for a connection to a remote Bro.

Parameters
ip_addr4-byte IP address of Bro to contact, in network byte order.
portport of machine at ip_addr to contact, in network byte order.
flagsan or-combination of the BRO_CONN_xxx flags.

The function creates a new Bro connection handle for communication with Bro through a network. Depending on the flags passed in, the connection and its setup process can be adjusted. If you don't want to pass any flags, use BRO_CFLAG_NONE.

Returns
pointer to a newly allocated and initialized Bro connection structure. You need this structure for all other calls in order to identify the connection to Bro.

◆ bro_conn_new6()

BroConn* bro_conn_new6 ( struct in6_addr *  ip_addr,
uint16  port,
int  flags 
)

bro_conn_new6 - Creates and returns a handle for a connection to a remote Bro.

Parameters
ip_addr16-byte IPv6 address of Bro to contact, in network byte order.
portport of machine at ip_addr to contact, in network byte order.
flagsan or-combination of the BRO_CONN_xxx flags.

The function creates a new Bro connection handle for communication with Bro through a network. Depending on the flags passed in, the connection and its setup process can be adjusted. If you don't want to pass any flags, use BRO_CFLAG_NONE.

Returns
pointer to a newly allocated and initialized Bro connection structure. You need this structure for all other calls in order to identify the connection to Bro.

◆ bro_conn_new_socket()

BroConn* bro_conn_new_socket ( int  socket,
int  flags 
)

bro_conn_new_socket - Same as bro_conn_new(), but uses existing socket.

Parameters
socketopen socket.
flagsan or-combination of the BRO_CONN_xxx flags.

The function is identical to bro_conn_new(), but allows you to pass in an open socket to use for the communication. flags can be used to adjust the connection features and the setup process. If you don't want to pass any flags, use BRO_CFLAG_NONE.

Returns
pointer to a newly allocated and initialized Bro connection structure. You need this structure for all other calls in order to identify the connection to Bro.

◆ bro_conn_new_str()

BroConn* bro_conn_new_str ( const char *  hostname,
int  flags 
)

bro_conn_new_str - Same as bro_conn_new(), but accepts strings for hostname and port.

Parameters
hostnamestring describing the host and port to connect to.
flagsan or-combination of the BRO_CONN_xxx flags.

The function is identical to bro_conn_new(), but allows you to specify the host and port to connect to in a string as "<hostname>:<port>". flags can be used to adjust the connection features and the setup process. If you don't want to pass any flags, use BRO_CFLAG_NONE.

Returns
pointer to a newly allocated and initialized Bro connection structure. You need this structure for all other calls in order to identify the connection to Bro.

◆ bro_conn_process_input()

int bro_conn_process_input ( BroConn bc)

bro_conn_process_input - Processes input sent to the sensor by Bro.

Parameters
bcBro connection handle.

The function reads all input sent to the local sensor by the Bro peering at the connection identified by bc. It is up to you to find a spot in the application you're instrumenting to make sure this is called. This function cannot block. bro_conn_alive() will report the actual state of the connection after a call to bro_conn_process_input().

Returns
TRUE if any input was processed, FALSE otherwise.

◆ bro_conn_reconnect()

int bro_conn_reconnect ( BroConn bc)

bro_conn_reconnect - Drop the current connection and reconnect, reusing all settings.

Parameters
bcBro connection handle.

The functions drops the current connection identified by bc and attempts to establish a new one with all the settings associated with bc, including full handshake completion.

Returns
TRUE if successful, FALSE otherwise. No matter what the outcome, you can continue to use bc as normal (e.g. you have to release it using bro_conn_delete()).

◆ bro_conn_set_class()

void bro_conn_set_class ( BroConn bc,
const char *  classname 
)

bro_conn_set_class - Sets a connection's class identifier.

Parameters
bcconnection handle.
classnameclass identifier.

Broccoli connections can indicate that they belong to a certain class of connections, which is needed primarily if multiple Bro/Broccoli instances are running on the same node and connect to a single remote peer. You can set this class with this function, and you have to do so before calling bro_connect() since the connection class is determined upon connection establishment. You remain responsible for the memory pointed to by classname.

◆ bro_conn_set_packet_ctxt()

void bro_conn_set_packet_ctxt ( BroConn bc,
int  link_type 
)

bro_conn_set_packet_ctxt - Sets current packet context for connection.

Parameters
bcconnection handle.
link_typelibpcap DLT linklayer type.

The function sets the packet context for bc for future BroPackets handled by this connection.

◆ bro_ctx_init()

void bro_ctx_init ( BroCtx ctx)

bro_ctx_init - Initializes initialization context to default values.

Parameters
ctxpointer to a BroCtx structure.

◆ bro_event_add_val()

int bro_event_add_val ( BroEvent be,
int  type,
const char *  type_name,
const void *  val 
)

bro_event_add_val - Adds a parameter to an event.

Parameters
beevent to add to.
typenumerical type identifier (a BRO_TYPE_xxx constant).
type_nameoptional name of specialized type.
valvalue to add to event.

The function adds the given val to the argument list of event be. The type of val is derived from type, and may be specialized to the type named type_name. If type_name is not desired, use NULL.

val remains the caller's responsibility and is copied internally.

Returns
TRUE if the operation was successful, FALSE otherwise.

◆ bro_event_free()

void bro_event_free ( BroEvent be)

bro_event_free - Releases all memory associated with an event.

Parameters
beevent to release.

The function releases all memory associated with be. Note that you do NOT have to call this after sending an event.

◆ bro_event_new()

BroEvent* bro_event_new ( const char *  event_name)

bro_event_new - Creates a new empty event with a given name.

Parameters
event_namename of the Bro event.

The function creates a new empty event with the given name and returns it.

Returns
new event, or NULL if allocation failed.

◆ bro_event_queue_flush()

int bro_event_queue_flush ( BroConn bc)

bro_event_queue_flush - Tries to flush the send queue of a connection.

Parameters
bcBro connection handle.

The function tries to send as many queued events to the Bro agent as possible.

Returns
remaining queue length after flush.

◆ bro_event_queue_length()

int bro_event_queue_length ( BroConn bc)

bro_event_queue_length - Returns current queue length.

Parameters
bcBro connection handle.

Use this function to find out how many events are currently queued on the client side.

Returns
number of items currently queued.

◆ bro_event_queue_length_max()

int bro_event_queue_length_max ( BroConn bc)

bro_event_queue_length_max - Returns maximum queue length.

Parameters
bcBro connection handle.

Use this function to find out how many events can be queued before events start to get dropped.

Returns
maximum possible queue size.

◆ bro_event_registry_add()

void bro_event_registry_add ( BroConn bc,
const char *  event_name,
BroEventFunc  func,
void *  user_data 
)

bro_event_registry_add - Adds an expanded-argument event callback to the event registry.

Parameters
bcBro connection handle.
event_nameName of events that trigger callback.
funccallback to invoke.
user_datauser data passed through to the callback.

This function registers the callback func to be invoked when events of name event_name arrive on connection bc. user_data is passed along to the callback, which will receive it as the second parameter. You need to ensure that the memory user_data points to is valid during the time the callback might be invoked.

Note that this function only registers the callback in the state associated with bc. If you use bro_event_registry_add() and bc has not yet been connected via bro_conn_connect(), then no further action is required. bro_conn_connect() requests any registered event types. If however you are requesting additional event types after the connection has been established, then you also need to call bro_event_registry_request() in order to signal to the peering Bro that you want to receive those events.

◆ bro_event_registry_add_compact()

void bro_event_registry_add_compact ( BroConn bc,
const char *  event_name,
BroCompactEventFunc  func,
void *  user_data 
)

bro_event_registry_add_compact - Adds a compact-argument event callback to the event registry.

Parameters
bcBro connection handle.
event_nameName of events that trigger callback.
funccallback to invoke.
user_datauser data passed through to the callback.

This function registers the callback func to be invoked when events of name event_name arrive on connection bc. user_data is passed along to the callback, which will receive it as the second parameter. You need to ensure that the memory user_data points to is valid during the time the callback might be invoked. See bro_event_registry_add() for details.

◆ bro_event_registry_remove()

void bro_event_registry_remove ( BroConn bc,
const char *  event_name 
)

bro_event_registry_remove - Removes an event handler.

Parameters
bcBro connection handle.
event_nameevent to ignore from now on.

The function removes all callbacks for event event_name from the event registry for connection bc.

◆ bro_event_registry_request()

void bro_event_registry_request ( BroConn bc)

bro_event_registry_request - Notifies peering Bro to send events.

Parameters
bcBro connection handle.

The function requests the events you have previously requested using bro_event_registry_add() from the Bro listening on bc.

◆ bro_event_send()

int bro_event_send ( BroConn bc,
BroEvent be 
)

bro_event_send - Tries to send an event to a Bro agent.

Parameters
bcBro connection handle.
beevent to send.

The function tries to send be to the Bro agent connected through bc. Regardless of the outcome, you do NOT have to release the event afterwards using bro_event_free().

Returns
TRUE if the event got sent or queued for later transmission, FALSE on error. There are no automatic repeated send attempts (to minimize the effect on the code that Broccoli is linked to). If you have to make sure that everything got sent, you have to try to empty the queue using bro_event_queue_flush(), and also look at bro_event_queue_empty().

◆ bro_event_send_raw()

int bro_event_send_raw ( BroConn bc,
const uchar data,
int  data_len 
)

bro_event_send_raw - Enqueues a serialized event directly into a connection's send buffer.

Parameters
bcBro connection handle.
datapointer to serialized event data.
data_lenlength of buffer pointed to by data.

The function enqueues the given event data into bc's transmit buffer. data_len bytes at data must correspond to a single event.

Returns
TRUE if successful, FALSE on error.

◆ bro_event_set_val()

int bro_event_set_val ( BroEvent be,
int  val_num,
int  type,
const char *  type_name,
const void *  val 
)

bro_event_set_val - Replace a value in an event.

Parameters
beevent handle.
val_numnumber of the value to replace, starting at 0.
typenumerical type identifier (a BRO_TYPE_xxx constant).
type_nameoptional name of specialized type.
valvalue to put in.

The function replaces whatever value is currently stored in the event pointed to by be with the value specified through the type and val arguments. If the event does not currently hold enough values to replace one in position val_num, the function does nothing. If you want to indicate a type specialized from type, use type_name to give its name, otherwise pass NULL for type_name.

Returns
TRUE if successful, FALSE on error.

◆ bro_init()

int bro_init ( const BroCtx ctx)

bro_init - Initializes the library.

Parameters
ctxpointer to a BroCtx structure.

The function initializes the library. It MUST be called before anything else in Broccoli. Specific initialization context may be provided using a BroCtx structure pointed to by ctx. It may be omitted by passing NULL, for default values. See bro_init_ctx() for initialization of the context structure to default values.

Returns
TRUE if initialization succeeded, FALSE otherwise.

◆ bro_packet_clone()

BroPacket* bro_packet_clone ( const BroPacket packet)

bro_packet_clone - Clones a packet.

Parameters
packetpacket to clone.
Returns
a copy of packet, or NULL on error.

◆ bro_packet_free()

void bro_packet_free ( BroPacket packet)

bro_packet_free - Releases a packet.

Parameters
packetpacket to release.

The function releases all memory occupied by a packet previously allocated using bro_packet_new().

◆ bro_packet_new()

BroPacket* bro_packet_new ( const struct pcap_pkthdr *  hdr,
const u_char *  data,
const char *  tag 
)

bro_packet_new - Creates a new packet.

Parameters
hdrpointer to libpcap packet header.
datapointer to libpcap packet data.
tagpointer to ASCII tag (0 for no tag).
Returns
a new BroPacket by copying hdr and data internally. Release the resulting packet using bro_packet_free().

◆ bro_packet_send()

int bro_packet_send ( BroConn bc,
BroPacket packet 
)

bro_packet_send - Sends a packet over a given connection.

Parameters
bcconnection on which to send packet.
packetpacket to send.

The function sends packet to the Bro peer connected via bc.

Returns
TRUE if successful, FALSE otherwise.

◆ bro_record_add_val()

int bro_record_add_val ( BroRecord rec,
const char *  name,
int  type,
const char *  type_name,
const void *  val 
)

bro_record_add_val - Adds a value to a record.

Parameters
recrecord handle.
namefield name of the added val.
typenumerical type tag of the new val.
type_nameoptional name of specialized type.
valpointer to the new val.

The function adds a new field to the record pointed to by rec and assigns the value passed in to that field. The field name is given in name, the type of the value is given in type and must be one of the BRO_TYPE_xxx constants defined in broccoli.h. The type you give implies what data type val must be pointing to; see the manual for details. If you want to indicate a type specialized from type, use type_name to give its name, otherwise pass NULL for type_name. It is possible to leave fields unassigned, in that case, pass in NULL for val.

val remains the caller's responsibility and is copied internally.

Returns
TRUE on success, FALSE on error.

◆ bro_record_free()

void bro_record_free ( BroRecord rec)

bro_record_free - Releases a record.

Parameters
recrecord handle.

The function releases all memory consumed by the record pointed to by rec.

◆ bro_record_get_length()

int bro_record_get_length ( BroRecord rec)

bro_record_get_length - Returns number of fields in record.

Parameters
recrecord handle.
Returns
the number of fields in the record.

◆ bro_record_get_named_val()

void* bro_record_get_named_val ( BroRecord rec,
const char *  name,
int *  type 
)

bro_record_get_named_val - Retrieves a value from a record by field name.

Parameters
recrecord handle.
namefield name.
typevalue-result argument for the expected/actual type of the value.

The function returns the value of the field named name in the record pointed to by rec. The returned value is internal and needs to be duplicated if you want to keep it around. type works as with bro_record_get_nth_val(), see there for more details.

Returns
pointer to queried value on success, NULL on error.

◆ bro_record_get_nth_name()

const char* bro_record_get_nth_name ( BroRecord rec,
int  num 
)

bro_record_get_nth_name - Retrieves a name from a record by field index.

Parameters
recrecord handle.
numfield index, starting from 0.

The function returns the num'th name of the record pointed to by rec.

Returns
field name on success, NULL on error.

◆ bro_record_get_nth_val()

void* bro_record_get_nth_val ( BroRecord rec,
int  num,
int *  type 
)

bro_record_get_nth_val - Retrieves a value from a record by field index.

Parameters
recrecord handle.
numfield index, starting from 0.
typevalue-result argument for the expected/actual type of the value.

The function returns the num'th value of the record pointed to by rec, expected to be of type. The returned value is internal and needs to be duplicated if you want to keep it around. Upon return, the int pointed to by type tells you the type of the returned value, as a BRO_TYPE_xxx type tag. If the int pointed to upon calling the function has the value BRO_TYPE_UNKNOWN, no type checking is performed and the value is returned. If it is any other type tag, its value is compared to that of the value, and if they match, the value is returned. Otherwise, the return value is NULL. If you don't care about type enforcement and don't want to know the value's type, you may pass NULL for type.

Returns
pointer to queried value on success, NULL on error.

◆ bro_record_new()

BroRecord* bro_record_new ( void  )

bro_record_new - Creates a new record.

The function allocates and initializes a new empty record. BroRecords are used for adding and retrieving record values to/from events. You do not have to specify a record type separately when you create a record. The type is defined implicitly by the sequence of types formed by the sequence of values added to the record, along with the names for each value. See the manual for details.

Returns
a new record, or NULL on error.

◆ bro_record_set_named_val()

int bro_record_set_named_val ( BroRecord rec,
const char *  name,
int  type,
const char *  type_name,
const void *  val 
)

bro_record_set_named_val - Replaces a value in a record, identified by name.

Parameters
recrecord handle.
namefield name.
typeexpected type of the value.
type_nameoptional name of specialized type.
valpointer to new val.

The function replaces the value named name in the record pointed to by rec, expected to be of type. All values are copied internally so what val points to stays unmodified. The value of type implies what result must be pointing to. See the manual for details. If you want to indicate a type specialized from type, use type_name to give its name, otherwise pass NULL for type_name.

Returns
TRUE on success, FALSE on error.

◆ bro_record_set_nth_val()

int bro_record_set_nth_val ( BroRecord rec,
int  num,
int  type,
const char *  type_name,
const void *  val 
)

bro_record_set_nth_val - Replaces a value in a record, identified by field index.

Parameters
recrecord handle.
numfield index, starting from 0.
typeexpected type of the value.
type_nameoptional name of specialized type.
valpointer to new val.

The function replaces the num'th value of the record pointed to by rec, expected to be of type. All values are copied internally so what val points to stays unmodified. The value of type implies what result must be pointing to. See the manual for details. If you want to indicate a type specialized from type, use type_name to give its name, otherwise pass NULL for type_name.

Returns
TRUE on success, FALSE on error.

◆ bro_set_find()

int bro_set_find ( BroSet set,
const void *  key 
)

◆ bro_set_foreach()

void bro_set_foreach ( BroSet set,
BroSetCallback  cb,
void *  user_data 
)

◆ bro_set_free()

void bro_set_free ( BroSet set)

◆ bro_set_get_size()

int bro_set_get_size ( BroSet set)

◆ bro_set_get_type()

void bro_set_get_type ( BroSet set,
int *  type 
)

◆ bro_set_insert()

int bro_set_insert ( BroSet set,
int  type,
const void *  val 
)

◆ bro_set_new()

BroSet* bro_set_new ( void  )

◆ bro_string_assign()

void bro_string_assign ( BroString src,
BroString dst 
)

bro_string_assign - Duplicates a BroString's content, assigning it to an existing one.

Parameters
srcsource string.
dsttarget string.

Copies the string content pointed to by src into the existing BroString pointed to by dst. bro_string_cleanup() is called on dst before the assignment.

◆ bro_string_cleanup()

void bro_string_cleanup ( BroString bs)

bro_string_cleanup - Cleans up existing BroString.

Parameters
bsstring pointer.

This function releases all contents claimed by the BroString pointed to by bs, without releasing that BroString structure itself. Use this when manipulating a BroString on the stack, paired with bro_string_init().

◆ bro_string_copy()

BroString* bro_string_copy ( BroString bs)

bro_string_copy - Duplicates a BroString.

Parameters
bsstring pointer.
Returns
a deep copy of the BroString pointed to by bs, or NULL on error.

◆ bro_string_free()

void bro_string_free ( BroString bs)

bro_string_free - Cleans up dynamically allocated BroString.

Parameters
bsstring pointer.

This function releases the entire BroString pointed to by bs, including the BroString structure itself.

◆ bro_string_get_data()

const uchar* bro_string_get_data ( const BroString bs)

bro_string_get_data - Returns pointer to the string data.

Parameters
bsstring pointer.

The function returns a pointer to the string's internal data. You can copy out the string using this function in combination with bro_string_get_length(), for obtaining the string's length.

Returns
pointer to string, or NULL on error.

◆ bro_string_get_length()

uint32 bro_string_get_length ( const BroString bs)

bro_string_get_length - Returns string's length.

Parameters
bsstring pointer.
Returns
the string's length.

◆ bro_string_init()

void bro_string_init ( BroString bs)

bro_string_init - Initializes an existing string structure.

Parameters
bsstring pointer.

The function initializes the BroString pointed to by bs. Use this function before using the members of a BroString you're using on the stack.

◆ bro_string_set()

int bro_string_set ( BroString bs,
const char *  s 
)

bro_string_set - Sets a BroString's contents.

Parameters
bsstring pointer.
sC ASCII string.

The function initializes the BroString pointed to by bs to the string given in s. s's content is copied, so you can modify or free s after calling this, and you need to call bro_string_cleanup() on the BroString pointed to by bs.

Returns
TRUE if successful, FALSE otherwise.

◆ bro_string_set_data()

int bro_string_set_data ( BroString bs,
const uchar data,
int  data_len 
)

bro_string_set_data - Sets a BroString's contents.

Parameters
bsstring pointer.
dataarbitrary data.
data_lenlength of data.

The function initializes the BroString pointed to by bs to data_len bytes starting at data. data's content is copied, so you can modify or free data after calling this.

Returns
TRUE if successful, FALSE otherwise.

◆ bro_table_find()

void* bro_table_find ( BroTable tbl,
const void *  key 
)

◆ bro_table_foreach()

void bro_table_foreach ( BroTable tbl,
BroTableCallback  cb,
void *  user_data 
)

◆ bro_table_free()

void bro_table_free ( BroTable tbl)

◆ bro_table_get_size()

int bro_table_get_size ( BroTable tbl)

◆ bro_table_get_types()

void bro_table_get_types ( BroTable tbl,
int *  key_type,
int *  val_type 
)

◆ bro_table_insert()

int bro_table_insert ( BroTable tbl,
int  key_type,
const void *  key,
int  val_type,
const void *  val 
)

◆ bro_table_new()

BroTable* bro_table_new ( void  )

◆ bro_util_current_time()

double bro_util_current_time ( void  )

bro_util_current_time - Gets current time.

Returns
the current system time as a double, in seconds, suitable for passing to bro_event_add_time().

◆ bro_util_is_v4_addr()

int bro_util_is_v4_addr ( const BroAddr a)

bro_util_is_v4_addr - Checks if an address is IPv4.

Parameters
apointer to address structure.
Returns
TRUE if the address is IPv4, else FALSE.

◆ bro_util_timeval_to_double()

double bro_util_timeval_to_double ( const struct timeval *  tv)

bro_util_timeval_to_double - Converts timeval struct to double.

Parameters
tvpointer to timeval structure.
Returns
a double encoding the timestamp given in tv in a floating point double, with the fraction of a second between 0.0 and 1.0.

◆ bro_vector_add_val()

int bro_vector_add_val ( BroVector vec,
int  type,
const char *  type_name,
const void *  val 
)

bro_vector_add_val - Adds a value to a vector.

Parameters
vecvector handle.
typenumerical type tag of the new val.
type_nameoptional name of specialized type.
valpointer to the new val.

The function adds a new element to the vector pointed to by vec and assigns the value passed in to that field. The type of the value is given in type and must be one of the BRO_TYPE_xxx constants defined in broccoli.h. The type you give implies what data type val must be pointing to; see the manual for details. If you want to indicate a type specialized from type, use type_name to give its name, otherwise pass NULL for type_name. It is possible to leave fields unassigned, in that case, pass in NULL for val.

val remains the caller's responsibility and is copied internally.

Returns
TRUE on success, FALSE on error.

◆ bro_vector_free()

void bro_vector_free ( BroVector vec)

bro_vector_free - Releases a vector.

Parameters
vecvector handle.

The function releases all memory consumed by the vector pointed to by vec.

◆ bro_vector_get_length()

int bro_vector_get_length ( BroVector vec)

bro_vector_get_length - Returns number of elements in vector.

Parameters
vecvector handle.
Returns
the number of elements in the vector.

◆ bro_vector_get_nth_val()

void* bro_vector_get_nth_val ( BroVector vec,
int  num,
int *  type 
)

bro_vector_get_nth_val - Retrieves a value from a vector by index.

Parameters
vecvector handle.
numindex, starting from 0.
typevalue-result argument for the expected/actual type of the value.

The function returns the num'th value of the vector pointed to by vec, expected to be of type. The returned value is internal and needs to be duplicated if you want to keep it around. Upon return, the int pointed to by type tells you the type of the returned value, as a BRO_TYPE_xxx type tag. If the int pointed to upon calling the function has the value BRO_TYPE_UNKNOWN, no type checking is performed and the value is returned. If it is any other type tag, its value is compared to that of the value, and if they match, the value is returned. Otherwise, the return value is NULL. If you don't care about type enforcement and don't want to know the value's type, you may pass NULL for type.

Returns
pointer to queried value on success, NULL on error.

◆ bro_vector_new()

BroVector* bro_vector_new ( void  )

bro_vector_new - Creates a new vector.

The function allocates and initializes a new empty vector.

Returns
a new vector, or NULL on error.

◆ bro_vector_set_nth_val()

int bro_vector_set_nth_val ( BroVector vec,
int  num,
int  type,
const char *  type_name,
const void *  val 
)

bro_vector_set_nth_val - Replaces a value in a vector, identified by index.

Parameters
vecvector handle.
numindex, starting from 0.
typeexpected type of the value.
type_nameoptional name of specialized type.
valpointer to new val.

The function replaces the num'th value of the vector pointed to by vec, expected to be of type. All values are copied internally so what val points to stays unmodified. The value of type implies what result must be pointing to. See the manual for details. If you want to indicate a type specialized from type, use type_name to give its name, otherwise pass NULL for type_name.

Returns
TRUE on success, FALSE on error.

Variable Documentation

◆ bro_debug_calltrace

int bro_debug_calltrace

bro_debug_calltrace - Debugging output switch for call tracing.

If you have debugging support built in (i.e., your package was configured with –enable-debug), you can enable/disable debugging output for call tracing by setting this to 0 (off) or 1 (on). Default is off.

◆ bro_debug_messages

int bro_debug_messages

bro_debug_messages - Output switch for debugging messages.

If you have debugging support built in (i.e., your package was configured with –enable-debug), you can enable/disable debugging messages by setting this to 0 (off) or 1 (on). Default is off.

◆ BRO_IPV4_MAPPED_PREFIX

const uint8 BRO_IPV4_MAPPED_PREFIX[12]

The standard 12-byte prefix of a 16-byte IPv6 address that indicates it's a mapped IPv4 address.