    # declaring global variables
    # no need to put quotes around addr or subnet variable definitions
    global ipv4_host:addr = 1.1.1.1;
    global ipv4_net:subnet = 1.1.0.0/16;
    event bro_init()
        {
        if (ipv4_host in ipv4_net)
            {
            # addr and subnet types are autoconverted to strings with fmt
            print fmt("%s is in network %s",ipv4_host,ipv4_net);
            }
        else
            {
            print fmt("host %s is not in network %s",ipv4_host,ipv4_net);
            }
        }
Running this from the CLI, we get the expected output:
jswan@so12a:~/bro$ bro addr_net_types.bro
1.1.1.1 is in network 1.1.0.0/16
Bro also has several interesting built-in functions for working with network data that we'll explore in upcoming posts. For now, we'll take a look at the mask_addr function, which allows you to use Bro as an improvised subnet calculator. You can run a Bro micro-script from the CLI with the -e option, just like the -e flag in Perl or the -c flag in Python:
jswan@so12a:~/bro$ bro -e "print mask_addr(10.18.32.199,14);"
10.16.0.0/14
jswan@so12a:~/bro$ bro -e "print mask_addr(10.18.32.199,31);"
10.18.32.198/31
Great for those late-night subnetting sessions after too many microbrews!
Just in case you were wondering: all of this works natively for IPv6, with some changes to the syntax:
jswan@so12a:~/bro$ bro -e "print [fe80::1db9] in [fe80::]/64;"
T # T is the way Bro outputs "True" in a Boolean test
We'll look at some more IPv6 stuff in an upcoming post.
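The membership test and mask_addr shown above can be combined into a small watch-list check. This is an added example, not code from the original post; it goes one step beyond the post by testing an addr against a set[subnet] rather than a single subnet. The names watched_nets and sample_hosts and every address in it are constructed for illustration.

```bro
# Added example: all names and addresses below are constructed samples.

# Hypothetical watch list mixing IPv4 and IPv6 subnets.
global watched_nets: set[subnet] = {
    10.16.0.0/14,
    192.168.0.0/16,
    [fe80::]/64
};

# Constructed hosts to classify against the watch list.
global sample_hosts: vector of addr = vector(
    10.18.32.199,
    1.1.1.1,
    192.168.7.20,
    [fe80::1db9],
    [2001:db8::1]
);

event bro_init()
    {
    for ( i in sample_hosts )
        {
        local h = sample_hosts[i];

        # An addr is "in" a set[subnet] when any member subnet contains it.
        local verdict = (h in watched_nets) ? "watched" : "not watched";

        # Summarize each host by its enclosing network using mask_addr:
        # a /24 for IPv4 hosts, a /64 for IPv6 hosts.
        local summary = is_v4_addr(h) ? mask_addr(h, 24) : mask_addr(h, 64);

        print fmt("%s (%s) is %s", h, summary, verdict);
        }
    }
```

Save it to a file and run it with bro from the CLI, the same way as addr_net_types.bro above.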