New script misc/dump-events.bro, along with core support, that dumps events Bro is raising

in an easily readable form. This is for debugging purposes, obviously. Example, including only SMTP events: > bro -r smtp.trace misc/dump-events.bro DumpEvents::include=/smtp/ [...] 1254722768.219663 smtp_reply [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, [...] [1] is_orig: bool = F [2] code: count = 220 [3] cmd: string = > [4] msg: string = xc90.websitewelcome.com ESMTP Exim 4.69 #1 Mon, 05 Oct 2009 01:05:54 -0500 [5] cont_resp: bool = T 1254722768.219663 smtp_reply [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, [...] [1] is_orig: bool = F [2] code: count = 220 [3] cmd: string = > [4] msg: string = We do not authorize the use of this system to transport unsolicited, [5] cont_resp: bool = T [...]
2025-10-15 13:08:20 +00:00 · 2013-11-22 14:17:15 -08:00 · 2013-11-22 14:17:15 -08:00 · de9f03b0bf
commit de9f03b0bf
parent 08c7dd3d71
7 changed files with 126 additions and 0 deletions
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@ -529,6 +529,24 @@ type record_field: record {
 ##    directly and then remove this alias.
 type record_field_table: table[string] of record_field;

+## Meta-information about a parameter to a function/event.
+##
+## .. bro:see:: call_argument_event new_event
+type call_argument: record {
+	name: string;	##< The name of the parameter.
+	type_name: string;	##< The name of the parameters's type.
+	default_val: any &optional;	##< The value of the :bro:attr:`&default` attribute if defined.
+
+	## The value of the parameter as passed into a given call instance. Might be unset
+	## in the case a :bro:attr:`&default` attribute is defined. 
+	value: any &optional;
+};
+
+## Vector type used to capture parameters of a function/event call.
+## 
+## .. bro:see:: call_argument new_event
+type call_argument_vector: vector of call_argument;
+
 # todo:: Do we still need these here? Can they move into the packet filter
 # framework?
 #
--- a/scripts/policy/misc/dump-events.bro
+++ b/scripts/policy/misc/dump-events.bro
@ -0,0 +1,35 @@
+
+module DumpEvents;
+
+export {
+	# If true, include event argument in output.
+	const include_args = T &redef;
+
+	# Only include events matching the given pattern into output.
+	const include = /.*/ &redef;
+}
+
+event new_event(name: string, args: call_argument_vector)
+	{
+	if ( include !in name )
+		return;
+
+	if ( ! include_args || |args| == 0 )
+		return;
+
+	print fmt("%.6f %s", network_time(), name);
+
+	for ( i in args )
+		{
+		local a = args[i];
+		
+		local proto = fmt("%s: %s", a$name, a$type_name);
+		
+		if ( a?$value )
+			print fmt("                  [%d] %-15s = %s", i, proto, a$value);
+		else
+			print fmt("                  | %-15s = %s [default]", proto, a$value);
+		}
+
+	print "";
+	}