Once you've built Bro, you can run it interactively to try out simple facets of the policy language. Note that in this mode, Bro is not reading network traffic, so you cannot do any traffic analysis; this mode is simply to try out Bro language features.
You run Bro interactively by simply executing “bro” without any arguments. It then reads from stdin and writes to stdout.
Try typing the following to it:
print "hello, world";
^D
(i.e., end of file)

(The end-of-file is critical to remember. It's also a bit annoying for interactive evaluation, but reflects the fact that Bro is not actually meant for interactive use; it simply works as a side effect of Bro's structure.)

Bro will respond by printing:

hello, world

to stdout and exiting.
You can further declare variables and print expressions, for example:
global a = telnet;
print a, a > ftp;
print www.microsoft.com;

will print

23/tcp, T
207.46.230.229, 207.46.230.219, 207.46.230.218
(FIXME: this example needs to be updated. Format has changed.)
where 23/tcp reflects the fact that telnet is a predefined variable whose value is TCP port 23, T is the result of the comparison a > ftp (port 23 is larger than TCP port 21, i.e., ftp), and the DNS name www.microsoft.com currently resolves to the above three addresses.
You can also define functions:
function top18bits(a: addr): addr
	{
	return mask_addr(a, 18);
	}
print top18bits(128.3.211.7);

prints

128.3.192.0
and even event handlers:
event bro_done() { print "all done!"; }
which prints “all done!” when Bro exits.
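Putting these pieces together, here is an added example script (not from the original manual) that can be fed to bro on stdin, followed by end-of-file; the set, the helper functions and the sample addresses are all constructed for illustration.

```bro
# Added example, not from the original manual: exercises globals,
# functions and an event handler in one script. Run with "bro" reading
# stdin, and remember to send end-of-file (^D) afterwards.

# A set of ports for interactive login services; 23/tcp is the same
# value as the predefined variable "telnet".
global login_ports: set[port] = { 23/tcp, 22/tcp };

# Generalisation of top18bits(): keep the top n bits of an address.
function prefix(a: addr, n: count): addr
	{
	return mask_addr(a, n);
	}

# True if a and b fall in the same /n network.
function same_network(a: addr, b: addr, n: count): bool
	{
	return prefix(a, n) == prefix(b, n);
	}

# bro_done() runs when Bro exits, i.e. once it has read end-of-file,
# so this is where the results are printed.
event bro_done()
	{
	# Constructed sample addresses: the first two share a /18, the third does not.
	print fmt("%s has /18 prefix %s", 128.3.211.7, prefix(128.3.211.7, 18));
	print same_network(128.3.211.7, 128.3.200.1, 18);
	print same_network(128.3.211.7, 128.3.100.1, 18);

	# Set membership: telnet is a login port, http is not.
	print 23/tcp in login_ports, 80/tcp in login_ports;

	print "all done!";
	}
```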