Bro provides a number of C-like operators (+, -, *, /, %, !, &&, ||, ?:, relationals like <=) with which we assume the reader is familiar, and will not detail here. Assignment is done using =, table and set indexing with [], and function invocation and event generation with (). Numeric variables can be incremented and decremented using ++ and --. Record fields are accessed using $, to avoid ambiguity with hostname constants. Assignment of aggregate values is shallow: the newly-assigned variable refers to the same aggregate value as the right-hand side of the assignment expression. This choice was made to facilitate performance; we have not yet been bitten by the semantics (which differ from C). We may in the future add a copy operator to construct "deep" copies.
From the perspective of C, the only novel operators are in and !in. These infix operators yield bool values depending on whether or not a given index is in a given table or set. For example, if sensitive_services is a set indexed by a single port, then
    23/tcp in sensitive_services
returns true if the set has an element corresponding to an index of TCP port 23, false if it does not have such an element. Similarly, if RPC_okay is a set (or table) indexed by a source address, a destination address, and an RPC service number (a count), then
    [src_addr, dst_addr, serv] in RPC_okay
yields true if the given ordered triple is present as an index into RPC_okay. The !in operator simply returns the boolean negation of the in operator.
Presently, indexing a table or set with a value that does not correspond to one of its elements leads to a run-time error, so such operations need to be preceded by in tests. We find this not entirely satisfying, and plan to add a mechanism for optionally specifying the action to take in such cases on a per-table basis.
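The guard-before-index pattern from the paragraph above, combined with the in tests and the shallow-assignment semantics described earlier, as an added example (not code from the paper) written in the syntax of present-day Zeek, Bro's successor. Apart from sensitive_services and RPC_okay, every name and address in it (attempts, note_service, rpc_allowed, alias) is an assumption constructed for illustration.

```zeek
# Constructed sample data; every name other than sensitive_services and
# RPC_okay is an assumption made for this example.
global sensitive_services: set[port] = { 23/tcp, 513/tcp };
global RPC_okay: set[addr, addr, count] = { [10.0.0.5, 10.0.0.9, 100003] };
global attempts: table[addr] of count;

# Count contacts to sensitive services per source address.
function note_service(src: addr, p: port)
    {
    if ( p !in sensitive_services )
        return;

    # Reading attempts[src] for an absent index is a run-time error,
    # so create the element before incrementing it.
    if ( src !in attempts )
        attempts[src] = 0;

    ++attempts[src];
    print fmt("%s -> %s: %d sensitive contact(s)", src, p, attempts[src]);
    }

# Membership test on an ordered triple: argument order matters.
function rpc_allowed(src: addr, dst: addr, serv: count): bool
    {
    return [src, dst, serv] in RPC_okay;
    }

event zeek_init()
    {
    note_service(192.0.2.7, 23/tcp);
    note_service(192.0.2.7, 513/tcp);
    note_service(192.0.2.7, 80/tcp);    # not in the set, so not counted

    print rpc_allowed(10.0.0.5, 10.0.0.9, 100003);
    print rpc_allowed(10.0.0.9, 10.0.0.5, 100003);    # reversed triple

    # Shallow assignment: alias and attempts refer to the same table,
    # so an element added through alias is visible through attempts.
    local alias = attempts;
    alias[198.51.100.1] = 1;
    print 198.51.100.1 in attempts;
    }
```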
Finally, Bro includes a number of predefined functions to perform operations not directly available in the language. Some of the more interesting: fmt provides sprintf-style formatting for use in printing or manipulating strings; edit returns a copy of a string that has been edited using the given editing characters (currently it only knows about single-character deletions); mask_addr takes an addr and returns another addr corresponding to its top n bits; open and close manipulate files; network_time returns the timestamp of the most recently received packet; getenv provides access to environment variables; skip_further_processing marks a connection as not requiring any further analysis; set_record_packets instructs the event engine whether or not to record any of a connection's future packets (though SYN/FIN/RST are always recorded); and parse_ftp_port takes an FTP "PORT" command and returns a record with the corresponding addr and port.