A definition of a record type has the following syntax:
record { field^+ }
(that is, the keyword record followed by one or more fields
enclosed in braces), where a field has the syntax:
identifier : type field-attributes^* ;
identifier : type field-attributes^* ,
Each field has a name given by the identifier (which can be the same
as the identifier of an existing variable or a field in another record).
Field names must follow the same syntax as that for Bro variable names (see Variables),
namely they must begin with a letter or
an underscore (“_”) followed by zero or more letters, underscores,
or digits. Bro reserved words such as if or event cannot
be used for field names. Field names are
case-sensitive.
Each field holds a value of the given type. We discuss the optional Finally, you can use either a semicolon or a comma to terminate the definition of a record field.
For example, the following record type:
type conn_id: record {
    orig_h: addr;  # Address of originating host.
    orig_p: port;  # Port used by originator.
    resp_h: addr;  # Address of responding host.
    resp_p: port;  # Port used by responder.
};
is used throughout Bro scripts to denote a connection identifier
by specifying the connection's originating and responding addresses
and ports. It has four fields: orig_h and resp_h of type
addr, and orig_p and resp_p of type port.
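The field rules above (name syntax, reserved words, case sensitivity, and either terminator) can be checked mechanically. The following Python sketch is an added example, not part of Bro or of the original page; parse_record and error_for are hypothetical names, the reserved-word set holds only the two words the text mentions, and it assumes no semicolon or comma appears inside a field's type or attributes.

```python
import re

# Name rule from the text: a letter or underscore, then letters, underscores or digits.
IDENT = r"[A-Za-z_][A-Za-z0-9_]*"
# Only the two reserved words the text names; Bro's full list is longer (partial by design).
RESERVED = {"if", "event"}
# identifier : type field-attributes* terminated by ';' or ','.
# Assumption: no ';' or ',' inside the type or attributes.
FIELD = re.compile(r"\s*([^\s:]+)\s*:\s*([^;,]+?)\s*[;,]")
RECORD = re.compile(r"\s*(?:type\s+%s\s*:\s*)?record\s*\{(.*)\}\s*;?\s*" % IDENT, re.S)

def parse_record(text):
    """Return [(field_name, type_and_attributes), ...] or raise ValueError."""
    m = RECORD.fullmatch(re.sub(r"#.*", "", text))  # strip '#' comments first
    if not m:
        raise ValueError("expected: record { field+ }")
    body, fields, pos = m.group(1), [], 0
    while body[pos:].strip():
        f = FIELD.match(body, pos)
        if not f:
            raise ValueError("malformed or unterminated field")
        name, ftype = f.groups()
        if not re.fullmatch(IDENT, name):
            raise ValueError("invalid field name: " + name)
        if name in RESERVED:
            raise ValueError("reserved word used as field name: " + name)
        fields.append((name, ftype))  # names compared as written: case-sensitive
        pos = f.end()
    if not fields:
        raise ValueError("a record needs one or more fields")
    return fields

def error_for(text):
    try:
        parse_record(text)
    except ValueError as e:
        return str(e)  # rejection reason
    return None        # text parsed cleanly

# Constructed input: the page's conn_id with two ';' terminators swapped for ','.
CONN_ID = """type conn_id: record {
    orig_h: addr;  # Address of originating host.
    orig_p: port;  # Port used by originator.
    resp_h: addr,  # Address of responding host.
    resp_p: port,  # Port used by responder.
};"""

if __name__ == "__main__":
    print(parse_record(CONN_ID))
```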