Deficiency: Bro currently supports only a very simple notion of files. You can only write to files; you can't read from them. Files are also essentially untyped: the only values you can write to them are strings or values that can be converted to string.
You declare file variables simply as type file:
global f: file;
You can create values of type file by using the open function:
f = open("suspicious_info.log");
will create (or recreate, if it already exists) the file suspicious_info.log and open it for writing. You can also use to append to an existing file (or create a new one, if it doesn't exist).
You write to files using the print statement:
print f, 5 * 6;
will print the text 30 to the file corresponding to the value of f.
There is no restriction regarding how many files you can have open at a
given time. This holds even if your system has a limit imposed by
RLIMIT_NOFILE, as set by the system call setrlimit.
If, however, you want to close a file, you can do so using close,
and you can test whether a file is open using active-file.
Finally, you can control whether a file is buffered using set-buf,
and can flush the buffers of all open files using flush-all.
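The following script is an added example, not part of the original manual text, that combines the operations above to keep an unbuffered alert log whose records can be read while Bro is still running. It assumes the script-level spellings active_file, set_buf and flush_all for the functions named above, and uses the standard connection_rejected event and the fmt and network_time built-ins, which this page does not cover; susp_log and log_suspicious are hypothetical names.

```bro
# Added example: susp_log and log_suspicious are illustrative names.
global susp_log: file;

function log_suspicious(msg: string)
	{
	# Only write while the file is still open.
	if ( active_file(susp_log) )
		print susp_log, fmt("%s %s", network_time(), msg);
	}

event bro_init()
	{
	# Creates (or recreates) the log and opens it for writing.
	susp_log = open("suspicious_info.log");

	# Turn buffering off so each record is written as soon as it is printed.
	set_buf(susp_log, F);
	}

event connection_rejected(c: connection)
	{
	log_suspicious(fmt("rejected %s -> %s:%s",
	                   c$id$orig_h, c$id$resp_h, c$id$resp_p));
	}

event bro_done()
	{
	# Flush every open file, then release this one explicitly.
	flush_all();
	close(susp_log);
	}
```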