[Bro] howto: getting the port number only

Jake Mailinglists jbabbinlists at gmail.com
Tue Sep 18 10:49:21 PDT 2007


Mel,
You should be able to split the string into an array and use only the part
you want.

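Ex.
# c$id$resp_p is a port value; fmt() renders it as a string such as "443/tcp"
local dst_port_proto = fmt("%s", c$id$resp_p);
# taking the connection destination port/proto pairing and splitting it into
# an array with the split occurring on the "/"
local port_pair = split(dst_port_proto, /\//);
local port_num = port_pair[1];    # number part, still a string, e.g. "443"
local port_proto = port_pair[2];  # protocol part, e.g. "tcp"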

Jake



On 9/18/07, mel at hackinthebox.org <mel at hackinthebox.org> wrote:
>
> Hi all,
>
>
> I have: global destinations: set[addr,port];
>
> The port data type will store port information in the following format:
>
> 443/tcp, 22/tcp, 53/udp, etc.
>
> However, I'm only interested in the port number, not the protocol. How do
> I get the port number only?
>
> --mel
>
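
The same result using built-in port functions instead of string splitting, as an added example that is not part of the original thread. It assumes a current Zeek release (the successor to Bro), where port_to_count() and get_port_transport_proto() are available; dst_port_numbers is a hypothetical name.

```zeek
# Added example; assumes a current Zeek release, not the 2007 Bro in the thread.
global destinations: set[addr, port];

# Hypothetical name: numeric responder ports seen per host, protocol dropped.
global dst_port_numbers: table[addr] of set[count];

# new_connection fires for TCP, UDP and ICMP flows alike.
event new_connection(c: connection)
    {
    add destinations[c$id$resp_h, c$id$resp_p];
    }

event zeek_done()
    {
    for ( [a, p] in destinations )
        {
        # port_to_count() returns the number as a count, so no string
        # formatting or splitting is needed.
        local n = port_to_count(p);

        if ( a !in dst_port_numbers )
            dst_port_numbers[a] = set();

        # 53/tcp and 53/udp both collapse to 53 here; keep the protocol
        # alongside the number if a later check must tell them apart.
        add dst_port_numbers[a][n];

        print fmt("%s %d %s", a, n, get_port_transport_proto(p));
        }
    }
```

Because the number comes back as a count rather than a string, it can be compared or range-checked directly (for example, n < 1024).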