[Bro] Converting a Bro Script to A New Stream

Mike Sconzo sconzo at visiblerisk.com
Mon Aug 27 21:14:24 PDT 2012


I've got a general question around this idea. When is it best to
create a log filter vs. creating a log file with just the information
you want in it vs. adding an additional field to an existing log?

I'm curious because I would have approached this the same way (an
output log for the data I was interested in), but you mentioned that
for this case the filter was the better way to do this.

Any insight would be appreciated.

Thanks!

On Mon, Aug 20, 2012 at 9:42 AM, Seth Hall <seth at icir.org> wrote:
>
> On Aug 16, 2012, at 5:32 PM, Chris Crawford <christopher.p.crawford at gmail.com> wrote:
>
>> redef record rec += {
>>        foo: Info &optional;
>> };
>
>> error in ./test.bro, line 22: unknown identifier (Foo::rec)
>> error in ./test.bro, line 35 and ./test.bro, line 39: already defined (Foo::rec)
>
> I don't think you need that little chunk of code I left above.  We do that in many base scripts as a way of hiding protocol specific information within the connection record.  There is no existing record type named "rec" though and it doesn't look like you need to hide this information anywhere since you are deriving all of your log directly from data in the DNS::log_dns event.
>
> There is a better way to do this though and it was something we specifically considered in the logging framework.  Here's a log filter you can run that will give you the log you want…
>
> event bro_init()
>         {
>         local filter: Log::Filter = [
>                 $name="only-1.2.3.4",
>                 $path="foo",
>                 $pred(rec: DNS::Info) = {
>                         if ( rec?$qtype_name && rec?$answers &&
>                              rec$qtype_name == "A" )
>                                 {
>                                 for ( i in rec$answers )
>                                         if ( "1.2.3.4" in rec$answers[i] )
>                                                 return T;
>                                 }
>                         return F;
>                 },
>                 $include=set("ts", "uid", "id.orig_h", "query")];
>         Log::add_filter(DNS::LOG, filter);
>         }
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro



-- 
cat ~/.bash_history > documentation.txt
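The two alternatives Mike's question contrasts with Seth's filter, written out as an added example (not code from either message, and not part of Bro's own scripts): a separate `foo.log` stream driven from the `DNS::log_dns` event, and an extra column on the existing `dns.log` set from a `dns_A_reply` handler. It assumes the Bro 2.x `base/protocols/dns` script (the `DNS::Info` record with `ts`, `uid`, `id`, `qtype_name`, `answers`, the `DNS::log_dns` event, and the log write happening in `dns_end` at priority -5, so a default-priority `dns_A_reply` handler runs before the record is written); the module name `Foo`, the `watch_addr` constant and the `flagged` field are invented here, and `1.2.3.4` is the address from Seth's filter.

```bro
# Added example: the alternatives to a Log::Filter discussed in the thread.
# Assumes Bro 2.x and base/protocols/dns; Foo, watch_addr and flagged are
# names chosen for this example.
module Foo;

export {
	# Alternative 1: a separate stream (foo.log) holding only the
	# fields we care about.  Column names are the &log record fields.
	redef enum Log::ID += { LOG };

	type Info: record {
		ts:     time   &log;
		uid:    string &log;
		orig_h: addr   &log;
		query:  string &log;
	};

	# Alternative 2: one extra column on the existing dns.log.  Every
	# dns.log line gets it; &default keeps it from being '-' on misses.
	redef record DNS::Info += {
		flagged: bool &log &default=F;
	};

	# Address of interest, taken from the filter in the quoted reply.
	const watch_addr = 1.2.3.4 &redef;
}

event bro_init()
	{
	# Without $ev the new stream raises no event of its own.
	Log::create_stream(Foo::LOG, [$columns=Info]);
	}

# Same test as the $pred in the quoted filter: an A query whose answer
# list contains watch_addr (string 'in' is a substring test in Bro).
function matches(rec: DNS::Info): bool
	{
	if ( ! (rec?$qtype_name && rec?$answers && rec$qtype_name == "A") )
		return F;

	for ( i in rec$answers )
		if ( fmt("%s", watch_addr) in rec$answers[i] )
			return T;

	return F;
	}

# Alternative 1: DNS::log_dns fires once per dns.log line, so every
# matching line also becomes a line in foo.log.  Note that dns.log is
# still written in full; the filter approach above avoids that.
event DNS::log_dns(rec: DNS::Info)
	{
	if ( matches(rec) )
		Log::write(Foo::LOG, [$ts=rec$ts, $uid=rec$uid,
		                      $orig_h=rec$id$orig_h, $query=rec$query]);
	}

# Alternative 2: set the column while the transaction is still open.
# The base script fills c$dns$answers at priority 5 and writes the
# record in dns_end at priority -5, so default priority sits in between.
event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
	{
	if ( c?$dns && a == watch_addr )
		c$dns$flagged = T;
	}
```

The flag cannot be set from inside `DNS::log_dns`: that event is queued by `Log::write` after the record has already been converted for the writers, so a change made there never reaches `dns.log`. That is why the column is populated from the protocol event instead, and why Seth's filter, which only selects and trims records the framework already has, is the smallest change of the three.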