[Bro] Bro programming intro
Siwek, Jonathan Luke
jsiwek at illinois.edu
Tue Mar 19 11:56:18 PDT 2013
> Another thing I would like to do is tag every orig_h and resp_h with additional identifiers relative to the prefix, sorta like BGP ASNs. I usually use a Patricia-Trie for this. Is there a special data type and BiF I should consider?
When indexed by the `subnet` type, the `set` and `table` types should be using a Patricia-Trie internally. So you might be able to use something like a `table[subnet] of MyTag` for mapping orig_h/resp_h to however you want to define the `MyTag` type (probably an enum would work).
> From the documentation on extending logging it seems that is a bit beyond the scripting layer. I read about the input framework and it seems it might work for this application, but I'm not sure if this is best. What do you suggest? I would like all logs that have an orig_h and/or resp_p to include the tags.
My opinion would be that extending the logging would be easier, but I don't know all the details of how you want to use it. The way I'm thinking, you'd basically do the same thing as the documentation describes, maybe start with conn.log:
(1) add a field to the Conn::Info record for the orig/resp tags
(2) pick a time at which to look up the orig_h/resp_h in your tag table and assign them to the fields in a Conn::Info instance. Two ideas are to handle either the Conn::log_conn or the connection_state_remove event to do this.
Then you can see if it makes sense to extend other logs in a similar way or whether conn.log is adequate.
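The two steps above, written out as one Bro script (an added example, not code from this thread or from the Bro project). The module name NetTag, the Tag enum, and the prefix-to-tag table are invented for illustration, and the prefixes are constructed from RFC 1918 and RFC 5737 ranges. It assumes that indexing a table[subnet] with an addr returns the value for the longest matching prefix, and that the base conn script fills in c$conn in connection_state_remove at &priority=5 and writes the log at &priority=-5, so a default-priority handler runs in between.

```zeek
# Added example: tag conn.log endpoints by longest-prefix subnet match.
module NetTag;

export {
	# Hypothetical tag type; an enum logs as a readable name.
	type Tag: enum {
		UNKNOWN,
		CORP_LAN,
		DMZ,
		GUEST_WIFI,
		PARTNER,
	};

	# Constructed prefix-to-tag mapping. A table[subnet] is backed by a
	# Patricia trie, so an addr lookup finds the longest matching prefix:
	# 10.0.5.7 resolves to DMZ, not CORP_LAN (assumed lookup semantics).
	const tags: table[subnet] of Tag = {
		[10.0.0.0/8]        = CORP_LAN,
		[10.0.5.0/24]       = DMZ,
		[192.168.100.0/24]  = GUEST_WIFI,
		[203.0.113.0/24]    = PARTNER,
	} &redef;

	global tag_for: function(a: addr): Tag;
}

# Step (1): add the tag fields to Conn::Info. &log makes them appear in
# conn.log; &default keeps the record valid for untagged addresses.
redef record Conn::Info += {
	orig_tag: Tag &log &default=UNKNOWN;
	resp_tag: Tag &log &default=UNKNOWN;
};

function tag_for(a: addr): Tag
	{
	# Test membership first: indexing with an address that matches no
	# prefix is a runtime error rather than a miss.
	if ( a in tags )
		return tags[a];
	return UNKNOWN;
	}

# Step (2): populate the fields once per connection, just before the
# record is written. Assumption: base/protocols/conn/main.bro sets c$conn
# at &priority=5 and calls Log::write at &priority=-5, so this handler at
# the default priority 0 sees a populated c$conn and runs before the write.
event connection_state_remove(c: connection)
	{
	if ( ! c?$conn )
		return;

	c$conn$orig_tag = tag_for(c$id$orig_h);
	c$conn$resp_tag = tag_for(c$id$resp_h);
	}
```

Load the script alongside the default conn script and conn.log gains two trailing columns, orig_tag and resp_tag. If the handler ordering assumption does not hold in your Bro version (the write happens at the same or a higher priority than this handler), the fields will be logged with their default value; attaching &priority=10 to the handler and guarding on c?$conn, as above, is the simplest fix to try.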