[Bro] How to use the source address as the vector index

Kellogg, Brian D (OLN) bkellogg at dresser-rand.com
Sun Mar 9 07:29:04 PDT 2014


Look here:  https://www.bro.org/sphinx-git/scripting/index.html#data-types-revisited

I'm relatively new to Bro as well so if I am wrong or this can be done a better way please someone correct me.

The connection record holds information on the current connection only.  It is not an array of all connections.  To do what I think you are trying to do I would create another record and then an array of that record.  Something like this.

global dns_info: table[addr] of string;

This creates a table referenced by IP addresses.

Then you can use dns_info[c$id$orig_h] = query

The record definition would be:

type dns_rec: record {
    dns_info: vector of string;
};

global dns_stuff: table[addr] of dns_rec;

The above will yield a table of dns_recs.  You can add other fields into the record that you need.  This table of dns_rec can be referenced by:

dns_stuff[c$id$orig_h]$dns_info

Hope I didn't miss your question entirely.


thanks,
Brian
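A complete script that puts the table-of-records idea above together, as an added example (not part of the original post): it creates the per-source record on first sight, appends each query to that source's vector, and expires idle entries so the table cannot grow without bound. The `dns_request` signature is Bro 2.x's; the `1hr` expiry is an assumed value.

```bro
module DNSBySource;

export {
    # One record per source address; add more fields here as needed.
    type dns_rec: record {
        dns_info: vector of string;
    };

    # Keyed by the originating address. The expiry attribute (assumed
    # value) drops sources not seen for an hour, bounding memory use.
    global dns_stuff: table[addr] of dns_rec &create_expire = 1hr;
}

event dns_request(c: connection, msg: dns_msg, query: string,
                  qtype: count, qclass: count)
{
    local src = c$id$orig_h;

    # The entry must exist before its vector can be indexed, so create
    # an empty record the first time this source is seen.
    if ( src !in dns_stuff )
        dns_stuff[src] = dns_rec($dns_info = vector());

    # Append: the next free index of a vector is its current length.
    dns_stuff[src]$dns_info[|dns_stuff[src]$dns_info|] = query;
}

event bro_done()
{
    # Summarise what each source asked for during the run.
    for ( src in dns_stuff )
        print fmt("%s made %d queries: %s", src,
                  |dns_stuff[src]$dns_info|, dns_stuff[src]$dns_info);
}
```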