[Bro] How to use the source address as the vector index

anthony kasza anthony.kasza at gmail.com
Sun Mar 9 10:08:08 PDT 2014


Depending on what you are trying to do, you could also use a table
of sets of DNS::Info records indexed by connection source addresses.
Just be careful not to let the table grow too large.

global dns_cache: table[addr] of set(DNS::Info);

DNS::Info records are the same records that get placed in dns log
files. Hope this helps!

-AK

On Sun, Mar 9, 2014 at 7:29 AM, Kellogg, Brian D (OLN)
<bkellogg at dresser-rand.com> wrote:
> Look here:
> https://www.bro.org/sphinx-git/scripting/index.html#data-types-revisited
>
> I'm relatively new to Bro as well so if I am wrong or this can be done a
> better way please someone correct me.
>
> The connection record holds information on the current connection only.  It
> is not an array of all connections.  To do what I think you are trying to do
> I would create another record and then an array of that record.  Something
> like this.
>
> global dns_info: table[addr] of string;
>
> This creates a table referenced by IP addresses.
>
> Then you can use dns_info[c$id$orig_h] = query
>
> The record definition would be:
>
> type dns_rec: record {
>     dns_info: vector of string;
> };
>
> global dns_stuff: table[addr] of dns_rec;
>
> The above will yield a table of dns_recs.  You can add other fields into the
> record that you need.  This table of dns_rec can be referenced by:
>
> dns_stuff[c$id$orig_h]$dns_info
>
> Hope I didn't miss your question entirely.
>
>
> thanks,
>
> Brian
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
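As an added illustration of the per-source cache both messages describe (example script, not code from either poster): the table is keyed by the originating address, records are stored in a vector instead of a set so the oldest can be trimmed, and `&write_expire` plus a per-source cap keep the table from growing too large. The expiry interval, the cap, the module name and the `queries_for` helper are assumptions for this example, not Bro's own API.

```bro
# Added example: cache DNS::Info records per source address with bounded growth.
# Assumes Bro 2.x; the timeout and cap below are constructed values.
module DNSCache;

export {
    ## Evict a source's entry when it has not been written to for this long.
    const idle_timeout = 10min &redef;

    ## Maximum records kept per source address.
    const max_per_source = 100 &redef;

    ## Source address -> DNS::Info records observed from it (same records
    ## that are written to dns.log).
    global cache: table[addr] of vector of DNS::Info
        &write_expire = idle_timeout;

    ## Hypothetical helper: the distinct query names cached for a source.
    global queries_for: function(src: addr): set[string];
}

function queries_for(src: addr): set[string]
    {
    local qs: set[string] = set();
    if ( src !in cache )
        return qs;
    for ( i in cache[src] )
        {
        local rec = cache[src][i];
        if ( rec?$query )    # query is &optional in DNS::Info
            add qs[rec$query];
        }
    return qs;
    }

# DNS::log_dns fires once for every record written to dns.log.
event DNS::log_dns(rec: DNS::Info)
    {
    local src = rec$id$orig_h;
    if ( src !in cache )
        cache[src] = vector();

    # At the cap, drop the oldest record instead of growing without bound.
    if ( |cache[src]| >= max_per_source )
        {
        local kept: vector of DNS::Info = vector();
        for ( i in cache[src] )
            if ( i > 0 )
                kept[|kept|] = cache[src][i];
        cache[src] = kept;
        }

    cache[src][|cache[src]|] = rec;    # append at the end
    }
```

Other scripts can call `DNSCache::queries_for(c$id$orig_h)` to get the names a host has looked up recently without touching the table directly.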
