[Bro] adding srcip to correlation script

Kellogg, Brian D (OLN) bkellogg at dresser-rand.com
Fri Jan 2 08:46:34 PST 2015


I’m working with the correlation script released by CrowdStrike, thank you BTW, and I want to populate the “srcip” field with the correct source IP so that I can do a groupby on that field in ELSA.  How do I get the conn record for this connection into the below function so that I can add $conn=c to the notice?  I’m not sure what the best way to do this is; can I just add it to the function arguments, or define “c” as a local and then assign the source IP, “idx” in this case, to c$id$orig_h?

function alerts_out(t: table[addr] of set[string], idx: addr): interval

thanks,

Brian
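An illustration of the approach, added here as example code rather than anything from the CrowdStrike script or the post above: the expire function only receives the table and the expiring key, so the key itself can be placed in the notice as its source address via $src=idx, and a second table (assumed, named last_id here) can hold a conn_id per address if the id.orig_h/id.resp_h columns are wanted as well. The module name, notice type and the connection_established feeder are all constructed for the example.

```bro
@load base/frameworks/notice

module AlertCorrelation;

export {
    redef enum Notice::Type += {
        ## Constructed example type: raised when an address's alert set expires.
        Correlated_Alerts
    };
}

# Assumed companion table: remembers the last conn_id seen per source address,
# because the expire function itself only gets the table and the key.
global last_id: table[addr] of conn_id &create_expire=10min;

# Expire function with the signature from the question. The key (idx) is the
# source address, so it can populate the notice's src field directly.
function alerts_out(t: table[addr] of set[string], idx: addr): interval
{
    local names = "";
    for ( a in t[idx] )
        names = fmt("%s %s", names, a);

    local info: Notice::Info = [$note=Correlated_Alerts,
                                $msg=fmt("Correlated alerts from %s:%s", idx, names),
                                $src=idx];

    # If a conn_id was recorded for this address, attach it too so the
    # id.* columns in notice.log are filled in alongside src.
    if ( idx in last_id )
        info$id = last_id[idx];

    NOTICE(info);

    # Returning 0secs lets the entry expire; a positive interval would keep it.
    return 0secs;
}

global alerts: table[addr] of set[string]
    &create_expire=5min &expire_func=alerts_out;

# Constructed feeder: record each established connection's originator.
event connection_established(c: connection)
{
    local orig = c$id$orig_h;
    if ( orig !in alerts )
        alerts[orig] = set();
    add alerts[orig][fmt("conn to %s/%s", c$id$resp_h, c$id$resp_p)];
    last_id[orig] = c$id;
}
```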
