[Bro] intel log fields adding and processing

ps sunu pssunu6 at gmail.com
Wed Jan 25 11:59:06 PST 2017


Hi,
I have a script which adds one field to intel.log; that part is working.
Now I want to read the seen.where field from the intel.log output. For
example, if seen.where is HTTP::IN_HOST_HEADER, I need to write "itsOk"
into my new intel.log field.

The problem is that I am not able to get the seen.where field output.

My code:

@load frameworks/intel/seen

export {
  # Last location each host was seen at; shared across cluster nodes and
  # dropped after a week without being written.
  global address: table[addr] of string &synchronized &write_expire=7day;

  redef Intel::read_files += {
    fmt("%s/intel-1.dat", @DIR)
  };

  # Extra columns for intel.log.
  redef record Intel::Info += {
    category: string &optional &log;
    attribute: string &log &optional;
  };
}

# Intel::log_intel is raised with the Intel::Info record that is being
# logged, not with an Intel::Seen; the seen.* columns live in rec$seen.
event Intel::log_intel(rec: Intel::Info)
{
  # seen.host is only set for address indicators, so test it first, and
  # Intel::Where is an enum, so convert it before storing it as a string.
  if ( rec$seen?$host )
    address[rec$seen$host] = fmt("%s", rec$seen$where);

  # The original host_name_dhcp[...] = rec$hostname line referred to a table
  # and to DHCP fields that do not exist here, so it is left out.
}



Is there any way to do this?


Regards,
sunu
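An added example (not the poster's code and not part of Bro's own scripts) of one way to fill the new column from seen.where. It relies on the Intel::extend_match hook that Bro 2.5 introduced: the hook is called with the Intel::Info record before the match is logged, so a field set on info there reaches intel.log, whereas Intel::log_intel is only a notification that a record is being written and is not the place to change it. The file name intel-1.dat, the category/attribute columns, the HTTP::IN_HOST_HEADER test and the value "itsOk" are taken from the post; the script name intel-attr.bro and the use of the indicator's desc metadata to fill the category column are assumptions.

```bro
# intel-attr.bro (assumed file name): add category/attribute columns to
# intel.log and fill them per match. Added example for Bro 2.5 and later;
# not code from the original post or from the Bro distribution.

@load base/frameworks/intel
@load frameworks/intel/seen

export {
    redef record Intel::Info += {
        # Description of the indicator that matched (from the intel file).
        category:  string &log &optional;
        # Verdict derived from where the indicator was seen.
        attribute: string &log &optional;
    };

    # Indicator file next to this script; intel-1.dat is the post's name.
    redef Intel::read_files += { fmt("%s/intel-1.dat", @DIR) };
}

# Intel::extend_match runs for every match, with the Intel::Info record
# that is about to be logged, so fields set on `info` appear in intel.log.
# A `break` at hook level would suppress the log line entirely; priority 5
# runs this handler before any default-priority handler that might do that.
hook Intel::extend_match(info: Intel::Info, s: Intel::Seen, items: set[Intel::Item]) &priority=5
    {
    # seen.where is an Intel::Where enum value, so compare it directly.
    if ( s$where == HTTP::IN_HOST_HEADER )
        info$attribute = "itsOk";
    else
        # Anything else keeps the location as a string for triage.
        info$attribute = fmt("%s", s$where);

    # Several items can match one observation (same indicator from several
    # sources); use the first one that carries a description.
    for ( item in items )
        {
        if ( item$meta?$desc )
            {
            info$category = item$meta$desc;
            break;  # leaves the for loop only, not the hook
            }
        }
    }
```

Run it with, for example, bro -r trace.pcap local intel-attr.bro, or @load it from local.bro. The intel file needs a meta.desc column in its #fields header for category to be filled; when no matching item carries a description the field stays unset and is logged as "-".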