[Bro] intel log fields adding and processing

Azoff, Justin S jazoff at illinois.edu
Wed Jan 25 12:05:39 PST 2017

> On Jan 25, 2017, at 2:59 PM, ps sunu <pssunu6 at gmail.com> wrote:
> Hi,
> I have a script which will add one field in intel.log; that part is working.
> Now I want to read the output from the intel.log seen.where field. For example, if seen.where is HTTP::IN_HOST_HEADER, I need to write "itsOk" into my new intel.log field.
> The problem is I am not able to get the seen.where field output.

The main issue is that the log_intel event is called with an Intel::Info, not an Intel::Seen.

seen.where is the representation of the info record$seen$where field, so you need to do something like this:

event Intel::log_intel(rec: Intel::Info)
    {
    print "rec$seen$where is", rec$seen$where;
    }


- Justin Azoff
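
An added example, not part of the original thread: one way to fill a custom intel.log column from the seen.where value and then read it back in log_intel. The field name where_note is hypothetical, and the script assumes a Bro/Zeek version whose intel framework provides the Intel::extend_match hook.

```zeek
@load base/frameworks/intel
# The "seen" scripts define the Intel::Where values such as HTTP::IN_HOST_HEADER.
@load frameworks/intel/seen

redef record Intel::Info += {
    ## Hypothetical extra column; it appears in intel.log as "where_note".
    where_note: string &log &optional;
};

# extend_match runs before the entry is written to intel.log. The framework
# fills in the default Info fields (including info$seen) at priority 5, so a
# handler at the default priority 0 can already read info$seen$where.
hook Intel::extend_match(info: Intel::Info, s: Intel::Seen, items: set[Intel::Item])
    {
    if ( info$seen$where == HTTP::IN_HOST_HEADER )
        info$where_note = "itsOk";
    }

# log_intel receives the finished Intel::Info record, so the logged
# seen.where column is read as rec$seen$where, as described in the reply.
event Intel::log_intel(rec: Intel::Info)
    {
    local note = rec?$where_note ? rec$where_note : "-";
    print fmt("where=%s note=%s", rec$seen$where, note);
    }
```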
