[Bro] SumStats framework

Xu Zhang zhangxu1115 at gmail.com
Thu Jul 13 14:51:40 PDT 2017


Hi Anthony,
I have not finished the whole script yet.
But basically it is

event bro_init()
{
    local r: set[SumStats::Reducer];
    local chellos = SumStats::Reducer($stream="client_hello_num",
                                      $apply=set(SumStats::SUM));
    add r[chellos];
    local shellos = SumStats::Reducer($stream="server_hello_num",
                                      $apply=set(SumStats::SUM));
    add r[shellos];
    # ..... (a couple of other reducers)

    SumStats::create([$name = "ssl stats",
                      $epoch = 1hr,
                      $reducers = r,
                      $epoch_result(ts: time, key: SumStats::Key,
                                    result: SumStats::Result) =
                      {
                          if ("client_hello_num" in result)
                              bla;
                          if ("server_hello_num" in result)
                              bla;
                          # ......(a couple of IFs)
                      }]);
}


On Thu, Jul 13, 2017 at 2:40 PM, anthony kasza <anthony.kasza at gmail.com>
wrote:

> Hi Xu,
>
> Can you share the script you've written?
>
> -AK
>
> On Jul 13, 2017 10:52 AM, "Xu Zhang" <zhangxu1115 at gmail.com> wrote:
>
>> Hi,
>>
>> I'm using SumStats framework to record features in the SSL handshake
>> packets. There are lots of features (30+) I need to record and I created a
>> reducer for each feature. In the   SumStats::create(), I check if
>> "feature_x" in result, and record result["feature_x"]$num. However, the
>> SumStats::create function looks absurdly long. My question is: is it more
>> efficient to break up the current SumStats::create function into multiple
>> (each only have one reducer), or is it better to keep the code I currently
>> have? Which one is faster?
>>
>> Thanks a lot!
>>
>> --
>> Sincerely,
>> Xu Zhang
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>


-- 
Sincerely,
Xu Zhang
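Added example, not code from the thread or from the Bro project: the same single SumStats::create() as above, but driven by a list of stream names, so the reducers are built in a loop and the epoch_result callback iterates over the result table instead of carrying one "if" per feature. The stream names are the ones from the script above; the module name, log stream, Key and the Bro 2.5 ssl_client_hello/ssl_server_hello event signatures are assumptions for this example.

```bro
# Added example; assumes Bro 2.5 SSL event signatures.
module SSLStats;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:      time   &log;
        feature: string &log;   # SumStats stream name
        total:   double &log;   # SUM over the epoch
    };

    # Every name listed here gets its own SUM reducer (constructed list).
    const features: vector of string = vector("client_hello_num",
                                              "server_hello_num") &redef;
}

event bro_init()
{
    Log::create_stream(LOG, [$columns=Info, $path="ssl_stats"]);

    local r: set[SumStats::Reducer];
    for ( i in features )
        add r[SumStats::Reducer($stream=features[i], $apply=set(SumStats::SUM))];

    SumStats::create([$name="ssl stats",
                      $epoch=1hr,
                      $reducers=r,
                      $epoch_result(ts: time, key: SumStats::Key,
                                    result: SumStats::Result) =
                      {
                          # Only streams that received observations this epoch
                          # appear in result; SUM is in $sum, $num is the
                          # number of observations, not the summed value.
                          for ( stream in result )
                              Log::write(LOG, [$ts=ts, $feature=stream,
                                               $total=result[stream]$sum]);
                      }]);
}

event ssl_client_hello(c: connection, version: count, possible_ts: time,
                       client_random: string, session_id: string, ciphers: index_vec)
{
    SumStats::observe("client_hello_num", SumStats::Key($str="all"),
                      SumStats::Observation($num=1));
}

event ssl_server_hello(c: connection, version: count, possible_ts: time,
                       server_random: string, session_id: string,
                       cipher: count, comp_method: count)
{
    SumStats::observe("server_hello_num", SumStats::Key($str="all"),
                      SumStats::Observation($num=1));
}
```

Adding a feature then means one more string in features and one more SumStats::observe() call in the matching event handler; the create() call itself does not grow.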

