[Bro] SumStats framework
zhangxu1115 at gmail.com
Fri Jul 14 11:26:35 PDT 2017
Sorry I did not provide enough information for my problem. Your approach
would work for client hello and server hello. But for other features, I
need to record the value: for example
I'm using the key field to keep the actual value of that feature. So I
cannot reuse the same reducer "ssl_events" because it will lose the actual
value of that feature.
On Fri, Jul 14, 2017 at 10:35 AM, Azoff, Justin S <jazoff at illinois.edu> wrote:
> > On Jul 14, 2017, at 1:02 PM, Xu Zhang <zhangxu1115 at gmail.com> wrote:
> > Hi,
> > Just to make sure I understand correctly. So you are saying make a couple
> > of SumStats::create(), each SumStats::create() has only one reducer.
> > Could you give an example of "looking at 'key' inside of the reducer,
> > not result"?
> > Thanks a lot!
> No.. I'm saying that you should have a single create.
> By looking at the key I mean use the 'key' variable that is present in the
> epoch_result function.
> Attached is a script I wrote a few years ago. It lets you track arbitrary
> statistics using sumstats - but it should only be used for a finite number
> of 'key' values... 1-500 keys would be ok.. using something like an
> id.orig_h as a key will break sumstats.
> To use it you can just do
>
> event ssl_server_hello(c: connection, version: count, possible_ts: time,
>     server_random: string, session_id: string, cipher: count, comp_method: count)
>     {
>     StatMetrics::increment("server_hello", 1);
>     }
>
> event ssl_client_hello(c: connection, version: count, possible_ts: time,
>     client_random: string, session_id: string, ciphers: index_vec)
>     {
>     StatMetrics::increment("client_hello", 1);
>     }
> - Justin Azoff
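The single-create pattern discussed in this thread, as an added example that is not part of the original messages and is not the attached StatMetrics script. It keeps the "ssl_events" stream name from the thread; the SumStat name, the 5 minute epoch and the "feature:value" key layout are assumptions made for illustration, and only low-cardinality features (negotiated version and cipher) are folded into the key, in line with the limit on key counts mentioned above.

```bro
@load base/frameworks/sumstats
@load base/protocols/ssl

event bro_init()
    {
    # One reducer on one stream; every feature is told apart by its key.
    local r1 = SumStats::Reducer($stream="ssl_events", $apply=set(SumStats::SUM));

    SumStats::create([$name="ssl-feature-counts",   # assumed name
                      $epoch=5min,                  # assumed epoch
                      $reducers=set(r1),
                      $epoch_result(ts: time, key: SumStats::Key, result: SumStats::Result) =
                          {
                          # epoch_result runs once per key; 'key' carries the
                          # feature name (and value), 'result' the counter.
                          local r = result["ssl_events"];
                          local parts = split_string1(key$str, /:/);

                          if ( |parts| == 2 )
                              print fmt("%s feature=%s value=%s count=%.0f",
                                        ts, parts[0], parts[1], r$sum);
                          else
                              print fmt("%s event=%s count=%.0f", ts, key$str, r$sum);
                          }]);
    }

event ssl_client_hello(c: connection, version: count, possible_ts: time,
                       client_random: string, session_id: string, ciphers: index_vec)
    {
    SumStats::observe("ssl_events", [$str="client_hello"], [$num=1]);
    }

event ssl_server_hello(c: connection, version: count, possible_ts: time,
                       server_random: string, session_id: string, cipher: count,
                       comp_method: count)
    {
    SumStats::observe("ssl_events", [$str="server_hello"], [$num=1]);

    # The feature's actual value travels in the key, so the same reducer
    # counts each distinct value separately. Both sets of values are bounded.
    SumStats::observe("ssl_events",
                      [$str=fmt("version:%s", SSL::version_strings[version])], [$num=1]);
    SumStats::observe("ssl_events",
                      [$str=fmt("cipher:%s", SSL::cipher_desc[cipher])], [$num=1]);
    }
```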