[Bro] SumStats framework

Xu Zhang zhangxu1115 at gmail.com
Fri Jul 14 11:26:35 PDT 2017


Sorry I did not provide enough information for my problem. Your approach
would work for client hello and server hello. But for other features, I
need to record the value, for example:

event ssl_server_hello(...)
{
    SumStats::observe("server_hello_version", [$str=SSL::version_strings[version]], [$num=1]);
}

I'm using the key field to keep the actual value of that feature. So I
cannot reuse the same reducer "ssl_events" because it will lose the actual
value of that feature:

SumStats::observe("ssl_events", [$str="server_hello_version"], [$num=1]);

On Fri, Jul 14, 2017 at 10:35 AM, Azoff, Justin S <jazoff at illinois.edu>
wrote:

>
> > On Jul 14, 2017, at 1:02 PM, Xu Zhang <zhangxu1115 at gmail.com> wrote:
> >
> > Hi,
> > Just to make sure I understand correctly. So you are saying make a couple
> > of SumStats::create(), each SumStats::create() has only one reducer.
> > Could you give an example of "looking at 'key' inside of the reducer,
> > not result"?
> > Thanks a lot!
>
> No.. I'm saying that you should have a single create.
>
> By looking at the key I mean use the 'key' variable that is present in the
> epoch_result function.
>
> Attached is a script I wrote a few years ago.  It lets you track arbitrary
> statistics using sumstats - but it should only be used for a finite number
> of 'key' values... 1-500 keys would be ok.. using something like an
> id.orig_h as a key will break sumstats.
>
>
> To use it you can just do
>
> event ssl_server_hello(c: connection, version: count, possible_ts: time,
> server_random: string, session_id: string, cipher: count, comp_method:
> count)
> {
>     StatMetrics::increment("server_hello", 1);
> }
>
> event ssl_client_hello(c: connection, version: count, possible_ts: time,
> client_random: string, session_id: string, ciphers: index_vec)
> {
>     StatMetrics::increment("client_hello", 1);
>
> }
>
>
>
> --
> - Justin Azoff
>
>


-- 
Sincerely,
Xu Zhang
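
An added example, not part of the original messages and not the attached StatMetrics script: one SumStats::create() with one reducer on the "ssl_events" stream, where the key carries both the feature name and its value and epoch_result reads them back from 'key'. The sumstat name and the "feature=value" key format are assumptions made for illustration.

```bro
@load base/frameworks/sumstats
@load base/protocols/ssl

# Later Zeek releases name this event zeek_init.
event bro_init()
    {
    # One reducer shared by every SSL feature that gets counted.
    local r1 = SumStats::Reducer($stream="ssl_events",
                                 $apply=set(SumStats::SUM));

    # "ssl-feature-counts" is an assumed name.
    SumStats::create([$name="ssl-feature-counts",
                      $epoch=5min,
                      $reducers=set(r1),
                      $epoch_result(ts: time, key: SumStats::Key,
                                    result: SumStats::Result) =
                          {
                          # The key is "feature=value" (assumed format);
                          # split it once on the first "=".
                          local parts = split_string1(key$str, /=/);
                          if ( |parts| != 2 )
                              return;

                          local r = result["ssl_events"];
                          print fmt("%s feature=%s value=%s count=%.0f",
                                    ts, parts[0], parts[1], r$sum);
                          }]);
    }

event ssl_server_hello(c: connection, version: count, possible_ts: time,
                       server_random: string, session_id: string,
                       cipher: count, comp_method: count)
    {
    # The observed value stays in the key next to the feature name, so the
    # shared stream does not lose it. SSL::version_strings is a small,
    # fixed table, which keeps the number of distinct keys finite.
    local k = "server_hello_version=" + SSL::version_strings[version];
    SumStats::observe("ssl_events", [$str=k], [$num=1]);
    }
```

The number of distinct keys is the number of feature and value combinations, so this only suits features with a small set of possible values, in line with the 1-500 key guidance quoted above.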