[Bro-Dev] current_time() vs network_time()

Thu Nov 19 14:42:37 PST 2015

> I'm not sure what you have available but to generate the unix timestamp
> I would use localtime() or gmtime() (using gmtime() avoids daylight

Here is the function I am now using (sharing - might be useful to improve upon)

Index: ../../all-check.bro
===================================================================
--- ../../all-check.bro (revision 819)
+++ ../../all-check.bro (working copy)

+function next_report_time():time
+{
+       local kv_splitter: pattern = /[\ \t]+/;
+        local one_space: string = " ";

+       local _report_hours: vector of count = {0, 10, 12, 14, 16, 23};
+
+       local t = current_time();
+       local _now_h = to_count(strftime("%H", t));
+
+       local _next_report_hour : count = 0 ;
+
+       for (h in _report_hours)
+       {
+               print fmt ("now_h is %s, H is %s", _now_h, _report_hours[h]) ;
+               if (_now_h < _report_hours[h])
+               {
+                       _next_report_hour = _report_hours[h]  ; break;
+               }
+       }
+
+       local t_year = strftime("%Y",t);
+       local t_zone = strftime("%Z",t);
+       local zone_year_month_day = strftime("%Z %Y %b %d", t);
+
+       local _hour = _next_report_hour ;
+	local _min = "00" ;
+       local _sec = "00" ;
+
+       local _t_string = fmt ("%s %s:%s:%s", zone_year_month_day, _hour,_min,_sec );
+
+       local _next_report_time = fmt ("time is :  %s, %s", strftime("%Z %Y %b %d %T", t), _t_string) ;
+
+       local parse_string: string = "%Z %Y %b %d %H:%M:%S";
+       local date_mod = fmt("%s", _t_string);
+       local date_mod_p = gsub(date_mod, kv_splitter, one_space);
+       local ret_val = strptime(parse_string, date_mod_p);
+
+       return ret_val ;
+}
+

And then basically: 

event bro_init() &priority=10
{

+	nrt =  next_report_time() ;

} 


event report_allcheck()
 {

 +       #if((report_hour == 0 || report_hour == 10 || report_hour == 12 || report_hour == 14
 +                       ##|| report_hour == 16 || report_hour == 23)  && report_min == 0 && report_sec == 0)
 +
 +if (current_time() > nrt)
  {
  +       nrt = next_report_time();

  } 
 } 


On Wed, Nov 18, 2015 at 11:34:39AM -0800, Craig Leres wrote:
> On 11/18/2015 10:58 AM, Aashish Sharma wrote:
> > So, I am trying to have bro send me report/alerts at specific timeslots. 
> > 
> > Given current_time is the wall-clock time, I am relying on current_time() function to get time and then, my code is : if (hh:mm:ss == desired time), run a report. 
> 
> My recommendation for how to implement this would be to calculate a unix
> timestamp (seconds since 1970) that corresponds to the next time you
> want send a report and then poll for when time() is >= this value. After
> sending the report, calculate the next timestamp.
> 
> I'm not sure what you have available but to generate the unix timestamp
> I would use localtime() or gmtime() (using gmtime() avoids daylight
> saving time issues) to break out the fields, set the H, M and S to the
> desired values and then use mktime() (or timegm()) to convert back to a
> unix timestamp.
> 
> Craig