[Bro] Converting a Bro Script to A New Stream

Seth Hall seth at icir.org
Mon Aug 20 07:42:01 PDT 2012


On Aug 16, 2012, at 5:32 PM, Chris Crawford <christopher.p.crawford at gmail.com> wrote:

> redef record rec += {
>        foo: Info &optional;
> };

> error in ./test.bro, line 22: unknown identifier (Foo::rec)
> error in ./test.bro, line 35 and ./test.bro, line 39: already defined (Foo::rec)

I don't think you need that little chunk of code I left above.  We do that in many base scripts as a way of hiding protocol specific information within the connection record.  There is no existing record type named "rec" though and it doesn't look like you need to hide this information anywhere since you are deriving all of your log directly from data in the DNS::log_dns event.

There is a better way to do this though and it was something we specifically considered in the logging framework.  Here's a log filter you can run that will give you the log you want…

event bro_init()
	{
	# A filter with a predicate only writes the records for which $pred returns T,
	# and $include restricts the written columns to the named fields.
	local filter: Log::Filter = [
		$name="only-1.2.3.4",
		$path="foo",   # records go to foo.log instead of dns.log
		$pred(rec: DNS::Info) = {
			# qtype_name and answers are &optional, so test for presence first.
			if ( rec?$qtype_name && rec?$answers &&
			     rec$qtype_name == "A" )
				{
				for ( i in rec$answers )
					if ( "1.2.3.4" in rec$answers[i] )
						return T;
				}
			return F;
		},
		$include=set("ts", "uid", "id.orig_h", "query")];
	Log::add_filter(DNS::LOG, filter);
	}

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
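The following is an added example, not Seth's code or part of the Bro distribution, that generalizes the filter above from one hard-coded address to a redef-able watch list. It also compares answers as addresses rather than with a substring test, since `"1.2.3.4" in answer` would also accept an answer of "1.2.3.45" or "11.2.3.4". The module name, the `watched` set and its sample value, the helper name `answer_is_watched`, and the log path `dns_watched` are all assumptions; the DNS::Info fields and the Log::Filter record are the ones used in the thread.

```bro
##! Added example (not from the original thread): write DNS A answers that
##! point at a watch-list of addresses to a separate log stream.

module WatchedAnswers;

export {
	## Addresses to flag when they appear in DNS answers.
	## Constructed sample value; override with redef in local.bro.
	const watched: set[addr] = { 1.2.3.4 } &redef;
}

## Helper (assumed name): exact address comparison instead of a substring
## test, so 1.2.3.4 does not also match an answer of 1.2.3.45.
function answer_is_watched(answers: vector of string): bool
	{
	for ( i in answers )
		{
		local a = answers[i];
		# Only convert strings that are dotted-quad literals; CNAME targets
		# and other names in the answers vector stay strings and are skipped.
		if ( /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/ == a && to_addr(a) in watched )
			return T;
		}
	return F;
	}

event bro_init()
	{
	local filter: Log::Filter = [
		$name="watched-dns-answers",
		$path="dns_watched",   # records go to dns_watched.log
		$pred(rec: DNS::Info) = {
			# Optional fields are checked for presence before use;
			# && short-circuits, so rec$answers is never read when absent.
			return rec?$qtype_name && rec?$answers &&
			       rec$qtype_name == "A" &&
			       answer_is_watched(rec$answers);
		},
		$include=set("ts", "uid", "id.orig_h", "query", "answers")];
	Log::add_filter(DNS::LOG, filter);
	}
```

Because the filter is added rather than replacing the default one, dns.log continues to receive every record; dns_watched.log holds only the matching subset with the listed columns. Adding "answers" to `$include` keeps the matched address in the reduced log, which is the field an analyst will want when reviewing the hit.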