[Bro] Adding a human-readable timestamp field.

Dani Witherspoon punchpernickle at gmail.com
Thu Aug 8 09:30:40 PDT 2013


No worries! This only works for HTTP logs --  you'd have to edit it for
other protocols, which I've done for SSL, FTP, and SSH. I've included those
scripts below, in case anybody else would like to use them. Let me know if
any issues crop up, or if the coding isn't in the bro-spirit. :)

# File: human_time_ftp.bro

@load base/protocols/ftp

module FTP;

export {
        redef record Info += {
                ## A human-readable timestamp
                human_time: string &log &optional;
        };
}

event ftp_request(c: connection, command: string, arg: string)
        {
        local format: string = "%F, %H:%M:%S";
        c$ftp$human_time = strftime(format, c$ftp$ts);
        }

--------------------------

# File: human_time_ssl

@load base/protocols/ssl

module SSL;

export {
        redef record Info += {
                ## A human-readable timestamp
                human_time: string &log &optional;
        };
}

event ssl_established(c: connection)
        {
        local format: string = "%F, %H:%M:%S";
        c$ssl$human_time = strftime(format, c$ssl$ts);
        }

-----------------------------

# File: human_time_ssh

@load base/protocols/ssh

module SSH;

export {
        redef record Info += {
                ## A human-readable timestamp
                human_time: string &log &optional;
        };
}

event ssh_client_version(c: connection, version: string)
        {
        local format: string = "%F, %H:%M:%S";
        c$ssh$human_time = strftime(format, c$ssh$ts);
        }

-----------------------

etc, etc, etc --  I'm sure you see how you could continue extending it to
other protocols! Best of luck. :)



On Thu, Aug 8, 2013 at 12:09 PM, Harrison Wood <harrison.wood at gmail.com> wrote:

> Thanks for posting your script! I just added it to my install so I can
> stop doing date -d@ all the time.
>
>
> On Thu, Aug 8, 2013 at 8:10 AM, Dani Witherspoon <punchpernickle at gmail.com> wrote:
>
>> Thank you so much, Justin! This did the trick --  I really appreciate the
>> guidance!
>>
>> If anybody's interested, here's the working bro-code:
>>
>>
>> @load base/protocols/http
>>
>> module HTTP;
>>
>> export {
>>         redef record Info += {
>>                 ## A human-readable timestamp
>>                 human_time: string &log &optional;
>>         };
>> }
>>
>> event http_request(c: connection, method: string, original_URI: string,
>> unescaped_URI: string, version: string)
>>         {
>>         local format: string = "%F, %H:%M";
>>         c$http$human_time = strftime(format, c$http$ts);
>>         }
>>
>>
>> On Wed, Aug 7, 2013 at 1:48 PM, Justin Azoff <JAzoff at albany.edu> wrote:
>>
>>> On Wed, Aug 07, 2013 at 12:07:03PM -0400, Dani Witherspoon wrote:
>>> > event time_translate(c: connection, rec: HTTP::Info)
>>> >         {
>>> >     local format: string = "%F-%H-%M";
>>> >         c$http$human_time = strftime(format, rec$ts);
>>> >         }
>>> >
>>>
>>> You're right up to here... the problem is nothing will trigger the
>>> time_translate event.  You need to use one of the existing events that
>>> will fire for http connections.
>>>
>>> I would try:
>>>
>>> event HTTP::log_http(rec: HTTP::Info)
>>> {
>>>     ..
>>> }
>>>
>>> I believe that fires just before the entry is logged, if that doesn't
>>> work an event like connection_established or http_request would
>>> definitely work.
>>>
>>> --
>>> -- Justin Azoff
>>> -- Network Security & Performance Analyst
>>>
>>
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>
>
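The scripts in this thread add a human-readable timestamp at log-generation time, one protocol script at a time. The alternative that addresses Harrison's "date -d@" habit without touching Bro at all is to post-process the ASCII logs. The following is an added example, not code from the thread or from the Bro project: a small Python converter that parses the `#separator`, `#unset_field` and `#types` headers of a Bro ASCII log and rewrites every column typed `time` (not just `ts`, so it also covers fields such as a `start_time`), leaving unset `-` fields and all header lines untouched. The embedded `http.log` sample, including its `uid` values and addresses, is constructed for the example.

```python
"""Rewrite the epoch-seconds `time` columns of a Bro ASCII log as
human-readable timestamps. Added example; the sample log is constructed."""
from datetime import datetime, timezone

# Constructed minimal http.log in Bro's ASCII format. Header lines use the
# declared separator (a tab); the #separator line itself is space-separated
# and spells the separator as an escape ("\x09" for tab).
SAMPLE_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\thttp
#open\t2013-08-08-09-30-40
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring
1375979440.123456\tCjWm3K2vFz5\t10.0.0.5\t51234\t93.184.216.34\t80\tGET\texample.com\t/
1375979441.5\tCjWm3K2vFz6\t10.0.0.5\t51235\t93.184.216.34\t80\t-\t-\t-
#close\t2013-08-08-09-31-00
"""


def parse_separator(line):
    """Turn '#separator \\x09' into the actual separator character."""
    raw = line.split(" ", 1)[1]
    return raw.encode("ascii").decode("unicode_escape")


def humanize_time(value, fmt, utc):
    """Format one epoch-seconds string; UTC by default so output is
    reproducible across machines (Bro's strftime uses local time)."""
    secs = float(value)
    if utc:
        dt = datetime.fromtimestamp(secs, tz=timezone.utc)
    else:
        dt = datetime.fromtimestamp(secs)
    return dt.strftime(fmt)


def humanize_log(text, fmt="%Y-%m-%d %H:%M:%S", utc=True):
    """Return the log text with every `time`-typed column rewritten.

    Header lines (#fields, #types, #open, #close, ...) pass through
    unchanged so the result still parses as a Bro ASCII log.
    """
    sep = "\t"          # Bro's default; overridden by the #separator header
    unset = "-"         # overridden by the #unset_field header
    time_cols = []      # indices of columns whose #types entry is "time"
    out = []
    for line in text.splitlines():
        if line.startswith("#"):
            if line.startswith("#separator "):
                sep = parse_separator(line)
            else:
                key, *vals = line.split(sep)
                if key == "#unset_field" and vals:
                    unset = vals[0]
                elif key == "#types":
                    time_cols = [i for i, t in enumerate(vals) if t == "time"]
            out.append(line)
            continue
        cols = line.split(sep)
        for i in time_cols:
            # Skip unset values ("-") and short/malformed rows.
            if i < len(cols) and cols[i] != unset:
                cols[i] = humanize_time(cols[i], fmt, utc)
        out.append(sep.join(cols))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(humanize_log(SAMPLE_LOG), end="")
```

Run it with `python humanize.py < http.log` style piping by reading `sys.stdin` in place of `SAMPLE_LOG`; pass `utc=False` to get the same local-time rendering the in-Bro `strftime` scripts above produce. Bro's bundled `bro-cut` utility offers the same conversion with its `-d` (and `-u` for UTC) options, which is the first thing to reach for when the log format is standard; the value of a hand-written converter is mainly in handling logs whose `#types` line declares extra `time` fields.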