[Bro] Bro programming intro
Seth Hall
seth at icir.org
Tue Mar 19 12:41:48 PDT 2013
On Mar 19, 2013, at 2:18 PM, Tritium Cat <tritium.cat at gmail.com> wrote:
> Another thing I would like to do is tag every orig_h and resp_h with additional identifiers relative to the prefix, sorta like BGP ASNs. I usually use a Patricia-Trie for this. Is there a special data type and BiF I should consider?
You got the right section in the logging framework docs. I'll give an example if you want to add ASN like you mentioned as an example...
# Conn::Info is the record that conn.log is written from, so new
# fields go there (marked &log so they appear in the log).
redef record Conn::Info += {
	orig_asn: count &log &optional;
	resp_asn: count &log &optional;
};

event connection_established(c: connection)
	{
	# lookup_asn() is a built-in function; it needs the MaxMind ASN database.
	c$conn$orig_asn = lookup_asn(c$id$orig_h);
	c$conn$resp_asn = lookup_asn(c$id$resp_h);
	}
You need to have the MaxMind ASN database in place for the lookup_asn function to work. Anyway, it's pretty easy. :)
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
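For the prefix-tagging part of the question, a Bro script does not need a separate Patricia trie: a `table[subnet]` indexed with an `addr` does longest-prefix matching. The script below is an added example, not code from the thread; the prefixes and labels are constructed samples, and it assumes (as in Bro 2.1's conn.bro) that the conn.log write runs at a lower handler priority than the default, so fields set in `connection_state_remove` land in the log.

```bro
# Added example: tag orig_h/resp_h with a label for the longest matching
# prefix, in the same way Seth's snippet adds ASN fields.
module PrefixTag;

export {
	redef record Conn::Info += {
		orig_tag: string &log &optional;
		resp_tag: string &log &optional;
	};

	# Constructed sample mapping. On lookup with an address the most
	# specific prefix wins, so 10.20.5.7 gets "corp-dc-mgmt", not "corp".
	const prefix_tags: table[subnet] of string = {
		[10.0.0.0/8]     = "corp",
		[10.20.0.0/16]   = "corp-dc",
		[10.20.5.0/24]   = "corp-dc-mgmt",
		[192.168.0.0/16] = "lab",
	} &redef;
}

# Default priority (0): after conn.bro fills in c$conn, before it logs.
event connection_state_remove(c: connection)
	{
	# Guard against connections for which no Conn::Info record exists.
	if ( ! c?$conn )
		return;

	# Both 'in' and the index use longest-prefix matching; addresses that
	# match no prefix simply leave the &optional field unset.
	if ( c$id$orig_h in prefix_tags )
		c$conn$orig_tag = prefix_tags[c$id$orig_h];

	if ( c$id$resp_h in prefix_tags )
		c$conn$resp_tag = prefix_tags[c$id$resp_h];
	}
```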