[Bro] Bro programming intro

Tritium Cat tritium.cat at gmail.com
Tue Mar 19 13:29:06 PDT 2013


Thanks for the detail and examples.  Makes more sense when you consider a
single Bro process.



On Tue, Mar 19, 2013 at 12:41 PM, Seth Hall <seth at icir.org> wrote:

>
> On Mar 19, 2013, at 2:18 PM, Tritium Cat <tritium.cat at gmail.com> wrote:
>
> > Another thing I would like to do is tag every orig_h and resp_h with
> additional identifiers relative to the prefix, sorta like BGP ASNs.  I
> usually use a Patricia-Trie for this.  Is there a special data type and BiF
> I should consider ?
>
> You got the right section in the logging framework docs.  I'll give an
> example if you want to add ASN like you mentioned as an example...
>
> redef record Conn::Info += {
>         orig_asn: count &log &optional;
>         resp_asn: count &log &optional;
> };
>
> event connection_established(c: connection)
>         {
>         c$conn$orig_asn = lookup_asn(c$id$orig_h);
>         c$conn$resp_asn = lookup_asn(c$id$resp_h);
>         }
>
> You need to have the MaxMind ASN database in place for the lookup_asn
> function to work.  Anyway, it's pretty easy. :)
>
>   .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
>
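Added example, not part of the original thread or of Bro's own scripts: the poster asked about tagging orig_h and resp_h with identifiers keyed by IP prefix (the Patricia-trie use case), and Seth's reply only shows the ASN lookup. The script below extends the same Conn::Info record with two more &log fields and fills them from an operator-supplied prefix table. It goes beyond the reply in that it relies on subnet-indexed tables doing longest-prefix matching on address lookups, which current Zeek (Bro's successor) provides, so no separate trie implementation is needed. The module name SiteTag, the table prefix_tags, the function tag_for, and every prefix and label in the table are assumptions made up for the example.

```zeek
# Added example: per-endpoint prefix tags in conn.log via longest-prefix match.
# Assumes current Zeek; the prefixes and labels below are constructed sample data.

module SiteTag;

export {
	redef record Conn::Info += {
		## Label of the longest prefix matching the originator address.
		orig_tag: string &log &optional;
		## Label of the longest prefix matching the responder address.
		resp_tag: string &log &optional;
	};

	## Prefix -> label map. Zeek resolves an addr lookup on a table[subnet]
	## to the longest matching prefix, which is the Patricia-trie behaviour
	## the poster wants. Sample entries only; replace with real data.
	const prefix_tags: table[subnet] of string = {
		[10.0.0.0/8]     = "corp-rfc1918",
		[10.20.0.0/16]   = "corp-datacenter",
		[10.20.30.0/24]  = "corp-dc-mgmt",
		[192.168.0.0/16] = "lab",
	} &redef;

	## Label used when no prefix matches.
	const default_tag = "external" &redef;
}

function tag_for(a: addr): string
	{
	# 10.20.30.5 -> "corp-dc-mgmt", 10.20.1.1 -> "corp-datacenter",
	# 10.9.9.9 -> "corp-rfc1918", 8.8.8.8 -> default_tag.
	if ( a in prefix_tags )
		return prefix_tags[a];
	return default_tag;
	}

# Fill the fields just before Conn writes the record. Conn's own handler sets
# c$conn at priority 5 and writes the log at priority -5, so priority 3 sits
# safely between the two.
event connection_state_remove(c: connection) &priority=3
	{
	c$conn$orig_tag = tag_for(c$id$orig_h);
	c$conn$resp_tag = tag_for(c$id$resp_h);
	}
```

Because prefix_tags is declared &redef, a site can supply its real prefix list from local.zeek with `redef SiteTag::prefix_tags += { [203.0.113.0/24] = "dmz" };` without editing this file. Tagging at connection_state_remove rather than connection_established also covers connections that never complete a handshake (scans, half-open attempts), which would otherwise be logged without tags.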