[Bro] Question regarding an error
Justin Azoff
JAzoff at albany.edu
Wed Oct 30 13:31:37 PDT 2013
On Wed, Oct 30, 2013 at 08:08:58PM +0000, Rosebraugh, Connar wrote:
> type ConnDelta: record{
> #time connection was last seen.
> #consider updating to a set, and taking the stdev of the times
> lastSeen: time;
> delta: interval;
> };
>
> function update_time(t: time, c: ConnDelta): interval
> {
> c$delta = c$lastSeen - t;
> c$lastSeen = t;
> }
>
> #event bro_init()
> #{
> # local t1 = current_time();
> # local t2 = network_time();
> # local t3: interval = t1 - t2;
> #
> # print t1;
> # print t2;
> # print t3;
> #}
>
> local connection_deltas: table[addr, addr, port] of ConnDelta;
This needs to be 'global' not 'local'. Possibly a parser bug that it
doesn't return a more helpful error message since it clearly gets
confused.
> @load base/protocols/conn
>
> #event new_connection(c: connection)
> event new_connection(c: connection)
> {
> update_time(c$start_time, connection_deltas[c$id$orig_h, c$id$resp_h, c$id$resp_p]);
> }
The next problem you will run into is that you need to set &default for
connection_deltas that returns a default ConnDelta object for the first
time that this tuple is seen.
> event bro_done()
> {
> #print connection_deltas;
> }
>
--
-- Justin Azoff
-- Network Security & Performance Analyst
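
The two fixes discussed in this thread, put together as an added example (not code from the original post or from the Bro project). It declares the table 'global' at module scope and, as an assumption, uses an explicit membership check in place of the suggested &default so that the first ConnDelta for a tuple is actually stored in the table. It also assumes the delta should be the new time minus the previous one.

```bro
@load base/protocols/conn

type ConnDelta: record {
	# Time a connection for this tuple was last seen.
	lastSeen: time;
	# Gap between the two most recent connections (assumed: new minus previous).
	delta: interval &default=0secs;
};

# Declared at module scope, so it must be 'global'.
# 'local' is only valid inside a function or event body.
global connection_deltas: table[addr, addr, port] of ConnDelta;

event new_connection(c: connection)
	{
	local o = c$id$orig_h;
	local r = c$id$resp_h;
	local p = c$id$resp_p;

	# First time this tuple is seen: create and store its entry.
	# Indexing a missing element without this check (or a &default)
	# is a run-time error.
	if ( [o, r, p] !in connection_deltas )
		{
		local first: ConnDelta = [$lastSeen=c$start_time];
		connection_deltas[o, r, p] = first;
		return;
		}

	# Records are reference types, so updating 'cd' updates the table entry.
	local cd = connection_deltas[o, r, p];
	cd$delta = c$start_time - cd$lastSeen;
	cd$lastSeen = c$start_time;
	}

event bro_done()
	{
	print connection_deltas;
	}
```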