[Bro] Bro Digest, Vol 110, Issue 35
Adam Hall
abhall1 at yahoo.com
Thu Jun 25 17:14:43 PDT 2015
Hey Michael,
I tried to stick to what you had and assumed the rest. I got it to work and here is what I had.
type Bandwidth: record {
    pair: string &log;
    bytesIn: count &log;
    bytesOut: count &log;
};

global bandwidth: set[Bandwidth];

event connection_state_remove(c: connection)
    {
    # Key the record on the originator/responder address pair.
    local mypair = fmt("%s,%s", c$id$orig_h, c$id$resp_h);
    local bin = c$orig$size;
    local bout = c$resp$size;

    local thispair: Bandwidth;
    thispair$pair = mypair;
    thispair$bytesIn = bin;
    thispair$bytesOut = bout;

    if ( thispair in bandwidth )
        print fmt("My pair %s", thispair);
    else
        {
        print fmt("My pair 2 %s", thispair);
        add bandwidth[thispair];
        }
    }
Here are results:
My pair 2 [pair=2601:347:c200:xxx:xxx:xxx:xxx:xxx,2607:f8b0:xxx:xxx::xxx, bytesIn=2737, bytesOut=1350]
My pair [pair=192.168.x.x,224.0.0.252, bytesIn=54, bytesOut=0]
I don't think any bytes will return NULL, but you may want to consider doing "&log &optional". Also... this was run on bro-2.4.
Hope this helps!
RedLight
From: "bro-request at bro.org" <bro-request at bro.org>
To: bro at bro.org
Sent: Thursday, June 25, 2015 3:00 PM
Subject: Bro Digest, Vol 110, Issue 35
Today's Topics:
1. Record use (Michael Black)
----------------------------------------------------------------------
Message: 1
Date: Thu, 25 Jun 2015 13:21:22 -0500
From: "Michael Black" <mdblack98 at yahoo.com>
Subject: [Bro] Record use
To: <bro at bro-ids.org>
Message-ID: <085f01d0af73$bdac2620$39047260$@yahoo.com>
Content-Type: text/plain; charset="us-ascii"
I'm trying to keep a count of total bytes between IP pairs.
type Bandwidth: record {
    pair: string &log;
    bytesIn: count &log;
    bytesOut: count &log;
};

global bandwidth: set[Bandwidth];
If all I have in the record is just "pair" this works OK.
local mypair = fmt("%s,%s", c$id$orig_h, c$id$resp_h);
local thispair: Bandwidth;
thispair$pair = mypair;

if ( thispair in bandwidth )
    # ...do stuff
else
    {
    add bandwidth[thispair];
    }
But if I add the bytes In/Out to the record and thispair, it never finds thispair in bandwidth, as though it's looking for a match on the bytes too.
I assume there's a simple solution.
Can't seem to find a reference on the syntax.
Thanks
Mike
------------------------------
_______________________________________________
Bro mailing list
Bro at bro.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
End of Bro Digest, Vol 110, Issue 35
************************************
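The behaviour Mike describes is expected: membership in a set[Bandwidth] compares the whole record value, so once bytesIn and bytesOut are part of the record, two connections between the same hosts only match when their byte counts are identical as well (which is why the tiny 192.168.x.x,224.0.0.252 connection above was the only one to hit the "in bandwidth" branch). The idiomatic way to keep running totals per IP pair is a table keyed on the pair string, with the byte counters living in the value. The script below is an added example written for this thread, not code from Adam or Mike; the module name PairBandwidth, the log path "pair_bandwidth" and the &default values are assumptions, the field names come from the thread, and it uses Bro 2.4 syntax as mentioned above.

```bro
# Added example (not from the original thread): per-IP-pair byte totals
# kept in a table keyed on the pair string, so lookups never depend on
# the byte counts themselves. Module/log names are assumed.

module PairBandwidth;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        pair:     string &log;
        bytesIn:  count  &log &default=0;
        bytesOut: count  &log &default=0;
    };
}

# Accumulated totals, indexed by the "orig_h,resp_h" string.
global totals: table[string] of Info;

event bro_init()
    {
    Log::create_stream(PairBandwidth::LOG,
                       [$columns=Info, $path="pair_bandwidth"]);
    }

event connection_state_remove(c: connection)
    {
    local key = fmt("%s,%s", c$id$orig_h, c$id$resp_h);

    # First time we see this pair: create the entry with zeroed counters.
    if ( key !in totals )
        totals[key] = [$pair=key];

    # Add this connection's payload bytes in each direction to the totals.
    totals[key]$bytesIn  += c$orig$size;
    totals[key]$bytesOut += c$resp$size;
    }

event bro_done()
    {
    # Write one line per pair when Bro shuts down (or the pcap ends).
    for ( key in totals )
        Log::write(PairBandwidth::LOG, totals[key]);
    }
```

Run it as `bro -r some.pcap pair_bandwidth.bro` and the totals land in pair_bandwidth.log. If the pair string should treat A,B and B,A as the same flow, normalise the key (for example, always put the lower address first) before the lookup; and if you want the original set-of-records approach to keep working, the equivalent trick is to leave only the pair in the key and move the counters into a table value exactly as above.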