[Bro] Bro Digest, Vol 110, Issue 35

Adam Hall abhall1 at yahoo.com
Thu Jun 25 17:14:43 PDT 2015


Hey Michael,
   I tried to stick to what you had and assumed this rest.  I got it to work and here is what I had.
type Bandwidth: record {        pair: string &log;        bytesIn: count &log;        bytesOut: count &log;};
global bandwidth: set[Bandwidth];
event connection_state_remove(c: connection){
local mypair=fmt("%s,%s",c$id$orig_h,c$id$resp_h);
local bin= c$orig$size;
local bout= c$resp$size;
local thispair: Bandwidth;
thispair$pair = mypair;thispair$bytesIn = bin;thispair$bytesOut = bout;
if (thispair in bandwidth)        print fmt("My pair %s",thispair);else{        print fmt("My pair 2 %s",thispair);        add bandwidth[thispair];}
}
Here are results:
My pair 2 [pair=2601:347:c200:xxx:xxx:xxx:xxx:xxx,2607:f8b0:xxx:xxx::xxx, bytesIn=2737, bytesOut=1350]My pair [pair=192.168.x.x,224.0.0.252, bytesIn=54, bytesOut=0]
I don't think any bytes will return NULL, but you may want to consider doing " &log &optional ".Also... this was ran on bro-2.4.
Hope this helps!
RedLight

      From: "bro-request at bro.org" <bro-request at bro.org>
 To: bro at bro.org 
 Sent: Thursday, June 25, 2015 3:00 PM
 Subject: Bro Digest, Vol 110, Issue 35
   
Send Bro mailing list submissions to
    bro at bro.org

To subscribe or unsubscribe via the World Wide Web, visit
    http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
or, via email, send a message with subject or body 'help' to
    bro-request at bro.org

You can reach the person managing the list at
    bro-owner at bro.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Bro digest..."


Today's Topics:

  1. Record use (Michael Black)


----------------------------------------------------------------------

Message: 1
Date: Thu, 25 Jun 2015 13:21:22 -0500
From: "Michael Black" <mdblack98 at yahoo.com>
Subject: [Bro] Record use
To: <bro at bro-ids.org>
Message-ID: <085f01d0af73$bdac2620$39047260$@yahoo.com>
Content-Type: text/plain;    charset="us-ascii"

I'm trying to keep a count of total bytes between IP pairs.
Type Bandwidht: record {
    pair: string &log;
    bytesIn: count &log;
    bytesOut: count &log;
};
global bandwidth: set[Bandwidth];

If all I have in the record is just "pair" this works OK.
local mypair = fmt("%s,%s",c$id$orig_h,c$id$resp_h);
local thispair: Bandwidth;
thispair$pair = mypair;
if (thispair in bandwidth)
..do stuff
else {
    add bandwidth[thispair];
}


But.if I add the bytes In/Out to the record and thispair it never finds
thispair in bandwidth as though it's looking for match on bytes too.
I assume there's a simple solution.

Can't seem to find a reference on the syntax.

Thanks
Mike




------------------------------

_______________________________________________
Bro mailing list
Bro at bro.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro


End of Bro Digest, Vol 110, Issue 35
************************************


  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150626/da306137/attachment.html 


More information about the Bro mailing list