[Bro] Issues with data structures
Ben Mixon-Baca
bmixonb1 at cs.unm.edu
Fri Jul 22 14:18:00 PDT 2016
I figured it out. I wasn't performing a deep copy.
I changed the code to this, and now it is giving me what I was expecting:
$epoch_result(ts: time, key: SumStats::Key, result: SumStats::Result) =
{
    local tmp: table[string] of count;
    if ("prefix" in result)
    {
        local i = 0;
        local payload = SumStats::key2str(key);
        for (bytei in payload)
        {
            bytei = string_to_ascii_hex(bytei);
            if (i !in BytePatterns::other_counts)
            {
                # copy() gives each byte position its own table instead of a shared reference to tmp
                BytePatterns::other_counts[i] = copy(tmp);
            }
            if (bytei !in BytePatterns::other_counts[i])
            {
                BytePatterns::other_counts[i][bytei] = 0;
            }
            BytePatterns::other_counts[i][bytei] += 1;
            i += 1;
        }
    }
}
On 07/22/2016 01:50 PM, Ben Mixon-Baca wrote:
> Hi,
>
> I am trying to build a 2D histogram based on byte values in a TCP payload.
> I look at each byte independently, so I get 2^8 possible byte values,
> which I use as a row index. The first 256 or so bytes of the payload, as
> passed from the tcp_packet function, are where I get this, and the
> specific byte position in the payload is supposed to give me the column
> index. I initially was trying the following, with and without
> the SumStats framework. The code below is with SumStats:
>
> module BytePatterns;
>
> export {
> global other_counts: vector of table[string] of count;
> }
>
> <Stuff>
> $epoch_result(ts: time, key: SumStats::Key, result: SumStats::Result) =
> {
>     local tmp: table[string] of count;
>     if ("prefix" in result)
>     {
>         local i = 0;
>         local payload = SumStats::key2str(key);
>         for (bytei in payload)
>         {
>             bytei = string_to_ascii_hex(bytei);
>             if (i !in BytePatterns::other_counts)
>             {
>                 BytePatterns::other_counts[i] = tmp;
>             }
>             if (bytei !in BytePatterns::other_counts[i])
>             {
>                 BytePatterns::other_counts[i][bytei] = 0;
>             }
>             BytePatterns::other_counts[i][bytei] += 1;
>             i += 1;
>         }
>     }
> }
>
> <Stuff>
>
> event tcp_packet(c: connection, is_orig: bool, flags: string, seq: count,
>                  ack: count, len: count, payload: string)
> {
>     if (is_orig)
>     {
>         if (c$seen_syn == T)
>         {
>             c$acks += 1;
>             if (c$acks == 2 && len > 0)
>             {
>                 print fmt("%s", BytePatterns::eseen);
>                 SumStats::observe("prefix", [$str=payload], [$str=payload]);
>             }
>         }
>     }
> }
>
>
> Based on other state, this event should only be getting 3 payloads with
> a trace file I made for testing. The column sum should therefore be 3
> for all columns; however, when I run this code, I am getting
> significantly larger counts.
>
> I am wondering if the way I am adding tables to the other_counts data
> structure is somehow causing this behavior, or possibly something with
> the way I am using SumStats and it is not doing what I think it is.
>
> Thank you in advance.
>
--
Ben
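The cause found in this thread, a table stored by reference at every position instead of one table per position, is easy to reproduce outside Bro. The following is an added example in Python (not code from the thread or from the Bro project) that builds the same byte-value-by-position histogram over the first 256 bytes of each payload, once with the shared-reference bug and once with the deep-copy fix. The three payloads, the function names `build_histogram`, `column_sums` and `check_column_sums`, and the `PREFIX_LEN` constant are all constructed for this example.

```python
"""Byte-value x byte-position histogram, showing the shared-reference bug
from the thread and the deep-copy fix.  Added example (Python, not Bro
script); the sample payloads below are constructed, not captured."""
import copy

PREFIX_LEN = 256  # only the first 256 bytes of each payload are counted

# Constructed stand-ins for the first client data segment of three connections.
SAMPLE_PAYLOADS = [
    b"GET / HTTP/1.1\r\nHost: a\r\n\r\n",   # 27 bytes
    b"GET /x HTTP/1.1\r\nHost: b\r\n\r\n",  # 28 bytes
    b"\x16\x03\x01\x00\x05hello",            # 10 bytes
]


def build_histogram(payloads, deep_copy):
    """Return a list indexed by byte position; each entry maps the
    two-character hex of a byte value to how often it was seen there.

    deep_copy=False reproduces the bug in the original post: the same
    template table is stored at every position, so every position's
    increments land in one shared table.  deep_copy=True mirrors the
    Bro copy() fix, giving each position its own table."""
    tmp = {}            # the template table, as in the Bro script
    other_counts = []   # stands in for 'vector of table[string] of count'
    for payload in payloads:
        for i, value in enumerate(payload[:PREFIX_LEN]):
            bytei = "%02x" % value  # like string_to_ascii_hex on one byte
            if i >= len(other_counts):
                # bug: append tmp itself; fix: append an independent copy
                other_counts.append(copy.deepcopy(tmp) if deep_copy else tmp)
            other_counts[i][bytei] = other_counts[i].get(bytei, 0) + 1
    return other_counts


def column_sums(hist):
    """Total count stored at each byte position."""
    return [sum(col.values()) for col in hist]


def check_column_sums(hist, n_payloads):
    """Sanity check from the thread: a position cannot have been seen more
    times than there are payloads.  True when every column respects that."""
    return all(s <= n_payloads for s in column_sums(hist))


if __name__ == "__main__":
    for flag in (False, True):
        hist = build_histogram(SAMPLE_PAYLOADS, deep_copy=flag)
        print("deep_copy=%s: %d columns, sums %s, plausible=%s" % (
            flag, len(hist), column_sums(hist)[:4],
            check_column_sums(hist, len(SAMPLE_PAYLOADS))))
```

With the shared reference, every column reports the total number of bytes counted across all payloads (65 here), which is the "significantly larger counts" symptom; with the copy, column 0 sums to 3, and later columns sum to however many payloads were long enough to reach them. The `check_column_sums` guard is the kind of assertion worth keeping in the script while developing it, since it catches this class of aliasing bug immediately.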