[Bro] intel.log extra log

ps sunu pssunu6 at gmail.com
Wed Apr 12 22:49:52 PDT 2017 

Hi,

                 i need to generate intel log content into  separate logs
 , i generated except one field
i am not able to get "source" field into separate log, any idea tp do this


my main file
@load frameworks/intel/seen

redef Intel::read_files += {
fmt("%s/intel-1.dat", @DIR)
};

@load ./field.bro
#redef LogAscii::use_json=T;


event Intel::log_intel (rec: Intel::Info)


{
 #  Log::create_stream(Factor::LOG, [$columns=Factor::Info,
$path="intel_trigger"]);
    if ( rec$seen$where == HTTP::IN_HOST_HEADER )
                                        {
    #      print "ssss",rec$seen;


Log::write(Match::LOG,[$ts=network_time(),$uid=rec$seen$uid,$id=rec$seen$conn$id,$seen_indicator=rec$seen$indicator,$seen_indicator_type=rec$seen$indicator_type,$seen_where=rec$seen$where,$seen_node=rec$seen$node,$matched=rec$seen$indicator_type
]);
                        print "ssssssss",rec$seen;


}
}
event bro_init ()

{
    Log::create_stream(Match::LOG, [$columns=Match::Info,
$path="intel_tech"]);


    }


field.bro
module Match;

export {
    # Append the value LOG to the Log::ID enumerable.
    redef enum Log::ID += { LOG };

    type Type: enum {
                ## An IP address.
                ADDR,
                ## A complete URL without the prefix ``"http://"``.
                URL,
                ## Software name.
                SOFTWARE,
                ## Email address.
                EMAIL,
                ## DNS domain name.
                DOMAIN,
                ## A user name.
                USER_NAME,
                ## File hash which is non-hash type specific.  It's up to
the
                ## user to query for any relevant hash types.
                FILE_HASH,
                ## File name.  Typically with protocols with definite
                ## indications of a file name.
                FILE_NAME,
                ## Certificate SHA-1 hash.
                CERT_HASH,
                ## Public key MD5 hash. (SSH server host keys are a good
example.)
                PUBKEY_HASH,
        };

type Where: enum {
                ## A catchall value to represent data of unknown provenance.
                IN_ANYWHERE,
        };


    # Define a new type called Factor::Info.
    type Info: record {
          ts: time        &log;
          uid : string &log;
          id: conn_id     &log;
          seen_indicator: string &log;
          seen_indicator_type:  Type          &log &optional;
          seen_where : Where &log;
          seen_node : string &log;
         matched:Type        &log &optional;


        };
    }


i need  intel-1.dat file

www.reddit.com Intel::DOMAIN *my_special_source    -->> into source field *


*http://try.bro.org/#/trybro/saved/138000
<http://try.bro.org/#/trybro/saved/138000>*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170413/4ad31a42/attachment.html

More information about the Bro mailing list