[Bro] intel.log extra log

ps sunu pssunu6 at gmail.com
Wed Apr 12 23:55:11 PDT 2017 

i solved the problem

On Thu, Apr 13, 2017 at 11:19 AM, ps sunu <pssunu6 at gmail.com> wrote:

> Hi,
>
>                  i need to generate intel log content into  separate logs
>  , i generated except one field
> i am not able to get "source" field into separate log, any idea tp do this
>
>
> my main file
> @load frameworks/intel/seen
>
> redef Intel::read_files += {
> fmt("%s/intel-1.dat", @DIR)
> };
>
> @load ./field.bro
> #redef LogAscii::use_json=T;
>
>
> event Intel::log_intel (rec: Intel::Info)
>
>
> {
>  #  Log::create_stream(Factor::LOG, [$columns=Factor::Info,
> $path="intel_trigger"]);
>     if ( rec$seen$where == HTTP::IN_HOST_HEADER )
>                                         {
>     #      print "ssss",rec$seen;
>
>                 Log::write(Match::LOG,[$ts=network_time(),$uid=rec$seen$
> uid,$id=rec$seen$conn$id,$seen_indicator=rec$seen$
> indicator,$seen_indicator_type=rec$seen$indicator_type,$
> seen_where=rec$seen$where,$seen_node=rec$seen$node,$
> matched=rec$seen$indicator_type ]);
>                         print "ssssssss",rec$seen;
>
>
> }
> }
> event bro_init ()
>
> {
>     Log::create_stream(Match::LOG, [$columns=Match::Info,
> $path="intel_tech"]);
>
>
>     }
>
>
> field.bro
> module Match;
>
> export {
>     # Append the value LOG to the Log::ID enumerable.
>     redef enum Log::ID += { LOG };
>
>     type Type: enum {
>                 ## An IP address.
>                 ADDR,
>                 ## A complete URL without the prefix ``"http://"``.
>                 URL,
>                 ## Software name.
>                 SOFTWARE,
>                 ## Email address.
>                 EMAIL,
>                 ## DNS domain name.
>                 DOMAIN,
>                 ## A user name.
>                 USER_NAME,
>                 ## File hash which is non-hash type specific.  It's up to
> the
>                 ## user to query for any relevant hash types.
>                 FILE_HASH,
>                 ## File name.  Typically with protocols with definite
>                 ## indications of a file name.
>                 FILE_NAME,
>                 ## Certificate SHA-1 hash.
>                 CERT_HASH,
>                 ## Public key MD5 hash. (SSH server host keys are a good
> example.)
>                 PUBKEY_HASH,
>         };
>
> type Where: enum {
>                 ## A catchall value to represent data of unknown
> provenance.
>                 IN_ANYWHERE,
>         };
>
>
>     # Define a new type called Factor::Info.
>     type Info: record {
>           ts: time        &log;
>           uid : string &log;
>           id: conn_id     &log;
>           seen_indicator: string &log;
>           seen_indicator_type:  Type          &log &optional;
>           seen_where : Where &log;
>           seen_node : string &log;
>          matched:Type        &log &optional;
>
>
>         };
>     }
>
>
> i need  intel-1.dat file
>
> www.reddit.com Intel::DOMAIN *my_special_source    -->> into source
> field *
>
>
> *http://try.bro.org/#/trybro/saved/138000
> <http://try.bro.org/#/trybro/saved/138000>*
>
>
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170413/0b8124bd/attachment-0001.html

More information about the Bro mailing list