[Bro] intel log fields adding and processing
Azoff, Justin S
jazoff at illinois.edu
Wed Jan 25 12:05:39 PST 2017
> On Jan 25, 2017, at 2:59 PM, ps sunu <pssunu6 at gmail.com> wrote:
>
> Hi,
> I have a script which adds one field to intel.log, and that part is working.
> Now I want to read the seen.where field from the intel.log output; for example, if seen.where is HTTP::IN_HOST_HEADER, I need to write "itsOk" into my new intel.log field.
>
> The problem is that I am not able to get the seen.where field output.
>
The main issue is that the log_intel event is called with an Intel::Info, not an Intel::Seen.
seen.where is the log representation of the Info record's $seen$where field, so you need to do something like this:
event Intel::log_intel(rec: Intel::Info)
	{
	# rec is the Intel::Info record being logged; the nested Seen record
	# holds the match location, which appears in intel.log as seen.where.
	print "rec$seen$where is", rec$seen$where;
	}
http://try.bro.org/#/trybro/saved/118697
--
- Justin Azoff
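As an added example that is not part of the original thread, the following script does what the question asks for: it adds a column to intel.log and sets it to "itsOk" whenever the match location is HTTP::IN_HOST_HEADER. The module name IntelNote, the field name note and the marker string are assumptions for illustration; Intel::Info, Intel::Seen, Intel::Item, HTTP::IN_HOST_HEADER and the Intel::extend_match hook (present in Bro 2.5 and later) are the framework's own names.

```bro
# Added example, not code from the original post. Assumed names:
# module IntelNote, field "note", marker "itsOk".
@load base/frameworks/intel
# Provides the HTTP::IN_HOST_HEADER value of Intel::Where.
@load frameworks/intel/seen

module IntelNote;

# Extend the logged record; &log turns the field into an intel.log column,
# &optional lets it stay empty ("-") for matches that do not set it.
redef record Intel::Info += {
	note: string &optional &log;
};

# Intel::extend_match runs synchronously inside the Intel::match handler,
# right before Log::write(Intel::LOG, info), so assignments made here end
# up in the written line. An Intel::log_intel handler, by contrast, is
# queued by the logging framework and runs after the row has already been
# handed to the writers, which is why it is fine for reading rec$seen$where
# but too late for changing what gets logged.
hook Intel::extend_match(info: Intel::Info, s: Intel::Seen, items: set[Intel::Item])
	{
	# s is the same record as info$seen; either path reaches the location.
	if ( s$where == HTTP::IN_HOST_HEADER )
		info$note = "itsOk";
	}

# Reading the result after the fact, as in the reply above.
event Intel::log_intel(rec: Intel::Info)
	{
	if ( rec?$note )
		print fmt("%s matched in %s, note=%s", rec$seen$indicator, rec$seen$where, rec$note);
	}
```

Load the script from local.bro (or pass it on the bro command line) alongside an intel file containing a DOMAIN indicator; a request whose Host header matches the indicator then produces an intel.log row with seen.where set to HTTP::IN_HOST_HEADER and the note column set to itsOk, while other match locations leave the column as "-". If a hook handler needs to suppress the log entry entirely, it can `break`, which makes the hook return false and skips the Log::write.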