[Bro] intel log fields adding and processing
ps sunu
pssunu6 at gmail.com
Thu Jan 26 00:39:30 PST 2017
Thanks.
Now I need to write the if condition output into the intel.log category field which I have added in intel.log.
My latest code:
@load frameworks/intel/seen

export {
    redef Intel::read_files += {
        fmt("%s/intel-1.dat", @DIR)
    };

    # Extra columns added to intel.log
    redef record Intel::Info += {
        category:  string &optional &log;
        attribute: string &log &optional;
    };
}

# Fires for every record written to intel.log
event Intel::log_intel(rec: Intel::Info)
    {
    if ( rec$seen$where == HTTP::IN_HOST_HEADER )
        {
        print "True";
        }
    else
        {
        print "False";
        }

    print "rec$seen$where is", rec$seen$where;
    }
I need the if condition's "True" string written into the intel.log category field. Is it
possible?
http://try.bro.org/#/trybro/saved/118899
Regards,
Sunu
On Thu, Jan 26, 2017 at 1:35 AM, Azoff, Justin S <jazoff at illinois.edu>
wrote:
>
> > On Jan 25, 2017, at 2:59 PM, ps sunu <pssunu6 at gmail.com> wrote:
> >
> > Hi,
> > I have a script which will add one field in
> > intel.log; that part is working.
> > Now I want to read the output from the intel.log seen.where field, for example
> > if seen.where is HTTP::IN_HOST_HEADER I need to write "itsOk" into my
> > intel.log new field.
> >
> > The problem is I am not able to get the seen.where field output.
> >
>
> The main issue is that the log_intel event is called with an Intel::Info,
> not an Intel::Seen.
>
> seen.where is the representation of the info record$seen$where field, so
> you need to do something like this:
>
> event Intel::log_intel (rec: Intel::Info)
>     {
>     print "rec$seen$where is", rec$seen$where;
>     }
>
> http://try.bro.org/#/trybro/saved/118697
>
>
>
> --
> - Justin Azoff
>
>
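An added example, not code from either poster, showing how to get the "True"/"itsOk" label into the new intel.log column: Intel::log_intel is queued while the record is already being handed to the log writers, so assigning rec$category inside that handler does not change the written line. It assumes Bro 2.5 or later, where the Intel framework provides the Intel::extend_match hook that runs before Log::write; the intel-1.dat path and the "itsOk"/"other" labels are carried over from the thread as assumptions.

```bro
@load frameworks/intel/seen

export {
    redef Intel::read_files += {
        fmt("%s/intel-1.dat", @DIR)   # assumed indicator file from the thread
    };

    # Extra columns added to intel.log (same names as in the thread)
    redef record Intel::Info += {
        category:  string &log &optional;
        attribute: string &log &optional;
    };
}

# Bro 2.5+: this hook runs inside the default Intel::match handler, just before
# Log::write(Intel::LOG, info), so fields set here end up in intel.log.
hook Intel::extend_match(info: Intel::Info, s: Intel::Seen, items: set[Intel::Item])
    {
    # Label hits on the HTTP Host header; everything else gets "other"
    if ( s$where == HTTP::IN_HOST_HEADER )
        info$category = "itsOk";
    else
        info$category = "other";

    # Record how many intel items matched this observation
    info$attribute = fmt("%d item(s) matched", |items|);
    }

# Sanity check: read the columns back as they reach the writer
event Intel::log_intel(rec: Intel::Info)
    {
    if ( rec?$category )
        print fmt("intel hit at %s -> category=%s", rec$seen$where, rec$category);
    }
```

If the category column stays empty, check that the running version exposes Intel::extend_match (older releases only offer the Intel::match event, which does not carry the Info record).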