[Bro] intel log fields adding and processing

ps sunu pssunu6 at gmail.com
Thu Jan 26 00:39:30 PST 2017


Thanks.

Now I need to write the if-condition output into the Intel.log category
field which I have added in intel.log.

My latest code:


@load frameworks/intel/seen

export {
    redef Intel::read_files += {
        fmt("%s/intel-1.dat", @DIR)
    };

    # Extra columns added to intel.log
    redef record Intel::Info += {
        category:  string &optional &log;
        attribute: string &log &optional;
    };
}

event Intel::log_intel(rec: Intel::Info)
    {
    if ( rec$seen$where == HTTP::IN_HOST_HEADER )
        print "True";
    else
        print "False";

    print "rec$seen$where is", rec$seen$where;
    }

I need the if-condition's "True" string written into the intel.log category
field. Is it possible?

http://try.bro.org/#/trybro/saved/118899



Regards,
Sunu

On Thu, Jan 26, 2017 at 1:35 AM, Azoff, Justin S <jazoff at illinois.edu>
wrote:

>
> > On Jan 25, 2017, at 2:59 PM, ps sunu <pssunu6 at gmail.com> wrote:
> >
> > Hi,
> > I have a script which will add one field to intel.log; that part is
> > working. Now I want to read the output from the intel.log seen.where
> > field. For example, if seen.where is HTTP::IN_HOST_HEADER, I need to
> > write "itsOk" into my new intel.log field.
> >
> > The problem is that I am not able to get the seen.where field output.
> >
>
> The main issue is that the log_intel event is called with an Intel::Info,
> not an Intel::Seen.
>
> seen.where is the representation of the info record$seen$where field, so
> you need to do something like this:
>
> event Intel::log_intel(rec: Intel::Info)
>     {
>     print "rec$seen$where is", rec$seen$where;
>     }
>
> http://try.bro.org/#/trybro/saved/118697
>
>
>
> --
> - Justin Azoff
>
>
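An added example, not code from the thread or from the Bro project, showing one way to get the "True"/"False" result into the intel.log category field. It assumes Bro 2.5 or later, where the Intel::extend_match hook exists; the module name IntelCategory is a placeholder, and the intel-1.dat path is the one from the posted script. The caveat it works around: as far as I can tell from the logging framework, Intel::log_intel is the log stream's $ev event, which is raised for a record that has already been handed to the log writer, so assigning rec$category inside that handler does not change what reaches intel.log. The hook below runs on the Info record before Intel::match calls Log::write, which is why the assignment is visible in the log.

```zeek
# Added example (not from the thread): populate custom intel.log columns
# from Intel::extend_match instead of Intel::log_intel.
# Assumes Bro 2.5 or later (Intel::extend_match was not in older releases).

@load base/frameworks/intel
@load frameworks/intel/seen

module IntelCategory;   # hypothetical module name, chosen for this example

export {
    ## Same intel file as in the thread; path is relative to this script.
    redef Intel::read_files += { fmt("%s/intel-1.dat", @DIR) };

    ## Extra columns for intel.log. Both are &optional so a record that
    ## never gets a value is logged as "-" rather than raising an error.
    redef record Intel::Info += {
        category:  string &log &optional;
        attribute: string &log &optional;
    };
}

# The hook receives the Info record that Intel::match is about to write,
# together with the Seen record and the matching Item records. Fields set
# here are present in the intel.log line; doing the same assignment in
# Intel::log_intel is too late, because that event is raised for a record
# that has already gone to the writer.
hook Intel::extend_match(info: Intel::Info, s: Intel::Seen,
                         items: set[Intel::Item])
    {
    # The condition from the thread: was the hit in an HTTP Host header?
    if ( s$where == HTTP::IN_HOST_HEADER )
        info$category = "True";
    else
        info$category = "False";

    # Also fill the second custom column from the intel data itself:
    # copy the description of the first matching item, if the intel file
    # supplied one (meta.desc is optional in the Intel::MetaData record).
    for ( item in items )
        {
        if ( item$meta?$desc )
            {
            info$attribute = item$meta$desc;
            break;
            }
        }
    }
```

Run it the same way as the posted script (`bro -r trace.pcap this-script.bro` with intel-1.dat next to it); the resulting intel.log gains a `category` column holding True or False per hit, and `attribute` holds the indicator's meta.desc when the intel file has one.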

