[Bro] intel log fields adding and processing

ps sunu pssunu6 at gmail.com
Thu Jan 26 09:53:11 PST 2017


Thanks, I solved the problem.



On Thu, Jan 26, 2017 at 2:09 PM, ps sunu <pssunu6 at gmail.com> wrote:

> Thanks
>
>             Now I need to write the if-condition output into the Intel.log
>  category field which I have added in intel.log.
>
> my latest code
>
>
> @load frameworks/intel/seen
>
> export {
>
>     redef Intel::read_files += {
>         fmt("%s/intel-1.dat", @DIR)
>     };
>
>     redef record Intel::Info += {
>         category: string &optional &log;
>         attribute: string &log &optional;
>     };
> }
>
> event Intel::log_intel (rec: Intel::Info)
> {
>     if ( rec$seen$where == HTTP::IN_HOST_HEADER )
>     {
>         print "True";
>     }
>     else
>     {
>         print "False";
>     }
>
>     print "rec$seen$where is", rec$seen$where;
> }
>
>        I need the if-condition "True" string in the intel.log category field. Is it
> possible?
>
> http://try.bro.org/#/trybro/saved/118899
>
>
>
> Regards,
> Sunu
>
> On Thu, Jan 26, 2017 at 1:35 AM, Azoff, Justin S <jazoff at illinois.edu>
> wrote:
>
>>
>> > On Jan 25, 2017, at 2:59 PM, ps sunu <pssunu6 at gmail.com> wrote:
>> >
>> > Hi,
>> >                       I have a script which will add one field in
>> intel.log; that part is working.
>> > Now I want to read the output from the intel.log seen.where field. For example,
>> if seen.where is HTTP::IN_HOST_HEADER, I need to write "itsOk" into my
>> intel.log new field.
>> >
>> >          The problem is I am not able to get the seen.where field output.
>> >
>>
>> The main issue is that the log_intel event is called with an Intel::Info,
>> not an Intel::Seen.
>>
>> seen.where is the representation of the info record$seen$where field, so
>> you need to do something like this:
>>
>> event Intel::log_intel (rec: Intel::Info)
>> {
>>     print "rec$seen$where is", rec$seen$where;
>> }
>>
>> http://try.bro.org/#/trybro/saved/118697
>>
>>
>>
>> --
>> - Justin Azoff
>>
>>
>
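One way to get the per-match result into the new intel.log column, written as an added example rather than code from Sunu or Justin: the stream's log event (Intel::log_intel) is raised for each record, but by the time the handler runs the record has already been handed to the log writers, so assigning rec$category there is observable in print output only and never reaches the file. The intel framework in Bro 2.5 and later exposes the Intel::extend_match hook, which runs before Log::write for the match and receives the Info record that is about to be logged; assigning into that record does change what lands in intel.log. The hook name and signature, the intel-1.dat file and the "True"/"False" strings are taken from the thread and from Bro 2.5's frameworks/intel/main.bro; if your Bro is older than 2.5, the hook does not exist and this assumption does not hold.

```bro
@load frameworks/intel/seen

export {
    # Same feed as in the thread.
    redef Intel::read_files += {
        fmt("%s/intel-1.dat", @DIR)
    };

    # The extra column that should carry the if-condition result.
    redef record Intel::Info += {
        category: string &optional &log;
    };
}

# Assumed: Bro 2.5's Intel::extend_match hook. Records are passed by
# reference, so fields set on `info` here are what Log::write sees.
hook Intel::extend_match(info: Intel::Info, s: Intel::Seen, items: set[Intel::Item])
{
    # `s` is the Seen record for this match; `where` is the Intel::Where
    # enum value that the HTTP analyzer reported.
    if ( s$where == HTTP::IN_HOST_HEADER )
        info$category = "True";
    else
        info$category = "False";
}

# Still useful for checking the result, but only for observation: changes
# made to `rec` in this handler do not reach intel.log.
event Intel::log_intel(rec: Intel::Info)
{
    print fmt("seen.where=%s category=%s", rec$seen$where,
              rec?$category ? rec$category : "<unset>");
}
```

Run it against the same pcap used on try.bro.org; the category column of intel.log should read True for host-header hits and False for every other match location, while the print line confirms the value that was logged.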