[Bro] intel log fields adding and processing
James Lay
jlay at slave-tothe-box.net
Thu Jan 26 09:56:07 PST 2017
Care to share the completed script?
James
On 2017-01-26 10:53, ps sunu wrote:
> Thanks, I solved the problem.
>
> On Thu, Jan 26, 2017 at 2:09 PM, ps sunu <pssunu6 at gmail.com> wrote:
>
>> Thanks
>>
>> Now I need to write the if condition output into the
>> Intel.log category field which I have added in intel.log.
>>
>> My latest code:
>>
>> @load frameworks/intel/seen
>>
>> export {
>>
>>     redef Intel::read_files += {
>>         fmt("%s/intel-1.dat", @DIR)
>>     };
>>
>>     # Extra columns added to intel.log
>>     redef record Intel::Info += {
>>         category: string &optional &log;
>>         attribute: string &log &optional;
>>     };
>> }
>>
>> event Intel::log_intel (rec: Intel::Info)
>>     {
>>     if ( rec$seen$where == HTTP::IN_HOST_HEADER )
>>         {
>>         print "True";
>>         }
>>     else
>>         {
>>         print "False";
>>         }
>>
>>     print "rec$seen$where is", rec$seen$where;
>>     }
>>
>> I need the if condition's "True" string written into the intel.log category field.
>> Is it possible?
>>
>> http://try.bro.org/#/trybro/saved/118899 [2]
>>
>> Regards,
>> Sunu
>>
>> On Thu, Jan 26, 2017 at 1:35 AM, Azoff, Justin S
>> <jazoff at illinois.edu> wrote:
>>
>>>> On Jan 25, 2017, at 2:59 PM, ps sunu <pssunu6 at gmail.com> wrote:
>>>>
>>>> Hi,
>>>> I have a script which will add one field
>>>> in intel.log; that part is working.
>>>> Now I want to read the output from the intel.log seen.where field,
>>>> for example if seen.where is HTTP::IN_HOST_HEADER then I need to
>>>> write "itsOk" into my intel.log new field.
>>>>
>>>> The problem is I am not able to get the seen.where field
>>>> output.
>>>>
>>>
>>> The main issue is that the log_intel event is called with an
>>> Intel::Info, not an Intel::Seen.
>>>
>>> seen.where is the representation of the info record$seen$where
>>> field, so you need to do something like this:
>>>
>>> event Intel::log_intel (rec: Intel::Info)
>>> {
>>> print "rec$seen$where is", rec$seen$where;
>>> }
>>>
>>> http://try.bro.org/#/trybro/saved/118697 [1]
>>>
>>> --
>>> - Justin Azoff
>
>
>
> Links:
> ------
> [1] http://try.bro.org/#/trybro/saved/118697
> [2] http://try.bro.org/#/trybro/saved/118899
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
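The script Sunu was asked to share is not in the thread. The following is an added example (not code from any participant) of one way to populate a custom intel.log column from where the indicator was seen. It assumes Bro 2.5 or later, where the Intel framework provides the Intel::extend_match hook, and reuses the intel-1.dat file name and the category field from the thread.

```bro
# Added example, not from the thread. Assumes Bro 2.5+ (Intel::extend_match hook);
# the intel file name and the category field follow the thread's script.
@load frameworks/intel/seen

redef Intel::read_files += {
    fmt("%s/intel-1.dat", @DIR)
};

export {
    redef record Intel::Info += {
        ## Filled per match from the location the indicator was seen in.
        category: string &optional &log;
    };
}

# Runs for every intel match before the Intel::Info record is handed to
# Log::write, so a field assigned here shows up in the intel.log line.
# Assigning it from an Intel::log_intel handler is too late for the write.
hook Intel::extend_match(info: Intel::Info, s: Intel::Seen, items: set[Intel::Item])
    {
    if ( s$where == HTTP::IN_HOST_HEADER )
        info$category = "itsOk";
    else
        info$category = fmt("seen_in_%s", s$where);
    }

# log_intel still fires once the record has been logged; use it for reading
# or further reporting, not for filling log columns.
event Intel::log_intel(rec: Intel::Info)
    {
    if ( rec?$category )
        print fmt("intel match at %s, category %s", rec$seen$where, rec$category);
    }
```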