[Bro] intel log fields adding and processing

James Lay jlay at slave-tothe-box.net
Thu Jan 26 09:56:07 PST 2017


Care to share the completed script?

James

On 2017-01-26 10:53, ps sunu wrote:
> Thanks, I solved the problem
> 
> On Thu, Jan 26, 2017 at 2:09 PM, ps sunu <pssunu6 at gmail.com> wrote:
> 
>> Thanks
>> 
>> Now I need to write the if condition output into the
>> intel.log category field which I have added in intel.log.
>> 
>> My latest code:
>> 
>> @load frameworks/intel/seen
>> 
>> export {
>>     redef Intel::read_files += {
>>         fmt("%s/intel-1.dat", @DIR)
>>     };
>> 
>>     redef record Intel::Info += {
>>         category: string &optional &log;
>>         attribute: string &log &optional;
>>     };
>> }
>> 
>> event Intel::log_intel(rec: Intel::Info)
>>     {
>>     if ( rec$seen$where == HTTP::IN_HOST_HEADER )
>>         print "True";
>>     else
>>         print "False";
>> 
>>     print "rec$seen$where is", rec$seen$where;
>>     }
>> 
>> I need the if condition's "True" string in the intel.log category field.
>> Is it possible?
>> 
>> http://try.bro.org/#/trybro/saved/118899 [2]
>> 
>> Regards,
>> Sunu
>> 
>> On Thu, Jan 26, 2017 at 1:35 AM, Azoff, Justin S
>> <jazoff at illinois.edu> wrote:
>> 
>>>> On Jan 25, 2017, at 2:59 PM, ps sunu <pssunu6 at gmail.com> wrote:
>>>> 
>>>> Hi,
>>>> I have a script which will add one field in intel.log; that part is
>>>> working. Now I want to read the output from the intel.log seen.where
>>>> field. For example, if seen.where is HTTP::IN_HOST_HEADER, I need to
>>>> write "itsOk" into my new intel.log field.
>>>> 
>>>> The problem is I am not able to get the seen.where field output.
>>>> 
>>> 
>>> The main issue is that the log_intel event is called with an
>>> Intel::Info, not an Intel::Seen.
>>> 
>>> seen.where is the representation of the info record$seen$where
>>> field, so you need to do something like this:
>>> 
>>> event Intel::log_intel (rec: Intel::Info)
>>> {
>>> print "rec$seen$where is", rec$seen$where;
>>> }
>>> 
>>> http://try.bro.org/#/trybro/saved/118697 [1]
>>> 
>>> --
>>> - Justin Azoff
> 
> 
> 
> Links:
> ------
> [1] http://try.bro.org/#/trybro/saved/118697
> [2] http://try.bro.org/#/trybro/saved/118899
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
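One way to get the "itsOk" value into the new intel.log column, as an added example that is not code from this thread or from the Bro project. It assumes Bro 2.5 or later, which provides the Intel::extend_match hook, and the same intel-1.dat file name as Sunu's script; the hook runs inside the Intel framework before Log::write, whereas assigning to rec inside Intel::log_intel happens after the record has already been written:

```bro
# Added example (not from the thread). Requires Bro >= 2.5 for the
# Intel::extend_match hook. Fields set on `info` here are included in
# the intel.log line because the hook runs before Log::write; the
# Intel::log_intel event, by contrast, is queued by Log::write and runs
# only after the record has been serialized, so edits there never
# reach the log.
@load frameworks/intel/seen

export {
    # Assumed indicator file name, same as in the thread.
    redef Intel::read_files += {
        fmt("%s/intel-1.dat", @DIR)
    };

    redef record Intel::Info += {
        ## Classification of where the indicator matched.
        category:  string &optional &log;
        ## Extra detail about the match, e.g. how many items hit.
        attribute: string &optional &log;
    };
}

# `s$where` is the same value that shows up in the seen.where column.
# Not calling `break` here means logging of the match proceeds.
hook Intel::extend_match(info: Intel::Info, s: Intel::Seen, items: set[Intel::Item])
    {
    if ( s$where == HTTP::IN_HOST_HEADER )
        info$category = "itsOk";
    else
        info$category = "other";

    info$attribute = fmt("%d matching intel item(s)", |items|);
    }
```

Running `bro -r some.pcap` together with this script and an intel-1.dat containing a DOMAIN indicator seen in an HTTP Host header yields an intel.log row whose category column reads itsOk.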

