[Bro] SumStats framework
zhangxu1115 at gmail.com
Thu Jul 13 14:51:40 PDT 2017
I have not finished the whole script yet. But basically it is:
event bro_init()
    {
    local r: set[SumStats::Reducer];
    # $apply is a required Reducer field; SUM is assumed here since the original lines were cut off after the stream name
    local chellos = SumStats::Reducer($stream="client_hello_num", $apply=set(SumStats::SUM));
    local shellos = SumStats::Reducer($stream="server_hello_num", $apply=set(SumStats::SUM));
    # ..... (a couple of other reducers)
    add r[chellos];
    add r[shellos];

    SumStats::create([$name = "ssl stats",
                      $epoch = 1hr,
                      $reducers = r,
                      $epoch_result(ts: time, key: SumStats::Key,
                                    result: SumStats::Result) =
                          {
                          # record the per-stream observation count for each feature that was seen this epoch
                          if ( "client_hello_num" in result )
                              local chello_n = result["client_hello_num"]$num;
                          if ( "server_hello_num" in result )
                              local shello_n = result["server_hello_num"]$num;
                          # ......(a couple of IFs)
                          }]);
    }
On Thu, Jul 13, 2017 at 2:40 PM, anthony kasza <anthony.kasza at gmail.com> wrote:
> Hi Xu,
> Can you share the script you've written?
> On Jul 13, 2017 10:52 AM, "Xu Zhang" <zhangxu1115 at gmail.com> wrote:
>> I'm using SumStats framework to record features in the SSL handshake
>> packets. There are lots of features (30+) I need to record and I created a
>> reducer for each feature. In the SumStats::create(), I check if
>> "feature_x" in result, and record result["feature_x"]$num. However, the
>> SumStats::create function looks absurdly long. My question is: is it more
>> efficient to break up the current SumStats::create function into multiple
>> (each only have one reducer), or is it better to keep the code I currently
>> have? Which one is faster?
>> Thanks a lot!
>> Xu Zhang
>> Bro mailing list
>> bro at bro-ids.org
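A complete version of the pattern the thread discusses, added here as an example rather than the poster's script: the per-feature stream names live in one set, the reducers are generated from that set, and $epoch_result walks the result table instead of testing each stream name with its own `if`. The module name, the `features` set and its two entries are assumptions, and the ssl_client_hello / ssl_server_hello handler signatures are those of Bro 2.5.

```bro
@load base/frameworks/sumstats
@load base/protocols/ssl

module SSLStats;

export {
    # Assumed: one stream name per SSL handshake feature to count.
    # The thread's script has 30+ of these; two are shown.
    const features: set[string] = { "client_hello_num", "server_hello_num" } &redef;
}

event bro_init()
    {
    # Build one reducer per feature instead of writing each by hand.
    local reducers: set[SumStats::Reducer] = set();
    for ( f in features )
        add reducers[SumStats::Reducer($stream=f, $apply=set(SumStats::SUM))];

    SumStats::create([$name = "ssl_stats",
                      $epoch = 1hr,
                      $reducers = reducers,
                      $epoch_result(ts: time, key: SumStats::Key, result: SumStats::Result) =
                          {
                          # result is a table[string] of ResultVal keyed by stream name,
                          # so iterating it covers every feature seen this epoch and
                          # replaces the chain of `if ( "x" in result )` checks.
                          for ( stream in result )
                              print fmt("%s host=%s %s: num=%d sum=%.0f",
                                        strftime("%Y-%m-%d %H:%M:%S", ts), key$host,
                                        stream, result[stream]$num, result[stream]$sum);
                          }]);
    }

# Each handshake message feeds one observation into its stream, keyed by client address.
event ssl_client_hello(c: connection, version: count, possible_ts: time,
                       client_random: string, session_id: string, ciphers: index_vec)
    {
    SumStats::observe("client_hello_num", [$host=c$id$orig_h], [$num=1]);
    }

event ssl_server_hello(c: connection, version: count, possible_ts: time,
                       server_random: string, session_id: string,
                       cipher: count, comp_method: count)
    {
    SumStats::observe("server_hello_num", [$host=c$id$orig_h], [$num=1]);
    }
```

Adding a feature then means adding its name to `features` and one observe() call in the matching event handler; the create() block does not grow.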