[Bro] SumStats framework
Azoff, Justin S
jazoff at illinois.edu
Fri Jul 14 06:36:03 PDT 2017
> On Jul 13, 2017, at 5:51 PM, Xu Zhang <zhangxu1115 at gmail.com> wrote:
>
> Hi Anthony,
> I have not finished the whole script yet.
> But basically it is
> event bro_init()
> {
> local r: set[SumStats::Reducer];
> local chellos = SumStats::Reducer($stream="client_hello_num", $apply=set(SumStats::SUM));
> add r[chellos];
> local shellos = SumStats::Reducer($stream="server_hello_num", $apply=set(SumStats::SUM));
> add r[shellos];
> ..... (a couple of other reducers )
>
> SumStats::create([$name = "ssl stats",
> $epoch = 1hr,
> $reducers = r,
> $epoch_result(ts: time, key: SumStats::Key, result: SumStats::Result) =
> {
> if ("client_hello_num" in result)
> bla;
> if ("server_hello_num" in result)
> bla;
> ......(a couple of IFs)
> }]);
> }
>
Yeah, it looks like you're making that a lot more complicated than it needs to be. You just need a single stream and a single reducer.
When you do the observations just do
SumStats::observe("ssl_events", [$str="client_hello"], [$num=1]);
or
SumStats::observe("ssl_events", [$str="server_hello"], [$num=1]);
etc.
and then look at 'key' inside of the reducer, not result.
--
- Justin Azoff