[Bro] SumStats framework

Xu Zhang zhangxu1115 at gmail.com
Fri Jul 14 10:02:43 PDT 2017


Hi,
Just to make sure I understand correctly. So you are saying make a couple of
SumStats::create() calls, where each SumStats::create() has only one reducer.
Could you give an example of "looking at 'key' inside of the reducer, not
result"?
Thanks a lot!

On Fri, Jul 14, 2017 at 6:36 AM, Azoff, Justin S <jazoff at illinois.edu>
wrote:

>
> > On Jul 13, 2017, at 5:51 PM, Xu Zhang <zhangxu1115 at gmail.com> wrote:
> >
> > Hi Anthony,
> > I have not finished the whole script yet.
> > But basically it is
> > event bro_init()
> > {
> > local r: set[SumStats::Reducer];
> > local chellos = SumStats::Reducer($stream="client_hello_num",
> $apply=set(SumStats::SUM));
> > add r[chellos];
> > local shellos = SumStats::Reducer($stream="server_hello_num",
> $apply=set(SumStats::SUM));
> > add r[shellos];
> > ..... (a couple of other reducers )
> >
> > SumStats::create([$name = "ssl stats",
> >                               $epoch = 1hr,
> >                               $reducers = r,
> >                               $epoch_result(ts: time, key:
> SumStats::Key, result: SumStats::Result) =
> >                               {
> >                                if ("client_hello_num" in result)
> >                                      bla;
> >                                 if ("server_hello_num" in result)
> >                                      bla;
> >                                ......(a couple of IFs)
> >                               }]);
> > }
> >
>
> Yeah, it looks like you're making that a lot more complicated than it
> needs to be.  You just need a single stream and a single reducer.
>
> When you do the observations just do
>
>     SumStats::observe("ssl_events", [$str="client_hello"], [$num=1]);
>
> or
>
>     SumStats::observe("ssl_events", [$str="server_hello"], [$num=1]);
>
> etc
>
> and then look at 'key' inside of the reducer, not result.
>
>
>
> --
> - Justin Azoff
>
>


-- 
Sincerely,
Xu Zhang

