[Bro] SumStats framework
Azoff, Justin S
jazoff at illinois.edu
Fri Jul 14 10:35:05 PDT 2017
> On Jul 14, 2017, at 1:02 PM, Xu Zhang <zhangxu1115 at gmail.com> wrote:
>
> Hi,
> Just to make sure I understand correctly. So you are saying make a couple of SumStats::create(), each SumStats::create() has only one reducer.
> Could you give an example of "looking at 'key' inside of the reducer, not result"?
> Thanks a lot!
No. I'm saying that you should have a single create.
By looking at the key I mean use the 'key' variable that is present in the epoch_result function.
Attached is a script I wrote a few years ago. It lets you track arbitrary statistics using sumstats - but it should only be used for a finite number of 'key' values... 1-500 keys would be ok... using something like an id.orig_h as a key will break sumstats.
To use it you can just do
# Count every TLS ServerHello; StatMetrics::increment() is defined in the attached stat_metrics.bro
event ssl_server_hello(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count)
    {
    StatMetrics::increment("server_hello", 1);
    }

# Count every TLS ClientHello the same way, under its own metric name
event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec)
    {
    StatMetrics::increment("client_hello", 1);
    }
--
- Justin Azoff
-------------- next part --------------
A non-text attachment was scrubbed...
Name: stat_metrics.bro
Type: application/octet-stream
Size: 1558 bytes
Desc: stat_metrics.bro
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170714/449aec53/attachment.obj
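Added example, not the attached stat_metrics.bro (which the archive scrubbed) and not Justin's code: a reconstruction of the approach the reply describes, namely one SumStats::create() with a single reducer, where the metric name travels in the SumStats::Key and the epoch_result callback dispatches on key$str. The module name StatMetrics, the stream name "stat_metrics", the 1 min epoch and the StatMetrics::metric event are assumptions; the event-handler syntax is Bro 2.5 (bro_init). As the reply notes, keep the set of names small and fixed, since every distinct key becomes its own SumStats entry.

```zeek
# Added example; assumptions: module name StatMetrics, stream name "stat_metrics",
# 1 min epoch, StatMetrics::metric event. Bro 2.5 syntax.
@load base/frameworks/sumstats

module StatMetrics;

export {
    ## Add `amount` to the named counter. Use a small, fixed set of names
    ## (e.g. "client_hello", "server_hello"); a high-cardinality value such as
    ## an address must not be used as the name.
    global increment: function(name: string, amount: count);

    ## Raised once per epoch for each name observed during that epoch.
    global metric: event(ts: time, name: string, total: double);
}

function increment(name: string, amount: count)
    {
    # The metric name is the key; the amount is the observation. One stream,
    # one reducer, arbitrary names.
    SumStats::observe("stat_metrics",
                      SumStats::Key($str=name),
                      SumStats::Observation($num=amount));
    }

event bro_init()
    {
    local r = SumStats::Reducer($stream="stat_metrics",
                                $apply=set(SumStats::SUM));

    SumStats::create([$name="stat_metrics_totals",
                      $epoch=1min,
                      $reducers=set(r),
                      $epoch_result(ts: time, key: SumStats::Key, result: SumStats::Result) =
                          {
                          # epoch_result runs once per key; the name is in
                          # key$str and the summed amount in the ResultVal.
                          local total = result["stat_metrics"]$sum;
                          event StatMetrics::metric(ts, key$str, total);
                          }]);
    }

# Consumer of the per-epoch totals; a real deployment would write a log
# or raise a notice here instead of printing.
event StatMetrics::metric(ts: time, name: string, total: double)
    {
    print fmt("%s %s = %.0f", strftime("%Y-%m-%d %H:%M:%S", ts), name, total);
    }

# Usage: call increment() from any event handler with a fixed metric name.
event connection_established(c: connection)
    {
    StatMetrics::increment("connection_established", 1);
    }
```

Because all names share one stream and one reducer, adding a new counter is just a new increment() call with a new literal name; nothing in the SumStats setup changes.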