[Bro] SumStats framework

Azoff, Justin S jazoff at illinois.edu
Fri Jul 14 10:35:05 PDT 2017

> On Jul 14, 2017, at 1:02 PM, Xu Zhang <zhangxu1115 at gmail.com> wrote:
> Hi,
> Just to make sure I understand correctly: so you are saying make a couple of SumStats::create() calls, each SumStats::create() having only one reducer?
> Could you give an example of "looking at 'key' inside of the reducer, not result"?
> Thanks a lot!

No.. I'm saying that you should have a single create.

By looking at the key I mean use the 'key' variable that is present in the epoch_result function.

Attached is a script I wrote a few years ago.  It lets you track arbitrary statistics using sumstats, but it should only be used for a finite number of 'key' values... 1-500 keys would be ok.  Using something like id.orig_h as a key will break sumstats.

To use it you can just do:

event ssl_server_hello(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count)
    {
    StatMetrics::increment("server_hello", 1);
    }

event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec)
    {
    StatMetrics::increment("client_hello", 1);
    }


- Justin Azoff

-------------- next part --------------
A non-text attachment was scrubbed...
Name: stat_metrics.bro
Type: application/octet-stream
Size: 1558 bytes
Desc: stat_metrics.bro
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170714/449aec53/attachment.obj 
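As an added example (this is not the stat_metrics.bro attached to the message, and not part of the original thread), here is a StatMetrics module written along the lines Justin describes: a single SumStats::create() with one reducer, and an epoch_result callback that tells the counters apart by looking at 'key'. The stream name "stat_metrics", the 1 min epoch, and the max_keys limit that enforces the "finite number of keys" caveat are assumptions chosen for this example; only the module name and the StatMetrics::increment(key, val) signature come from the message.

```bro
# Added example (not the stat_metrics.bro attached to the message): a minimal
# StatMetrics module on top of the Bro SumStats framework. One SumStats::create()
# call, one reducer; the epoch_result callback distinguishes counters by 'key'.
# The stream name "stat_metrics", the epoch length and max_keys are assumed values.

@load base/frameworks/sumstats

module StatMetrics;

export {
    ## Length of each reporting epoch (assumed value).
    const epoch = 1min &redef;

    ## SumStats keeps one in-memory entry per distinct key, so the key space
    ## must stay small; the message suggests a few hundred keys at most.
    const max_keys = 500 &redef;

    ## Add `val` to the counter named `key`.
    global increment: function(key: string, val: count);
}

# Keys seen so far, used only to enforce max_keys.
global known_keys: set[string];

event bro_init()
    {
    # A single reducer that sums the observed values per key.
    local r = SumStats::Reducer($stream="stat_metrics", $apply=set(SumStats::SUM));

    SumStats::create([$name="stat_metrics",
                      $epoch=epoch,
                      $reducers=set(r),
                      # Called once per key at the end of every epoch; the
                      # key tells us which counter this result belongs to.
                      $epoch_result(ts: time, key: SumStats::Key, result: SumStats::Result) =
                          {
                          local rv = result["stat_metrics"];
                          print fmt("%D %s = %.0f (%d observations)",
                                    ts, key$str, rv$sum, rv$num);
                          }]);
    }

function increment(key: string, val: count)
    {
    # Refuse to grow the key space past max_keys instead of letting an
    # unbounded key (such as a client address) exhaust memory in SumStats.
    if ( key !in known_keys )
        {
        if ( |known_keys| >= max_keys )
            {
            Reporter::warning(fmt("StatMetrics: refusing new key '%s', max_keys=%d reached",
                                  key, max_keys));
            return;
            }
        add known_keys[key];
        }

    SumStats::observe("stat_metrics", [$str=key], [$num=val]);
    }

# Usage, as in the message: count SSL server hellos per epoch.
event ssl_server_hello(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count)
    {
    increment("server_hello", 1);
    }
```

Every counter shares the one stream, so adding a new metric is just a new string passed to increment(); the per-key result arrives in epoch_result with key$str set to that string. The max_keys guard is the practical form of the warning in the message: if a high-cardinality value such as id.orig_h is ever passed as a key, the module logs a reporter warning and drops the observation rather than growing without bound.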
