[Bro] SumStats framework

Azoff, Justin S jazoff at illinois.edu
Fri Jul 14 11:30:42 PDT 2017


> On Jul 14, 2017, at 2:26 PM, Xu Zhang <zhangxu1115 at gmail.com> wrote:
> 
> Sorry I did not provide enough information for my problem. Your approach would work for client hello and server hello. But for other features, I need to record the value, for example:
> event ssl_server_hello(...)
> {
> SumStats::observe("server_hello_version",[$str=SSL::version_strings[version]],[$num=1]);  
> }
> I'm using the key field to keep the actual value of that feature. So I cannot reuse the same reducer "ssl_events" because it will lose the actual value of that feature.
> SumStats::observe("ssl_events",[$str="server_hello_version"],[$num=1]);  

For a small number of values like this you can just set the string to

fmt("server_hello_version.%s", SSL::version_strings[version])

and then you'll get counts of

server_hello_version.SSLv3
server_hello_version.TLSv13

etc.




-- 
- Justin Azoff
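
The suggestion above written out as a complete script, as an added example that is not part of the original message. It assumes the Bro 2.5 signature of ssl_server_hello; the SumStats name "ssl_events.counts", the 5 minute epoch and the printed output format are choices made for the example.

```bro
# Added example: one "ssl_events" reducer counts every feature, with the
# feature name and its observed value joined into the key string.
@load base/frameworks/sumstats
@load base/protocols/ssl

event bro_init()
    {
    local r1 = SumStats::Reducer($stream="ssl_events", $apply=set(SumStats::SUM));

    SumStats::create([$name="ssl_events.counts",   # name chosen for this example
                      $epoch=5min,                  # epoch chosen for this example
                      $reducers=set(r1),
                      $epoch_result(ts: time, key: SumStats::Key, result: SumStats::Result) =
                          {
                          # Keys look like "server_hello_version.TLSv12". Split at the
                          # first dot only; the strings in SSL::version_strings
                          # contain no dots, so the value comes back intact.
                          local parts = split_string1(key$str, /\./);
                          local value = |parts| > 1 ? parts[1] : "-";
                          print fmt("%s feature=%s value=%s count=%.0f",
                                    strftime("%Y-%m-%dT%H:%M:%S", ts),
                                    parts[0], value, result["ssl_events"]$sum);
                          }]);
    }

# Bro 2.5 signature (assumption); later releases changed the parameter list.
event ssl_server_hello(c: connection, version: count, possible_ts: time,
                       server_random: string, session_id: string,
                       cipher: count, comp_method: count)
    {
    # One observation per server hello. Each distinct key is counted
    # separately, so keep the set of possible values small.
    SumStats::observe("ssl_events",
                      [$str=fmt("server_hello_version.%s", SSL::version_strings[version])],
                      [$num=1]);
    }
```

Other features can observe into the same "ssl_events" stream with their own prefix, as long as the number of distinct values stays small.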



