[Bro] SumStats framework

Xu Zhang zhangxu1115 at gmail.com
Fri Jul 14 12:54:07 PDT 2017


Hi Justin,

I rewrote my code as you suggested. It works great and reduces more than
100 lines. Thanks a lot!
Now I just need to pay attention to the number of possible values for each
feature (str$key). I assume some values may be more than 500, for example,
possible ssl_extensions or cipher suites.


On Fri, Jul 14, 2017 at 11:30 AM, Azoff, Justin S <jazoff at illinois.edu>
wrote:

>
> > On Jul 14, 2017, at 2:26 PM, Xu Zhang <zhangxu1115 at gmail.com> wrote:
> >
> > Sorry I did not provide enough information for my problem. Your approach
> > would work for client hello and server hello. But for other features, I
> > need to record the value: for example
> > event ssl_server_hello(...)
> > {
> > SumStats::observe("server_hello_version",[$str=SSL::version_strings[version]],[$num=1]);
> > }
> > I'm using the key field to keep the actual value of that feature. So I
> > cannot reuse the same reducer "ssl_events" because it will lose the actual
> > value of that feature.
> > SumStats::observe("ssl_events",[$str="server_hello_version"],[$num=1]);
>
> For a small number of values like this you can just set the string to
>
> fmt("server_hello_version.%s", SSL::version_strings[version])
>
> and then you'll get counts of
>
> server_hello_version.SSLv3
> server_hello_version.TLSv13
>
> etc.
>
>
>
>
> --
> - Justin Azoff
>
>


-- 
Sincerely,
Xu Zhang
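The pattern the thread converges on, written out as a complete script (an added example, not code from Xu or Justin): a single "ssl_events" stream whose key string carries both the feature name and its observed value, so every SSL feature shares one reducer and the epoch report splits the key back apart. It assumes the Bro 2.5-era signatures of ssl_server_hello and ssl_extension and the SSL::version_strings, SSL::cipher_desc and SSL::extensions tables from base/protocols/ssl/consts.bro; the module name, the epoch_len constant and the observe_feature helper are this example's own.

```bro
# Added example: one shared SumStats reducer, feature name and value folded
# into the key, as suggested in the thread. Assumes Bro 2.5 event signatures.
@load base/frameworks/sumstats
@load base/protocols/ssl

module SSLFeatureCounts;

export {
    ## How often the per-key counts are reported (example's own knob).
    const epoch_len = 1hr &redef;
}

event bro_init()
    {
    local r = SumStats::Reducer($stream="ssl_events", $apply=set(SumStats::SUM));
    SumStats::create([$name="ssl-feature-counts",
                      $epoch=epoch_len,
                      $reducers=set(r),
                      $epoch_result(ts: time, key: SumStats::Key, result: SumStats::Result) =
                          {
                          # key$str looks like "server_hello_version.TLSv12";
                          # split it on the first dot to recover feature and value.
                          local parts = split_string1(key$str, /\./);
                          local feature = parts[0];
                          local value = |parts| > 1 ? parts[1] : "";
                          print fmt("%s feature=%s value=%s count=%.0f",
                                    strftime("%Y-%m-%d %H:%M:%S", ts),
                                    feature, value, result["ssl_events"]$sum);
                          }]);
    }

# Every feature goes through the same stream; the feature name and the
# observed value are combined into the key, so no per-feature reducer is needed.
function observe_feature(feature: string, value: string)
    {
    SumStats::observe("ssl_events", [$str=fmt("%s.%s", feature, value)], [$num=1]);
    }

event ssl_server_hello(c: connection, version: count, server_random: string,
                       session_id: string, cipher: count, comp_method: count)
    {
    observe_feature("server_hello_version", SSL::version_strings[version]);
    observe_feature("server_hello_cipher", SSL::cipher_desc[cipher]);
    }

event ssl_extension(c: connection, is_orig: bool, code: count, val: string)
    {
    # Extensions are where the value space can grow large; keying on the
    # extension type rather than its contents keeps the number of distinct
    # keys bounded by the size of SSL::extensions.
    observe_feature(is_orig ? "client_hello_ext" : "server_hello_ext",
                    SSL::extensions[code]);
    }
```

Because every key is a plain string, the number of SumStats keys per epoch equals the number of distinct feature/value pairs actually seen, which is what to watch when a feature such as cipher suites has hundreds of possible values; keying on a lookup-table description (rather than raw bytes) is the simplest way to keep that set bounded.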