[Bro] Try.Bro.Org Table Creation Inquiry
Azoff, Justin S
jazoff at illinois.edu
Thu Mar 9 11:39:26 PST 2017
> On Mar 9, 2017, at 2:32 PM, Philip Romero <promero at cenic.org> wrote:
>
> Justin,
> Thanks for the use of hook pointer. I'm able to retrieve the data elements directly from the hook, but I am still struggling for feeding this data into a table. All the searching I find only speaks of feeding data in from a file. I can't find any source for how to feed this "live" data into a table.
>
> UPDATED CODE:
> hook Notice::policy(n: Notice::Info)
>     {
>     if ( n$sub == "remote" && n$note == Scan::Port_Scan || n$note == Scan::Address_Scan && n$sub == "remote")
>         {
>         local ssrc = n$src;
>         local sts = n$ts;
>         local snote = n$note;
>         print ssrc, sts, snote;
>         }
>     }
Try this
hook Notice::policy(n: Notice::Info)
    {
    if ( n$sub == "remote" && (n$note == Scan::Port_Scan || n$note == Scan::Address_Scan) )
        scanners[n$src] = [$ts=n$ts, $note=cat(n$note)];
    }
n$note is actually a notice type enum, so to fit in the table you described in your previous email you need to stringify it.
--
- Justin Azoff
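A complete script showing the hook feeding a table, added here as an illustration and not code from the thread. The record type `ScanEntry`, the table name `scanners`, the one-day `&write_expire` and the `bro_done` dump are assumptions; the table in Philip's earlier mail is not on this page, so its shape is guessed from the `$ts`/`$note` assignment above.

```bro
# Loads the scan detector so Scan::Port_Scan / Scan::Address_Scan exist.
@load policy/misc/scan

# Assumed record type for each table entry (not from the original thread).
type ScanEntry: record {
    ts:   time;
    note: string;   # Notice::Type stringified with cat()
};

# Assumed table: one entry per scanning source address, expiring a day
# after its last write so the table does not grow without bound.
global scanners: table[addr] of ScanEntry &write_expire = 1 day;

hook Notice::policy(n: Notice::Info)
    {
    # src and sub are &optional in Notice::Info; reading an unset optional
    # field is a runtime error, so guard both before comparing them.
    if ( ! n?$src || ! n?$sub )
        return;

    # Same condition as the reply: remote-side port or address scans only.
    if ( n$sub == "remote" && (n$note == Scan::Port_Scan || n$note == Scan::Address_Scan) )
        scanners[n$src] = [$ts=n$ts, $note=cat(n$note)];
    }

# Dump the live table at shutdown to show what the hook collected.
event bro_done()
    {
    for ( a in scanners )
        print fmt("%s  %s  %s", a, scanners[a]$ts, scanners[a]$note);
    }
```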