[Bro] Correct way to log record with modification
John Y
yjohn8697 at gmail.com
Tue May 1 01:07:34 PDT 2018
Hi all!
I am new to Bro and am trying to solve a programming problem:
I am catching DNS packets from the interface, changing some fields and trying
to write them to a log.
For that goal, I use a record with the fields:
type Info: record {
    ts: string &log;
    src_ip: addr &log;
    query: string &log;
};
Getting the DNS data from the conn log.
Manipulating the ts, like changing its format.
And then writing the fields to a new log:
Log::write(new_dns::Log, [$ts=change_format_func(conn$ts),
                         $src_ip=conn$src_ip,
                         $query=conn$query]);
Here are the questions:
1. How do I handle an uninitialized field? The assignment conn$query failed.
2. If I have a lot of fields to log, do I need to write them all in the
write command, or is there some shortcut? Remember that I must modify the
fields.
Love for your help,
John
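Added example (not from the original post): a complete Bro script for the setup described above, showing the two pieces the question touches on, the &optional attribute on fields that may be absent and the ?$ operator to test a field before reading it. The module name NewDNS, the stream name LOG, the helper to_info and the "%Y-%m-%d %H:%M:%S" format are assumptions; DNS::Info, DNS::log_dns and strftime are Bro's own.

```bro
module NewDNS;

export {
    redef enum Log::ID += { LOG };

    # &log marks a field for output; &optional allows it to be absent,
    # which is what makes a missing input field representable here.
    type Info: record {
        ts:     string &log;
        src_ip: addr   &log;
        query:  string &log &optional;
    };
}

event bro_init()
{
    # One stream per output file; $path selects the file name (new_dns.log).
    Log::create_stream(NewDNS::LOG, [$columns=Info, $path="new_dns"]);
}

# Build the output record field by field, so fields that are not set on the
# input record can be skipped instead of raising a runtime error.
function to_info(rec: DNS::Info): Info
{
    local out: Info = [$ts=strftime("%Y-%m-%d %H:%M:%S", rec$ts),
                       $src_ip=rec$id$orig_h];

    # DNS::Info$query is &optional: reading it unconditionally fails for
    # records that never carried a query, so test with ?$ first.
    if ( rec?$query )
        out$query = rec$query;

    return out;
}

# DNS::log_dns fires once per finished DNS::Info, before it is written to
# dns.log, so every record the stock DNS log sees also reaches this stream.
event DNS::log_dns(rec: DNS::Info)
{
    Log::write(NewDNS::LOG, to_info(rec));
}
```

Fields copied unchanged still have to be named in the constructor; there is no record spread in Bro script, so to_info is where the per-field modifications are collected.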