[Bro] Correct way to log record with modification

John Y yjohn8697 at gmail.com
Tue May 1 01:07:34 PDT 2018


Hi all!
I am new to Bro and am trying to solve a programming problem:

I am capturing DNS packets from the interface, changing some fields and trying
to write them to a log.

For that goal, I use a record with the fields:
type Info: record {
    ts: string &log;
    src_ip: addr &log;
    query: string &log;
};

Getting the DNS data from the conn log.
Manipulating the ts, e.g. changing its format.

And then writing the fields to a new log:
Log::write(new_dns::Log, [$ts=change_format_func(conn$ts),
                          $src_ip=conn$src_ip,
                          $query=conn$query]);

Here are the questions:
1. How do I handle an uninitialized field? The assignment conn$query failed.
2. If I have a lot of fields to log, do I need to write them all in the
write command, or is there some shortcut? Remember that I must modify the
fields.

Love for your help,
John
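As an added example that is not part of the original post, the following standalone Bro/Zeek script does what the post describes: it declares the record, creates the log stream, reformats the timestamp, and tests the optional query field with ?$ before reading it so the write does not abort. The strftime format, the "-" placeholder for a missing query and the module name New_DNS are assumptions.

```zeek
# Added example, not from the original post. Loads on top of the default
# dns analyzer and re-logs each DNS record with a text timestamp.
module New_DNS;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:     string &log;   # timestamp reformatted as text
        src_ip: addr   &log;   # DNS client address
        query:  string &log;   # queried name, or "-" when absent
    };
}

# Assumption: the wanted text format is local time at one-second resolution.
function change_format_func(t: time): string
    {
    return strftime("%Y-%m-%d %H:%M:%S", t);
    }

# Bro 2.x names this bro_init; Zeek 3.0 and later call it zeek_init.
event bro_init()
    {
    Log::create_stream(LOG, [$columns=Info, $path="new_dns"]);
    }

# DNS::log_dns fires once per DNS::Info record the dns analyzer is about to
# write to dns.log, so it carries the same data the post reads from the log.
# DNS::Info$query is &optional: a transaction without a query leaves it unset,
# and reading rec$query then raises a runtime error and aborts the handler.
# Test with ?$ first. Because ts changes type (time -> string) the output
# record cannot be a copy() of the source, so each field is assigned explicitly.
event DNS::log_dns(rec: DNS::Info)
    {
    local out: Info = [$ts=change_format_func(rec$ts),
                       $src_ip=rec$id$orig_h,
                       $query=rec?$query ? rec$query : "-"];
    Log::write(LOG, out);
    }
```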