Hi,
I want to introduce two new fields in dns.log. I've tried to use code like this:
-----script.bro------
redef record DNS::Info += {
    foo: bool &optional &log;
};

event DNS::log_dns(rec: DNS::Info)
    {
    if ( condition )
        rec$foo = T;
    }
The event you should handle is the one that has the data you're basing your condition (in your example) off of. The log events are too late. The data is already set and gone at that point. I think there might be some justification for turning those log events into hooks so you could actually modify it in place before it's actually logged (we'll discuss this internally).
What is the condition you’re working with in your dns log?
.Seth
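
One way to apply the advice in the reply, as an added example that is not part of the original thread: the field is set in the `dns_request` protocol event, where the query data is still available, instead of in `DNS::log_dns`. The condition (a query name longer than `long_query_len`) and that constant's name are assumptions standing in for the poster's unstated condition.

```bro
# Added example, not code from the thread.
@load base/protocols/dns

redef record DNS::Info += {
    # New dns.log column, named as in the original post.
    foo: bool &optional &log;
};

# Hypothetical threshold standing in for the poster's unstated condition.
const long_query_len = 50 &redef;

# This handler runs at the default priority (0), after the base DNS script's
# higher-priority handler for the same event has created c$dns.
event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
    {
    # Guard against the session record being absent.
    if ( ! c?$dns )
        return;

    # Set the field while the record is still being built, so the value
    # is present when the entry is later written to dns.log.
    if ( |query| > long_query_len )
        c$dns$foo = T;
    }
```

Because `foo` is `&optional`, entries that do not match the condition leave the column unset in dns.log.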