Dear all,
My name is Steven, I am a new Bro user. Recently, I have been working on a project which requires Bro to save the payload into a vector and use the packet's source address as the index.
So I have defined the vector
redef record connection += {
dns: Info &optional;
dns_state: State &optional;
v1: vector of string &optional;
};
and I try to use
c$v1[c$id$orig_h] = query;
I notice that the vector index is an integer, so how can I convert c$id$orig_h into an integer?
All suggestions are welcome. Many thanks.
Regards,
Steven
Look here: https://www.bro.org/sphinx-git/scripting/index.html#data-types-revisited
I'm relatively new to Bro as well, so if I am wrong or this can be done a better way, please someone correct me.
The connection record holds information on the current connection only. It is not an array of all connections. To do what I think you are trying to do, I would create another record and then an array of that record. Something like this:
global dns_info: table[addr] of string;
This creates a table referenced by IP addresses.
Then you can use dns_info[c$id$orig_h] = query;
The record definition would be:
type dns_rec: record {
dns_info: vector of string
};
global dns_stuff: table[addr] of dns_rec;
The above will yield a table of dns_recs. You can add other fields into the record that you need. This table of dns_rec can be referenced by:
dns_stuff[c$id$orig_h]$dns_info
Hope I didn’t miss your question entirely.
thanks,
Brian
Depending on what you are trying to do, you could also use a table of sets of DNS::Info records indexed by connection source addresses.
Just be careful not to let the table grow too large.
global dns_cache: table[addr] of set[DNS::Info];
DNS::Info records are the same records that get placed in dns log
files. Hope this helps!
-AK
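A complete script putting both suggestions together (Brian's table of vectors keyed by source address, and AK's table of sets of DNS::Info). This is an added example written for this thread, not code posted by Steven, Brian or AK and not part of Bro itself. It assumes the Bro 2.x event signatures the thread's era used (`dns_request` with five parameters, `bro_done`); newer Zeek adds an `original_query` parameter to `dns_request` and renames the shutdown event to `zeek_done`. The module name, the table names and the expiry intervals are my own choices; the `&create_expire` / `&read_expire` attributes are what keeps the tables from growing without bound, which is the caveat AK raises.

```zeek
# Added example: per-source-address DNS query tracking in Bro script.
# Not from the original thread; names and intervals below are assumptions.
module DNSByOrig;

export {
    ## Query names seen per originating address (Brian's approach).
    ## Each entry is dropped one hour after it was created, so the table
    ## cannot grow without bound on a busy link.
    global queries: table[addr] of vector of string &create_expire=1hr;

    ## Full DNS::Info records per originating address (AK's approach).
    ## Entries expire 30 minutes after they were last read.
    global cache: table[addr] of set[DNS::Info] &read_expire=30mins;
}

# A vector is indexed by count, not addr; the addr goes into the table
# index and the vector is appended at position |v| (current length).
event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
    {
    local orig = c$id$orig_h;

    if ( orig !in queries )
        queries[orig] = vector();

    queries[orig][|queries[orig]|] = query;
    }

# DNS::log_dns fires once per DNS::Info record that is written to dns.log,
# so the cache holds exactly what the log holds, grouped by source address.
event DNS::log_dns(rec: DNS::Info)
    {
    local orig = rec$id$orig_h;

    if ( orig !in cache )
        cache[orig] = set();

    add cache[orig][rec];
    }

# Report what was collected when Bro shuts down (or the pcap ends).
event bro_done()
    {
    for ( a in queries )
        {
        local n = |queries[a]|;
        print fmt("%s made %d queries, first: %s", a, n, queries[a][0]);
        }

    for ( a in cache )
        print fmt("%s has %d DNS::Info records cached", a, |cache[a]|);
    }
```

Run it against a capture with `bro -r dns.pcap dns_by_orig.bro` (file name assumed). The two tables answer the same question two ways: the vector keeps only the query strings in arrival order, while the set of DNS::Info keeps everything that lands in dns.log (answers, TTLs, rcode) at the cost of more memory per entry. Whichever you choose, give the table an expiry attribute; a plain `table[addr]` with no `&create_expire`, `&read_expire` or `&write_expire` keeps one entry per client address for the life of the process.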