Hi,
I have a script which will add one field to intel.log; that part is working.
Now I want to read the output of the seen.where field from intel.log. For example, if seen.where is HTTP::IN_HOST_HEADER, I need to write "itsOk" into my new intel.log field.
The problem is that I am not able to get the seen.where field output.
My code:
    @load frameworks/intel/seen

    export {
        global address: table[addr] of string &synchronized &write_expire=7day;

        redef Intel::read_files += {
            fmt("%s/intel-1.dat", @DIR)
        };

        redef record Intel::Info += {
            category: string &optional &log;
            attribute: string &log &optional;
        };
    }

    event Intel::log_intel (rec: Intel::Seen)
        {
        address[rec$host] = rec$where;
        host_name_dhcp[rec$assigned_ip] = rec$hostname;
        }
Any way to do this?
Regards,
sunu
The main issue is that the log_intel event is called with an Intel::Info, not an Intel::Seen.
seen.where is the log representation of the Info record's rec$seen$where field, so you need to do something like this:
    event Intel::log_intel (rec: Intel::Info)
        {
        print "rec$seen$where is", rec$seen$where;
        }
http://try.bro.org/#/trybro/saved/118697
Thanks
Now I need to write the output of the if condition into the intel.log category field which I have added to intel.log.
My latest code:
    @load frameworks/intel/seen

    export {
        redef Intel::read_files += {
            fmt("%s/intel-1.dat", @DIR)
        };

        redef record Intel::Info += {
            category: string &optional &log;
            attribute: string &log &optional;
        };
    }

    event Intel::log_intel (rec: Intel::Info)
        {
        if ( rec$seen$where == HTTP::IN_HOST_HEADER )
            {
            print "True";
            }
        else
            {
            print "False";
            }
        print "rec$seen$where is", rec$seen$where;
        }
I need the if condition's "True" string in the intel.log category field; is that possible?
http://try.bro.org/#/trybro/saved/118899
Regards,
Sunu
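The following is an added example, not a script posted in this thread, showing one way to get the condition's result into the new category field. It assumes a Bro/Zeek version that provides the Intel::extend_match hook (check your installed version); the file name intel-1.dat and the "itsOk" value are taken from the thread, while the "other" fallback string is a constructed choice.

```zeek
@load frameworks/intel/seen

export {
    redef Intel::read_files += {
        fmt("%s/intel-1.dat", @DIR)
    };

    # Extra column written to intel.log.
    redef record Intel::Info += {
        category: string &optional &log;
    };
}

# Intel::extend_match runs before the Info record is handed to the logging
# framework, so fields set here appear in the written intel.log entry.
# Intel::log_intel, by contrast, only observes the record; assigning
# rec$category inside it does not change what is logged.
hook Intel::extend_match(info: Intel::Info, s: Intel::Seen, items: set[Intel::Item])
    {
    # s$where carries the same value that is logged as seen.where.
    if ( s$where == HTTP::IN_HOST_HEADER )
        info$category = "itsOk";
    else
        info$category = "other";   # constructed fallback value
    }
```

Run it like the scripts above (for example `bro -r trace.pcap this-script.bro` or `zeek -r ...`), then check the category column in intel.log.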
Thanks, I solved the problem.
Care to share the completed script?
James