@xrl
Last active August 29, 2015 14:24
require 'string'
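--- Split a string on a separator class and return the pieces as a sequence.
-- `sep` is spliced straight into a Lua pattern character class (`[^sep]+`),
-- so it is a class fragment, not a literal: the default "%s" means "any
-- whitespace", "\t" means a tab. A value containing pattern magic
-- characters (`]`, `^`, `%`, `-`) would change or break the pattern.
-- Because the class is repeated with `+`, runs of consecutive separators
-- count as one: empty fields are dropped rather than returned as "", which
-- shifts every later column left when the input has a genuinely empty field.
-- @tparam string inputstr text to split
-- @tparam[opt="%s"] string sep separator character-class fragment
-- @treturn table sequence of non-empty tokens (empty table when none found)
function split(inputstr, sep)
  if sep == nil then
    sep = "%s"
  end
  local pattern = "([^" .. sep .. "]+)"
  local tokens = {}
  -- The counter must be local: the original leaked `i` into the global
  -- environment, which every function in this sandbox shares.
  for token in string.gmatch(inputstr, pattern) do
    tokens[#tokens + 1] = token
  end
  return tokens
end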
-- Message template reused for every process_message call: one table is
-- allocated at sandbox load and mutated per message rather than rebuilt.
local msg = {
-- copied from the incoming message's Timestamp on each call
Timestamp = nil,
-- output message type, read from the decoder's "type" config setting
Type = read_config("type"),
Payload = nil,
-- replaced per call with a name -> value table of the parsed columns
Fields = nil
}
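-- Column order of Bro's dns.log as documented for the ASCII writer; index k
-- is the position of that column on a line. Built once, not per message.
local DNS_COLUMNS = {
  "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
  "proto", "trans_id", "query", "qclass", "qclass_name", "qtype",
  "qtype_name", "rcode", "rcode_name", "AA", "TC", "RD", "RA", "Z",
  "answers", "TTLs", "rejected"
}

--- Heka sandbox entry point: decode one Bro dns.log line into named fields.
-- The payload is split on whitespace (split's default), token k is assigned
-- to DNS_COLUMNS[k], and the result is injected as a new message whose Type
-- is read_config("type").
-- Returns 0 when a message was injected, -1 when the line was rejected so
-- Heka counts a ProcessMessageFailure instead of the sandbox raising.
--
-- Rejection rules:
--   * payload missing or not a string (string.gmatch would raise on nil)
--   * token count differs from #DNS_COLUMNS (23)
-- The old code injected whatever tokens it had, so a short line produced
-- nil columns and a long line silently misaligned them (e.g. "query"
-- ending up under "qclass"). With whitespace as the separator, a column
-- whose value contains a space — DNS query names are attacker-chosen bytes
-- — produces extra tokens and is now dropped rather than injected shifted.
-- Rejected lines are not logged by this decoder; watch the
-- ProcessMessageFailures counter for it.
function process_message()
  local payload = read_message("Payload")
  if type(payload) ~= "string" then
    return -1
  end
  local tokens = split(payload)
  local expected = #DNS_COLUMNS
  if #tokens ~= expected then
    return -1
  end
  local fields = {}
  for position = 1, expected do
    fields[DNS_COLUMNS[position]] = tokens[position]
  end
  msg.Timestamp = read_message("Timestamp")
  msg.Fields = fields
  inject_message(msg)
  return 0
end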
require 'string'
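--- Split a string on a separator class and return the pieces as a sequence.
-- `sep` is spliced straight into a Lua pattern character class (`[^sep]+`),
-- so it is a class fragment, not a literal: the default "%s" means "any
-- whitespace", "\t" means a tab. A value containing pattern magic
-- characters (`]`, `^`, `%`, `-`) would change or break the pattern.
-- Because the class is repeated with `+`, runs of consecutive separators
-- count as one: empty fields are dropped rather than returned as "", which
-- shifts every later column left when the input has a genuinely empty field.
-- @tparam string inputstr text to split
-- @tparam[opt="%s"] string sep separator character-class fragment
-- @treturn table sequence of non-empty tokens (empty table when none found)
function split(inputstr, sep)
  if sep == nil then
    sep = "%s"
  end
  local pattern = "([^" .. sep .. "]+)"
  local tokens = {}
  -- The counter must be local: the original leaked `i` into the global
  -- environment, which every function in this sandbox shares.
  for token in string.gmatch(inputstr, pattern) do
    tokens[#tokens + 1] = token
  end
  return tokens
end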
-- turn the Bro dns.log field documentation into Lua parallel-assignment code
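-- Column order of Bro's dns.log as documented for the ASCII writer; index k
-- is the position of that column on a tab-separated line.
local DNS_COLUMNS = {
  "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
  "proto", "trans_id", "query", "qclass", "qclass_name", "qtype",
  "qtype_name", "rcode", "rcode_name", "AA", "TC", "RD", "RA", "Z",
  "answers", "TTLs", "rejected"
}

--- Heka sandbox entry point: decode one tab-separated Bro dns.log line by
-- writing each column into the current message with write_message.
-- This variant mutates the message in place instead of injecting a new one.
-- The original Payload is left untouched: the previous version replaced it
-- with a debug string built from an undefined global `a`, and also leaked
-- `arr`, `timestamp` and `b` into the shared global environment.
-- The raw line is copied into Fields[debug] for troubleshooting; be aware
-- this doubles the stored size of every decoded message.
-- Returns 0 on success, -1 if the payload is missing or the tab-separated
-- token count is not exactly #DNS_COLUMNS (23). A mismatch would misalign
-- columns, so the line is dropped (Heka records a failure). Because split
-- collapses adjacent separators, an empty field (two adjacent tabs) also
-- triggers the mismatch; Bro writes "-" for unset fields, so this only
-- bites on non-standard output.
function process_message()
  local payload = read_message("Payload")
  if type(payload) ~= "string" then
    return -1
  end
  local columns = split(payload, "\t")
  if #columns ~= #DNS_COLUMNS then
    return -1
  end
  write_message("Fields[debug]", payload)
  for position, name in ipairs(DNS_COLUMNS) do
    write_message("Fields[" .. name .. "]", columns[position])
  end
  return 0
end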
UdpInput-DecodeBro
Properties
Name Value
InChanCapacity 30
InChanLength 0
ProcessMessageAvgDuration 123,774 ns
ProcessMessageAvgDuration-BroRsyslog 49,035 ns
ProcessMessageAvgDuration-SandboxDecodeBro 70,859 ns
ProcessMessageCount 3,462,370
ProcessMessageCount-BroRsyslog 3,462,370
ProcessMessageCount-SandboxDecodeBro 3,462,370
ProcessMessageFailures 0
ProcessMessageFailures-BroRsyslog 0
ProcessMessageFailures-SandboxDecodeBro 0
ProcessMessageSamples 3,372
ProcessMessageSamples-BroRsyslog 3,372
ProcessMessageSamples-SandboxDecodeBro 3,372
require 'string'
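--- Split `inputstr` on the separator class `sep` and store token k in
-- fields[k].value for the first #fields tokens.
-- `fields` is a sequence of {name=..., value=...} records reused across
-- calls; every value is cleared to nil first so a short line cannot leave a
-- previous record's data sitting in the trailing columns.
-- Returns the TOTAL number of tokens found, including any beyond #fields
-- (counted but not stored), so a caller detects both short and long lines
-- with a single `count ~= #fields` comparison. The original returned the
-- loop index instead, i.e. #fields + 1 for a complete line, which made that
-- comparison fail for every well-formed record.
-- `sep` is a Lua pattern character-class fragment, not a literal, and
-- consecutive separators collapse: empty fields are dropped, shifting later
-- columns left.
-- @tparam string inputstr the line to split
-- @tparam[opt="%s"] string sep separator class fragment
-- @tparam table fields sequence of {name, value} records filled in place
-- @treturn number total token count
function split_into_fields(inputstr, sep, fields)
  if sep == nil then
    sep = "%s"
  end
  local capacity = #fields
  for k = 1, capacity do
    fields[k].value = nil
  end
  local count = 0
  for token in string.gmatch(inputstr, "([^" .. sep .. "]+)") do
    count = count + 1
    if count <= capacity then
      fields[count].value = token
    end
  end
  return count
end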
-- dns.log column names in Bro's documented order; index k is the position
-- of that column on a line.
local DNS_COLUMN_NAMES = {
  "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
  "proto", "trans_id", "query", "qclass", "qclass_name", "qtype",
  "qtype_name", "rcode", "rcode_name", "AA", "TC", "RD", "RA", "Z",
  "answers", "TTLs", "rejected"
}

-- One {name, value} record per column, built once at load time. The value
-- slots start out absent (nil) and are overwritten in place per message.
local dns_fields = {}
for position, column in ipairs(DNS_COLUMN_NAMES) do
  dns_fields[position] = { name = column, value = nil }
end

-- Message template shared by every process_message call. Timestamp is
-- copied from the incoming message per call; Type comes from the decoder's
-- "type" config; Fields is the record list above in Heka's {name=, value=}
-- list form.
local msg = {
  Timestamp = nil,
  Type = read_config("type"),
  Payload = nil,
  Fields = dns_fields
}
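--- Heka sandbox entry point: parse one whitespace-separated dns.log line
-- into msg.Fields and inject it as a new message.
-- split_into_fields stores token k in msg.Fields[k].value and reports a
-- token count; the line is accepted only when that count equals
-- #msg.Fields, otherwise -1 is returned and Heka records a failure (the
-- message is dropped rather than injected with misaligned columns).
-- A nil or non-string payload is rejected the same way instead of letting
-- string.gmatch raise inside the sandbox.
-- The separator is whitespace, so a column value containing a space (DNS
-- query names are attacker-chosen bytes) yields extra tokens and a dropped
-- record; a high ProcessMessageFailures count on this decoder is worth
-- checking against raw lines rather than ignoring.
function process_message()
  local payload = read_message("Payload")
  if type(payload) ~= "string" then
    return -1
  end
  local expected = #msg.Fields
  local count = split_into_fields(payload, "%s", msg.Fields)
  if count ~= expected then
    return -1
  end
  msg.Timestamp = read_message("Timestamp")
  inject_message(msg)
  return 0
end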
Name Value
InChanCapacity 30
InChanLength 0
ProcessMessageAvgDuration 218,718 ns
ProcessMessageAvgDuration-DecodeBroRsyslog 72,993 ns
ProcessMessageAvgDuration-DecodeBroTSV 21,635 ns
ProcessMessageCount 101,422
ProcessMessageCount-DecodeBroRsyslog 101,422
ProcessMessageCount-DecodeBroTSV 101,422
ProcessMessageFailures 0
ProcessMessageFailures-DecodeBroRsyslog 0
ProcessMessageFailures-DecodeBroTSV 101,421
ProcessMessageSamples 76
ProcessMessageSamples-DecodeBroRsyslog 76
ProcessMessageSamples-DecodeBroTSV 76
require 'string'
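--- Split a string on a separator class and return the pieces as a sequence.
-- `sep` is spliced straight into a Lua pattern character class (`[^sep]+`),
-- so it is a class fragment, not a literal: the default "%s" means "any
-- whitespace", "\t" means a tab. A value containing pattern magic
-- characters (`]`, `^`, `%`, `-`) would change or break the pattern.
-- Because the class is repeated with `+`, runs of consecutive separators
-- count as one: empty fields are dropped rather than returned as "", which
-- shifts every later column left when the input has a genuinely empty field.
-- @tparam string inputstr text to split
-- @tparam[opt="%s"] string sep separator character-class fragment
-- @treturn table sequence of non-empty tokens (empty table when none found)
function split(inputstr, sep)
  if sep == nil then
    sep = "%s"
  end
  local pattern = "([^" .. sep .. "]+)"
  local tokens = {}
  -- The counter must be local: the original leaked `i` into the global
  -- environment, which every function in this sandbox shares.
  for token in string.gmatch(inputstr, pattern) do
    tokens[#tokens + 1] = token
  end
  return tokens
end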
-- dns.log column names in Bro's documented order; index k is the position
-- of that column on a line.
local DNS_COLUMN_NAMES = {
  "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
  "proto", "trans_id", "query", "qclass", "qclass_name", "qtype",
  "qtype_name", "rcode", "rcode_name", "AA", "TC", "RD", "RA", "Z",
  "answers", "TTLs", "rejected"
}

-- One {name, value} record per column, built once at load time. The value
-- slots start out absent (nil) and are overwritten in place per message.
local dns_fields = {}
for position, column in ipairs(DNS_COLUMN_NAMES) do
  dns_fields[position] = { name = column, value = nil }
end

-- Message template shared by every process_message call. Timestamp is
-- copied from the incoming message per call; Type comes from the decoder's
-- "type" config; Fields is the record list above in Heka's {name=, value=}
-- list form.
local msg = {
  Timestamp = nil,
  Type = read_config("type"),
  Payload = nil,
  Fields = dns_fields
}
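--- Heka sandbox entry point: split one dns.log line on whitespace, copy
-- token k into msg.Fields[k].value, and inject the message.
-- Accepts only lines whose token count equals #msg.Fields (23 columns);
-- anything else returns -1 so Heka drops it as a failure instead of
-- injecting misaligned columns. Comparing against #msg.Fields rather than a
-- literal 23 keeps the check in step with the template if columns change.
-- Every slot is assigned on an accepted line and none on a rejected one, so
-- a previous record's value can never leak into a trailing column.
-- A nil or non-string payload is rejected rather than raising in gmatch.
-- Whitespace splitting means a column containing a space (query names are
-- untrusted bytes) yields extra tokens and a rejected line; watch the
-- ProcessMessageFailures counter for this decoder.
function process_message()
  local payload = read_message("Payload")
  if type(payload) ~= "string" then
    return -1
  end
  local tokens = split(payload)
  local expected = #msg.Fields
  if #tokens ~= expected then
    return -1
  end
  for position = 1, expected do
    msg.Fields[position].value = tokens[position]
  end
  msg.Timestamp = read_message("Timestamp")
  inject_message(msg)
  return 0
end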
Name Value
InChanCapacity 30
InChanLength 0
ProcessMessageAvgDuration 99,404 ns
ProcessMessageAvgDuration-DecodeBroRsyslog 52,623 ns
ProcessMessageAvgDuration-DecodeBroTSV 33,972 ns
ProcessMessageCount 197,087
ProcessMessageCount-DecodeBroRsyslog 197,087
ProcessMessageCount-DecodeBroTSV 197,087
ProcessMessageFailures 0
ProcessMessageFailures-DecodeBroRsyslog 0
ProcessMessageFailures-DecodeBroTSV 148,346
ProcessMessageSamples 178
ProcessMessageSamples-DecodeBroRsyslog 178
ProcessMessageSamples-DecodeBroTSV 178