Adding a custom field to a Bro log, e.g. a human-readable time column in http.log:
FILE $bro/share/bro/base/protocols/http/human_time_http.bro

@load base/protocols/http

module HTTP;

export {
    # Extend HTTP::Info with one extra column. &log writes it to http.log;
    # &optional lets records that never receive the value still be logged.
    redef record Info += {
        ## A human-readable timestamp
        human_time: string &log &optional;
    };
}

event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
    {
    # base/protocols/http creates c$http in its own http_request handler at
    # &priority=5, so it already exists here; the check keeps this handler
    # safe if that ordering ever changes.
    if ( ! c?$http )
        return;

    # strftime renders in the local time zone of the Bro host; %z records the UTC offset.
    local format: string = "%Y-%m-%dT%H:%M:%S%z";
    c$http$human_time = strftime(format, c$http$ts);
    }
Then edit the load file $bro/share/bro/base/protocols/http/__load__.bro and add one line:

@load ./human_time_http
Alternatively, instead of the redef above, declare the field directly in the Info record in $bro/share/bro/base/protocols/http/main.bro:

type Info: record {
    ## Human-readable timestamp of the request.
    human_time: string &log &optional;
    ...
    ...

Use one approach or the other, not both: the field must be declared exactly once, and the redef from a separate script is preferable because it leaves the stock main.bro untouched.
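The same extension deployed the way it is normally done in practice, without editing anything under base/: the script lives in the site directory and is loaded from local.bro. This is an added example, not code from the original post; the file name http-human-time.bro and the $bro/share/bro/site/ location are assumptions, and the http_reply handler is an addition that covers replies seen without their request (e.g. in a partial capture).

```bro
# $bro/share/bro/site/http-human-time.bro   (assumed path and file name)
#
# Adds a human_time column to http.log without touching base/protocols/http.
# Enable it by adding to $bro/share/bro/site/local.bro:
#     @load ./http-human-time

@load base/protocols/http

module HTTP;

export {
    redef record Info += {
        ## Request timestamp as ISO-8601 local time with UTC offset
        human_time: string &log &optional;
    };
}

const human_time_format = "%Y-%m-%dT%H:%M:%S%z";

# &priority=-5 runs after the stock handler (priority 5) that creates c$http.
event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string) &priority=-5
    {
    if ( ! c?$http )
        return;

    # c$http$ts is the request time; strftime uses the Bro host's local zone.
    c$http$human_time = strftime(human_time_format, c$http$ts);
    }

# Replies without a matching request still produce an HTTP::Info record;
# fill the column for those too, but never overwrite a value already set.
event http_reply(c: connection, version: string, code: count, reason: string) &priority=-5
    {
    if ( c?$http && ! c$http?$human_time )
        c$http$human_time = strftime(human_time_format, c$http$ts);
    }
```

To check the result offline, replay a capture with `bro -r trace.pcap local` in a scratch directory and read the new column with `bro-cut ts human_time host uri < http.log`; the human_time value should match `ts` converted in the host's local time zone.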
See also: the meaning of field attributes (&log, &optional, ...) in Bro script: https://www.bro.org/sphinx/script-reference/attributes.html#attr-&log