List: bro
Subject: Re: [Bro] sum stats q.
From: Dk Jack <dnj0496 () gmail ! com>
Date: 2018-11-30 20:03:59
Message-ID: 565D162F-4992-44F8-92D2-0A85BDB343B9 () gmail ! com
Thanks for investigating this Justin. I was scratching my head for two days :)
Btw, I am using 2.4.1. Since my requirements were very simple, I ended up creating my own table and writing the accumulated counts to the log periodically using the 'schedule' primitive. That's working correctly. Hopefully, I can get rid of that and move to the sumstats version when I upgrade my bro to 2.6.
Thanks again.
Dk.
On Nov 30, 2018, at 11:14 AM, Azoff, Justin S <jazoff@illinois.edu> wrote:
> >
> > Hi Justin,
> > Thanks for responding. My problem is not with try.bro.org but with how sumstats seems to work. I was just using try.bro.org to demonstrate the issue in case someone wanted to try my test.
>
> Hi,
>
> While trying to reproduce your problem I found that this was fixed a few months ago:
> https://github.com/bro/bro/commit/3495b2fa9d84e8105a79e24e4e9a2f9181318f1a#diff-3248d64d10c61bb0656f5c167feca5f0
>
> I ended up tracking down the root cause only to realize this is already fixed in 2.6 :-) Never hurts to practice bro script debugging though. Turns out the old script was deleting entries from a table while iterating over it, which is undefined behavior in bro (and in many other languages).
> I have a directory with http.pcap and your script (s.bro)
>
> I run a bro 2.5.5 container and count the results, getting 128 instead of 197.
>
> justin@mbp:~/b$ docker run -t -i --rm -v `pwd`:/b broplatform/bro:2.5.5
> root@cbd05c9035c3:/# cd /b
> root@cbd05c9035c3:/b# bro -r http.pcap s.bro
> Creating HttpStats log stream and HTTP sumstats
> 1320279683.449294 ./s.bro, line 55: scount=197
> root@cbd05c9035c3:/b#
> root@cbd05c9035c3:/b# cat http-stats.log | bro-cut hits | awk '{s+=$1} END {printf "%.0f\n", s}'
> 128
>
> Now I do the same test again but using bro 2.6 released yesterday and get the correct result of 197:
> justin@mbp:~/b$ docker run -t -i --rm -v `pwd`:/b broplatform/bro:2.6
> root@869655245d1d:/# cd /b
> root@869655245d1d:/b# bro -r http.pcap s.bro
> Creating HttpStats log stream and HTTP sumstats
> 1320279683.449294 ./s.bro, line 55: scount=197
> root@869655245d1d:/b#
> root@869655245d1d:/b# cat http-stats.log | bro-cut hits | awk '{s+=$1} END {printf "%.0f\n", s}'
> 197
>
>
> --
> Justin
_______________________________________________
Bro mailing list
bro@bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
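The workaround Dk describes (a plain counter table flushed to a log on a `schedule` timer) together with the safe-deletion pattern behind the root cause Justin found, written out as an added example for this page. This is not Dk's s.bro and not the sumstats code from the Bro repository; it assumes Bro 2.5/2.6 script syntax, and the module name HttpStats, the log stream name, the `hits` table, the 5-minute interval and the `http-stats` log path are all choices made here (the module name follows the "Creating HttpStats log stream" line in the thread's output, nothing else is taken from the original script).

```zeek
## Added example (not the script from the thread): count HTTP requests per
## responder in a plain table and flush the counts to a log on a timer.
## Assumes Bro 2.5/2.6 script syntax; all names below are chosen for this example.
module HttpStats;

export {
    redef enum Log::ID += { LOG };

    ## One line per responder per flush interval.
    type Info: record {
        ts:   time  &log;   # time of the flush
        host: addr  &log;   # responding server
        hits: count &log;   # requests seen since the previous flush
    };

    ## How often accumulated counts are written out (assumed value).
    const flush_interval = 5min &redef;
}

## Counts accumulated since the last flush. &default=0 lets the handler
## do "hits[h] += 1" without an explicit membership check.
global hits: table[addr] of count &default=0;

## Write every bucket to the log, then clear the table.
## Keys are collected into a set and removed in a second loop: deleting a
## table entry inside the loop that iterates over that same table is
## undefined behavior in Bro script, which is the root cause of the 2.5
## sumstats undercount discussed in the thread.
function flush_hits()
    {
    local to_delete: set[addr] = set();

    for ( h in hits )
        {
        Log::write(LOG, [$ts=network_time(), $host=h, $hits=hits[h]]);
        add to_delete[h];
        }

    for ( h in to_delete )
        delete hits[h];
    }

## Timer event that re-arms itself after each flush.
event flush_hits_timer()
    {
    flush_hits();
    schedule flush_interval { flush_hits_timer() };
    }

event bro_init()
    {
    Log::create_stream(LOG, [$columns=Info, $path="http-stats"]);
    schedule flush_interval { flush_hits_timer() };
    }

event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
    {
    hits[c$id$resp_h] += 1;
    }

## When reading a pcap, timers only advance with packet timestamps, so the
## last partial interval would otherwise never be flushed. Flushing at
## shutdown makes the per-interval rows sum to the total number of requests.
event bro_done()
    {
    flush_hits();
    }
```

Run it the same way as in the thread, `bro -r http.pcap http-stats.bro`, and check it with the same pipeline, `cat http-stats.log | bro-cut hits | awk '{s+=$1} END {printf "%.0f\n", s}'`: the sum of the `hits` column should equal the number of `http_request` events in the trace. Dropping the `bro_done` handler is the quickest way to see why the flush-at-shutdown matters on a short pcap, and replacing the two-loop deletion with a `delete hits[h]` inside the first loop reproduces the kind of undefined behavior Justin describes.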