[SecViz] Afterglow: Is it possible to split a field?
Bob Fox
dauntingbob at yahoo.com
Sat Mar 13 14:20:04 EST 2010
Paul:
I always find split clumsy and tend to solve such problems with a regex...
Perhaps something like:
$fields[2] =~ /Count\:\s+(\d+)/;
$count = $1;
color.event="yellow" if ($count<=20);
-----------
Bob Fox
________________________________
From: Paul Halliday <paul.halliday at gmail.com>
To: Raffael Marty <raffy at raffy.ch>
Cc: secviz-visualization at secviz.org
Sent: Fri, March 12, 2010 10:11:38 PM
Subject: Re: [SecViz] Afterglow: Is it possible to split a field?
Even after reading up on Perl's 'split' I can't seem to get this to
work (I couldn't hobble your example together either).
$fields[2] looks like this:
172.16.0.1 Count: 20
I am trying this:
$count=split(' Count: ',$fields[2]);
color.event="yellow" if ($count[1]<=20);
Any pointers would be nice :)
Thanks!
On Wed, Mar 10, 2010 at 2:15 PM, Raffael Marty <raffy at raffy.ch> wrote:
> Oh, I see... I think you are breaking some functionality if you do that. Not sure though. Anyways, you could do something like format your data this way:
>
> A,B,C|D
>
> Then in your properties file, split by | again:
>
> color = $count=split("|",$fields[2])[0]; return "red" if ($count > 100)
>
> I haven't tested this (my perl code might be off too, been in Python land for too long), but it should work... Hopefully ;)
>
> Raffael
>
> --
> Raffael Marty, Founder @ Loggly
> @zrlram raffy.ch/blog
>
> On Mar 10, 2010, at 9:44 AM, Paul Halliday wrote:
>
>> I have been working on this:
>>
>> http://www.pintumbler.org/code/edv
>>
>> The problem I was having was that I was already using the 3 fields:
>>
>> src_ip, dst_ip, signature
>>
>> I wanted to add a little depth by adding an event count for each
>> unique (src->dst->signature) entry; a 4th field.
>>
>> I changed a couple lines in afterglow.pl:
>>
>> on line 438 I added: $other = $fields[3];
>>
>> and on line 474 I changed it to read: @fields=($source,$event,$target,$other);
>>
>> Now I can do:
>>
>> src_ip, dst_ip, signature,count using count to colorize the objects:
>>
>> http://www.pintumbler.org/files/allevents_2010-03-10_thumb.png
>>
>> It needs some work but it's close to what I was looking for.
>>
>> Thanks.
>>
>> On Wed, Mar 10, 2010 at 12:56 PM, Raffael Marty <raffy at raffy.ch> wrote:
>>> Hi Paul,
>>>
>>> Sure you can do that.
>>>
>>> Let's say you have a three column input:
>>>
>>> 10.0.0.1,20.2.2.2,100
>>> 12.2.2.2,10.0.0.1,12
>>>
>>> So, you have a source address, destination address, and a count. Then do this:
>>>
>>> cat file | afterglow -t -c file.properties | ....
>>>
>>> What is important is the -t, which tells AfterGlow to only visualize two columns. The third column will still be available in your config file. So, the file.properties would look something like:
>>>
>>> color.target = "red" if ($fields[2]>100)
>>>
>>> Note, it's $fields[2], not 3! What you could also do:
>>>
>>> color = "green" if (fields()>100)
>>>
>>> Hope this helps. Looking forward to seeing your output on secviz.org. What's the use-case you are after?
>>>
>>> Cheers
>>>
>>> Raffael
>>>
>>> --
>>> Raffael Marty, Founder @ Loggly
>>> @zrlram raffy.ch/blog
>>>
>>> On Mar 10, 2010, at 5:56 AM, Paul Halliday wrote:
>>>
>>>> Or have field[3] available?
>>>>
>>>> I want to colour a source or target based on its count of events.
>>>> Is this possible?
>>>>
>>>> Thanks.
>>>> _______________________________________________
>>>> SecViz-Visualization mailing list
>>>> SecViz-Visualization at secviz.org
>>>> http://eight.pairlist.net/mailman/listinfo/secviz-visualization
>>>
>>>
>
>
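Added example, not part of the original thread and not AfterGlow's own code: a stand-alone Perl script that runs the split and regex approaches discussed above on values shaped like the quoted `$fields[2]`, showing what scalar-context `split` and a `"|"` pattern actually return. The helper names, the sample values and the `default` colour are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample values in the "<ip> Count: <n>" shape quoted in the thread,
# plus one value without a count to exercise the failure path.
my @samples = ('172.16.0.1 Count: 20', '10.0.0.5 Count: 250', '192.168.1.9');

# Hypothetical helper: regex capture. Returns (ip, count), or an empty list
# when the field does not match. The match result is tested before $1/$2 are
# used, because after a failed match they keep the values of the last success.
sub parse_with_regex {
    my ($field) = @_;
    return $field =~ /^(\S+)\s+Count:\s+(\d+)\s*$/ ? ($1, $2) : ();
}

# Hypothetical helper: the same with split, taking the result in list context.
sub parse_with_split {
    my ($field) = @_;
    my ($ip, $count) = split /\s+Count:\s+/, $field, 2;
    return (defined $count && $count =~ /^\d+$/) ? ($ip, $count) : ();
}

for my $field (@samples) {
    # Assigning split to a scalar gives the number of pieces, not the pieces.
    my $pieces = split / Count: /, $field;

    my ($ip, $count) = parse_with_regex($field);
    my (undef, $count2) = parse_with_split($field);

    if (!defined $count) {
        print "$field: no count found (scalar split returned $pieces), leave uncoloured\n";
        next;
    }
    # Threshold taken from the thread: yellow when the count is 20 or less.
    my $color = $count <= 20 ? 'yellow' : 'default';
    print "$ip: regex=$count split=$count2 scalar-split=$pieces color=$color\n";
}

# A string pattern of "|" is compiled as a regex alternation of two empty
# branches, so it splits between every character; escape it for a literal pipe.
my @wrong = split "|",  'A,B,C|D';   # 7 single characters
my @right = split /\|/, 'A,B,C|D';   # ('A,B,C', 'D')
print scalar(@wrong), " pieces vs ", scalar(@right), " pieces\n";
```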