[SecViz] Afterglow: Is it possible to split a field?
Paul Halliday
paul.halliday at gmail.com
Sat Mar 13 20:05:06 EST 2010
That seems to colour everything yellow; I am tired though, I could be
missing something simple..
I have this:
$fields[2] =~ /Count\:\s+(\d+)/;
$count = $1;
color.target="yellow" if ($count==1);
color.target="gray70" if ($count<=20);
color.target="gray50" if ($count<=50);
color.target="orangered" if ($count<=100);
I get this:
http://www.pintumbler.org/files/scans_2010-03-13.png
What am I missing?
On Sat, Mar 13, 2010 at 3:20 PM, Bob Fox <dauntingbob at yahoo.com> wrote:
> Paul:
>
> I always find split clumsy and tend to solve such problems with a regex...
>
> Perhaps something like:
>
> $fields[2] =~ /Count\:\s+(\d+)/;
> $count = $1;
> color.event="yellow" if ($count<=20);
>
>
> -----------
> Bob Fox
>
>
>
> ________________________________
> From: Paul Halliday <paul.halliday at gmail.com>
> To: Raffael Marty <raffy at raffy.ch>
> Cc: secviz-visualization at secviz.org
> Sent: Fri, March 12, 2010 10:11:38 PM
> Subject: Re: [SecViz] Afterglow: Is it possible to split a field?
>
> Even after reading up on Perl's 'split' I can't seem to get this to
> work (I couldn't hobble your example together either).
>
> $fields[2] looks like this:
>
> 172.16.0.1 Count: 20
>
> I am trying this:
>
> $count=split(' Count: ',$fields[2]);
>
> color.event="yellow" if ($count[1]<=20);
>
> Any pointers would be nice :)
>
> Thanks!
>
> On Wed, Mar 10, 2010 at 2:15 PM, Raffael Marty <raffy at raffy.ch> wrote:
>> Oh, I see... I think you are breaking some functionality if you do that.
>> Not sure though. Anyways, you could do something like format your data this
>> way:
>>
>> A,B,C|D
>>
>> Then in your properties file, split by | again:
>>
>> color = $count=split("|",$fields[2])[0]; return "red" if ($count > 100)
>>
>> I haven't tested this (my perl code might be off too, been in Python land
>> for too long), but it should work... Hopefully ;)
>>
>> Raffael
>>
>> --
>> Raffael Marty, Founder @ Loggly
>> @zrlram raffy.ch/blog
>>
>> On Mar 10, 2010, at 9:44 AM, Paul Halliday wrote:
>>
>>> I have been working on this:
>>>
>>> http://www.pintumbler.org/code/edv
>>>
>>> The problem I was having was that I was already using the 3 fields:
>>>
>>> src_ip, dst_ip, signature
>>>
>>> I wanted to add a little depth by adding an event count for each
>>> unique (src->dst->signature) entry; a 4th field.
>>>
>>> I changed a couple lines in afterglow.pl:
>>>
>>> on line 438 I added: $other = $fields[3];
>>>
>>> and on line 474 I changed it to read:
>>> @fields=($source,$event,$target,$other);
>>>
>>> Now I can do:
>>>
>>> src_ip, dst_ip, signature,count using count to colorize the objects:
>>>
>>> http://www.pintumbler.org/files/allevents_2010-03-10_thumb.png
>>>
>>> It needs some work but it's close to what I was looking for.
>>>
>>> Thanks.
>>>
>>> On Wed, Mar 10, 2010 at 12:56 PM, Raffael Marty <raffy at raffy.ch> wrote:
>>>> Hi Paul,
>>>>
>>>> Sure you can do that.
>>>>
>>>> Let's say you have a three column input:
>>>>
>>>> 10.0.0.1,20.2.2.2,100
>>>> 12.2.2.2,10.0.0.1,12
>>>>
>>>> So, you have a source address, destination address, and a count. Then do
>>>> this:
>>>>
>>>> cat file | afterglow -t -c file.properties | ....
>>>>
>>>> What is important is the -t, which tells AfterGlow to only visualize two
>>>> columns. The third column will still be available in your config file. So,
>>>> the file.properties would look something like:
>>>>
>>>> color.target = "red" if ($fields[2]>100)
>>>>
>>>> Note, it's $fields[2], not 3! What you could also do:
>>>>
>>>> color = "green" if (fields()>100)
>>>>
>>>> Hope this helps. Looking forward to seeing your output on secviz.org.
>>>> What's the use-case you are after?
>>>>
>>>> Cheers
>>>>
>>>> Raffael
>>>>
>>>> --
>>>> Raffael Marty, Founder @ Loggly
>>>> @zrlram raffy.ch/blog
>>>>
>>>> On Mar 10, 2010, at 5:56 AM, Paul Halliday wrote:
>>>>
>>>>> Or have field[3] available?
>>>>>
>>>>> I want to colour a source or target based on its count of events.
>>>>> Is this possible?
>>>>>
>>>>> Thanks.
>>>>> _______________________________________________
>>>>> SecViz-Visualization mailing list
>>>>> SecViz-Visualization at secviz.org
>>>>> http://eight.pairlist.net/mailman/listinfo/secviz-visualization
>>>>
>>>>
>>
>>
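An added example, not code from this thread or from AfterGlow itself: a small stand-alone Perl script that does offline what the properties file in the messages above is meant to do, pulling the count out of Paul's third field with Bob's regex and then running ordered colour rules over it. It assumes AfterGlow's first-rule-that-returns-a-value evaluation, uses constructed sample rows, and adds a catch-all for counts above 100, which Paul's four rules leave at the default colour.

```perl
#!/usr/bin/perl
# Stand-in for AfterGlow property evaluation (added example, not AfterGlow code).
use strict;
use warnings;

# Constructed sample rows: src_ip, dst_ip, "<ip> Count: <n>" as in Paul's
# third field. With afterglow -t this third column is $fields[2].
my @rows = (
    ['10.0.0.1', '20.2.2.2', '172.16.0.1 Count: 1'],
    ['10.0.0.1', '20.2.2.2', '172.16.0.1 Count: 20'],
    ['12.2.2.2', '10.0.0.1', '172.16.0.5 Count: 75'],
    ['12.2.2.2', '10.0.0.1', '172.16.0.9 Count: 250'],
    ['12.2.2.2', '10.0.0.1', '172.16.0.9'],   # no count: falls back to default
);

# Extract the count with Bob's regex; undef when the field has no "Count:".
sub count_of {
    my ($field) = @_;
    return $field =~ /Count:\s+(\d+)/ ? $1 : undef;
}

# Ordered colour rules, each returning a colour or undef. Assumes the first
# rule that returns a value wins, so order matters: ==1 must precede <=20,
# and the catch-all for counts above 100 must come last.
my @rules = (
    sub { $_[0] == 1   ? 'yellow'    : undef },
    sub { $_[0] <= 20  ? 'gray70'    : undef },
    sub { $_[0] <= 50  ? 'gray50'    : undef },
    sub { $_[0] <= 100 ? 'orangered' : undef },
    sub { 'red' },   # anything above 100
);

sub colour_for {
    my ($count) = @_;
    return 'white' unless defined $count;   # unparsable field: default colour
    for my $rule (@rules) {
        my $c = $rule->($count);
        return $c if defined $c;
    }
    return 'white';
}

for my $row (@rows) {
    my $count = count_of($row->[2]);
    printf "%-9s -> %-9s count=%-4s target colour: %s\n",
        $row->[0], $row->[1], defined $count ? $count : '?', colour_for($count);
}
```

The five rows come out as yellow, gray70, orangered, red and white respectively; swapping the first two rules would turn the count=1 row gray70, which is the kind of ordering slip worth checking before editing a real properties file.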