[SecViz] Afterglow: Is it possible to split a field?
Raffael Marty
raffy at raffy.ch
Sat Mar 13 20:16:37 EST 2010
I think that's because count is not an int, but a string. Is that possible? I think you can try to cast it to an int...
Raffael
--
Raffael Marty, Founder @ Loggly
@zrlram raffy.ch/blog
On Mar 13, 2010, at 5:05 PM, Paul Halliday wrote:
> That seems to colour everything yellow; I am tired though, I could be
> missing something simple..
>
> I have this:
>
> $fields[2] =~ /Count\:\s+(\d+)/;
> $count = $1;
> color.target="yellow" if ($count==1);
> color.target="gray70" if ($count<=20);
> color.target="gray50" if ($count<=50);
> color.target="orangered" if ($count<=100);
>
> I get this:
>
> http://www.pintumbler.org/files/scans_2010-03-13.png
>
> What am I missing?
>
> On Sat, Mar 13, 2010 at 3:20 PM, Bob Fox <dauntingbob at yahoo.com> wrote:
>> Paul:
>>
>> I always find split clumsy and tend to solve such problems with a regex...
>>
>> Perhaps something like:
>>
>> $fields[2] =~ /Count\:\s+(\d+)/;
>> $count = $1;
>> color.event="yellow" if ($count<=20);
>>
>>
>> -----------
>> Bob Fox
>>
>>
>>
>> ________________________________
>> From: Paul Halliday <paul.halliday at gmail.com>
>> To: Raffael Marty <raffy at raffy.ch>
>> Cc: secviz-visualization at secviz.org
>> Sent: Fri, March 12, 2010 10:11:38 PM
>> Subject: Re: [SecViz] Afterglow: Is it possible to split a field?
>>
>> Even after reading up on Perl's 'split' I can't seem to get this to
>> work (I couldn't hobble your example together either).
>>
>> $fields[2] looks like this:
>>
>> 172.16.0.1 Count: 20
>>
>> I am trying this:
>>
>> $count=split(' Count: ',$fields[2]);
>>
>> color.event="yellow" if ($count[1]<=20);
>>
>> Any pointers would be nice :)
>>
>> Thanks!
>>
>> On Wed, Mar 10, 2010 at 2:15 PM, Raffael Marty <raffy at raffy.ch> wrote:
>>> Oh, I see... I think you are breaking some functionality if you do that.
>>> Not sure though. Anyways, you could do something like format your data this
>>> way:
>>>
>>> A,B,C|D
>>>
>>> Then in your properties file, split by | again:
>>>
>>> color = $count=(split(/\|/,$fields[2]))[1]; return "red" if ($count > 100)
>>>
>>> I haven't tested this (my perl code might be off too, been in Python land
>>> for too long), but it should work... Hopefully ;)
>>>
>>> Raffael
>>>
>>> --
>>> Raffael Marty, Founder @ Loggly
>>> @zrlram raffy.ch/blog
>>>
>>> On Mar 10, 2010, at 9:44 AM, Paul Halliday wrote:
>>>
>>>> I have been working on this:
>>>>
>>>> http://www.pintumbler.org/code/edv
>>>>
>>>> The problem I was having was that I was already using the 3 fields:
>>>>
>>>> src_ip, dst_ip, signature
>>>>
>>>> I wanted to add a little depth by adding an event count for each
>>>> unique (src->dst->signature) entry; a 4th field.
>>>>
>>>> I changed a couple lines in afterglow.pl:
>>>>
>>>> on line 438 I added: $other = $fields[3];
>>>>
>>>> and on line 474 I changed it to read:
>>>> @fields=($source,$event,$target,$other);
>>>>
>>>> Now I can do:
>>>>
>>>> src_ip, dst_ip, signature,count using count to colorize the objects:
>>>>
>>>> http://www.pintumbler.org/files/allevents_2010-03-10_thumb.png
>>>>
>>>> It needs some work but it's close to what I was looking for.
>>>>
>>>> Thanks.
>>>>
>>>> On Wed, Mar 10, 2010 at 12:56 PM, Raffael Marty <raffy at raffy.ch> wrote:
>>>>> Hi Paul,
>>>>>
>>>>> Sure you can do that.
>>>>>
>>>>> Let's say you have a three column input:
>>>>>
>>>>> 10.0.0.1,20.2.2.2,100
>>>>> 12.2.2.2,10.0.0.1,12
>>>>>
>>>>> So, you have a source address, destination address, and a count. Then do
>>>>> this:
>>>>>
>>>>> cat file | afterglow -t -c file.properties | ....
>>>>>
>>>>> What is important is the -t, which tells AfterGlow to only visualize two
>>>>> columns. The third column will still be available in your config file. So,
>>>>> the file.properties would look something like:
>>>>>
>>>>> color.target = "red" if ($fields[2]>100)
>>>>>
>>>>> Note, it's $fields[2], not 3! What you could also do:
>>>>>
>>>>> color = "green" if (fields()>100)
>>>>>
>>>>> Hope this helps. Looking forward to seeing your output on secviz.org.
>>>>> What's the use-case you are after?
>>>>>
>>>>> Cheers
>>>>>
>>>>> Raffael
>>>>>
>>>>> --
>>>>> Raffael Marty, Founder @ Loggly
>>>>> @zrlram raffy.ch/blog
>>>>>
>>>>> On Mar 10, 2010, at 5:56 AM, Paul Halliday wrote:
>>>>>
>>>>>> Or have field[3] available?
>>>>>>
>>>>>> I want to colour a source or target based on its count of events.
>>>>>> Is this possible?
>>>>>>
>>>>>> Thanks.
>>>>>> _______________________________________________
>>>>>> SecViz-Visualization mailing list
>>>>>> SecViz-Visualization at secviz.org
>>>>>> http://eight.pairlist.net/mailman/listinfo/secviz-visualization
>>>>>
>>>>>
>>>
>>>
>>
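Added example, not code from the thread and not from afterglow.pl: a stand-alone Perl script that evaluates the count extraction and colour rules discussed above outside AfterGlow, so the split and regex variants can be checked against a few rows before they go into a properties file. It assumes that the third column looks like Paul's `172.16.0.1 Count: 20`, that in Raffael's `A,B,C|D` layout the count is the part after the pipe, and that colour rules are checked top to bottom with the first match winning, which is the order AfterGlow applies its colour statements in and is why Paul's thresholds have to go from small to large. The sample rows are constructed.

```perl
#!/usr/bin/perl
# Added example (not from the thread or from AfterGlow itself): mimic how a
# properties file sees @fields and pick a colour from an event count.
use strict;
use warnings;

# Constructed sample rows: src,dst,"target Count: N". The count lives inside
# the text of the third column, as in Paul's data; the last row has none.
my @rows = (
    "10.0.0.1,20.2.2.2,172.16.0.1 Count: 20",
    "12.2.2.2,10.0.0.1,172.16.0.5 Count: 1",
    "10.0.0.9,20.2.2.2,172.16.0.7 Count: 250",
    "10.0.0.9,20.2.2.2,172.16.0.8",
);

# Pull the count out of "<ip> Count: <n>" with a regex, as Bob suggested, and
# cast it to an int, as Raffael suggested. Returns undef when there is no
# match instead of silently reusing a stale $1 from an earlier regex.
sub count_from_field {
    my ($field) = @_;
    return $field =~ /Count:\s+(\d+)/ ? int($1) : undef;
}

# Thresholds in ascending order, first match wins. Listing them the other way
# round, or putting an unconditional colour first, would swallow the rest.
sub colour_for_count {
    my ($count) = @_;
    return "black"     unless defined $count;   # no count: obvious default
    return "yellow"    if $count == 1;
    return "gray70"    if $count <= 20;
    return "gray50"    if $count <= 50;
    return "orangered" if $count <= 100;
    return "red";
}

# Raffael's C|D layout. split's first argument is a pattern, so split("|", ...)
# is the regex /|/, an empty alternation that matches the empty string and
# therefore splits between every character; the pipe must be escaped.
sub count_from_pipe_field {
    my ($field) = @_;
    my @parts = split(/\|/, $field);             # ("172.16.0.1", "120")
    return (defined $parts[1] && $parts[1] =~ /^\d+$/) ? int($parts[1]) : undef;
}

# What the unescaped form does to the same field: one element per character.
sub broken_split_parts {
    my ($field) = @_;
    my @chars = split("|", $field);
    return scalar @chars;                        # 14 for "172.16.0.1|120"
}

for my $row (@rows) {
    my @fields = split(/,/, $row);
    my $count  = count_from_field($fields[2]);
    printf "%-10s %-10s %-24s count=%-4s colour=%s\n",
        $fields[0], $fields[1], $fields[2],
        (defined $count ? $count : "n/a"), colour_for_count($count);
}

printf "C|D form: count=%d colour=%s\n",
    count_from_pipe_field("172.16.0.1|120"),
    colour_for_count(count_from_pipe_field("172.16.0.1|120"));
printf "split(\"|\") on the same field yields %d pieces\n",
    broken_split_parts("172.16.0.1|120");
```

Inside a properties file the same logic reduces to the regex line plus the ordered `color.target=... if (...)` statements, with the cast applied to `$1`; the script is only there to confirm what each expression returns for a given `$fields[2]` before colouring a whole graph with it.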