[SecViz] Afterglow: Is it possible to split a field?

Paul Halliday paul.halliday at gmail.com
Wed Mar 10 12:44:56 EST 2010


I have been working on this:

http://www.pintumbler.org/code/edv

The problem I was having was that I was already using the 3 fields:

src_ip, dst_ip, signature

I wanted to add a little depth by adding an event count for each
unique (src->dst->signature) entry; a 4th field.

I changed a couple lines in afterglow.pl:

on line 438 I added: $other = $fields[3];

and on line 474 I changed it to read: @fields=($source,$event,$target,$other);

Now I can do:

src_ip, dst_ip, signature, count, using count to colorize the objects:

http://www.pintumbler.org/files/allevents_2010-03-10_thumb.png

It needs some work but it's close to what I was looking for.

Thanks.

On Wed, Mar 10, 2010 at 12:56 PM, Raffael Marty <raffy at raffy.ch> wrote:

> Hi Paul,
>
> Sure you can do that.
>
> Let's say you have a three column input:
>
> 10.0.0.1,20.2.2.2,100
> 12.2.2.2,10.0.0.1,12
>
> So, you have a source address, destination address, and a count. Then do this:
>
> cat file | afterglow -t -c file.properties | ....
>
> What is important is the -t, which tells AfterGlow to only visualize two columns. The third column will still be available in your config file. So, the file.properties would look something like:
>
> color.target = "red" if ($fields[2]>100)
>
> Note, it's $fields[2], not 3! What you could also do:
>
> color = "green" if (fields()>100)
>
> Hope this helps. Looking forward to seeing your output on secviz.org. What's the use-case you are after?
>
> Cheers
>
>  Raffael
>
> --
> Raffael Marty, Founder @ Loggly
> @zrlram raffy.ch/blog
>
> On Mar 10, 2010, at 5:56 AM, Paul Halliday wrote:
>
>> Or have field[3] available?
>>
>> I want to colour a source or target based on its count of events.
>> Is this possible?
>>
>> Thanks.
>> _______________________________________________
>> SecViz-Visualization mailing list
>> SecViz-Visualization at secviz.org
>> http://eight.pairlist.net/mailman/listinfo/secviz-visualization
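The pre-processing Paul describes (one count per unique src->dst->signature entry, emitted as a 4th column for the patched afterglow.pl) and the stock `-t` route Raffy describes (a 3rd column reachable as `$fields[2]`), as an added Python example that is not AfterGlow's code and not from the thread. The alert lines, signature names and function names are constructed for the example.

```python
"""Aggregate per-(src, dst, signature) event counts for AfterGlow input.

Added example, not AfterGlow's own code and not from the thread. It turns raw
alert lines (constructed below) into either the 4-column src,dst,signature,count
form that the patched afterglow.pl in the post reads (count = $fields[3]), or
the 3-column src,dst,count form that stock `afterglow -t` reads, where the
count is reachable as $fields[2] in the properties file (0-based, as noted).
"""
from collections import Counter

# Constructed sample alerts, one event per line: src_ip,dst_ip,signature
SAMPLE_ALERTS = """\
10.0.0.1,20.2.2.2,ET SCAN Nmap
10.0.0.1,20.2.2.2,ET SCAN Nmap
12.2.2.2,10.0.0.1,ET POLICY SSH
10.0.0.1,20.2.2.2,ET SCAN Nmap
12.2.2.2,10.0.0.1,ET POLICY SSH
"""

def count_events(alert_text):
    """Return {(src, dst, signature): count} over the non-empty alert lines."""
    counts = Counter()
    for line in alert_text.splitlines():
        line = line.strip()
        if not line:
            continue
        # Split at most twice: the signature is the remainder of the line.
        src, dst, sig = (p.strip() for p in line.split(",", 2))
        counts[(src, dst, sig)] += 1
    return counts

def to_four_column(counts):
    """src,dst,signature,count lines for the patched afterglow.pl ($fields[3])."""
    return [f"{s},{d},{sig},{n}" for (s, d, sig), n in sorted(counts.items())]

def to_three_column(counts):
    """src,dst,count lines for stock `afterglow -t`; the count is $fields[2]."""
    pair_counts = Counter()
    for (s, d, _sig), n in counts.items():
        pair_counts[(s, d)] += n
    return [f"{s},{d},{n}" for (s, d), n in sorted(pair_counts.items())]

if __name__ == "__main__":
    c = count_events(SAMPLE_ALERTS)
    print("\n".join(to_four_column(c)))
```

Pipe the printed lines into `afterglow` with a properties rule such as `color.target = "red" if ($fields[2]>100)` (3-column form) to colour by count.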
