[SecViz] Afterglow: Is it possible to split a field?

Paul Halliday paul.halliday at gmail.com
Mon Mar 15 08:44:45 EDT 2010

Previous message: [SecViz] Afterglow: Is it possible to split a field?
Next message: [SecViz] Afterglow: Is it possible to split a field?
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I verified the code from the command line, it works fine.

I see why it is failing though:

Property File Error, unrecongnized entry: $fields[2], line 1
Property File Error, unrecongnized entry: $hit_count, line 2

I guess the properties file isn't taken literally?

On Sat, Mar 13, 2010 at 10:16 PM, Raffael Marty <raffy at raffy.ch> wrote:

> I think that's because count is not an int, but a string. Is that possible? I think you can try to cast it to an int...

>

> Raffael

>

> --

> Raffael Marty, Founder @ Loggly

> @zrlram raffy.ch/blog

>

> On Mar 13, 2010, at 5:05 PM, Paul Halliday wrote:

>

>> That seems to colour everything yellow; I am tired though, I could be

>> missing something simple..

>>

>> I have this:

>>

>> $fields[2] =~ /Count\:\s+(\d+)/;

>> $count = $1;

>> color.target="yellow" if ($count==1);

>> color.target="gray70" if ($count<=20);

>> color.target="gray50" if ($count<=50);

>> color.target="orangered" if ($count<=100);

>>

>> I get this:

>>

>> http://www.pintumbler.org/files/scans_2010-03-13.png

>>

>> What am I missing?

>>

>> On Sat, Mar 13, 2010 at 3:20 PM, Bob Fox <dauntingbob at yahoo.com> wrote:

>>> Paul:

>>>

>>> I always find split clumsy and tend to solve such problems with a regex...

>>>

>>> Perhaps something like:

>>>

>>> $fields[2] =~ /Count\:\s+(\d+)/;

>>> $count = $1;

>>> color.event="yellow" if ($count<=20);

>>>

>>>

>>> -----------

>>> Bob Fox

>>>

>>>

>>>

>>> ________________________________

>>> From: Paul Halliday <paul.halliday at gmail.com>

>>> To: Raffael Marty <raffy at raffy.ch>

>>> Cc: secviz-visualization at secviz.org

>>> Sent: Fri, March 12, 2010 10:11:38 PM

>>> Subject: Re: [SecViz] Afterglow: Is it possible to split a field?

>>>

>>> Even after reading up on Perl's 'split' I cant seem to get this to

>>> work (I couldn't hobble your example together either).

>>>

>>> $fields[2] looks like this:

>>>

>>> 172.16.0.1 Count: 20

>>>

>>> I am trying this:

>>>

>>> $count=split(' Count: ',$fields[2]);

>>>

>>> color.event="yellow" if ($count[1]<=20);

>>>

>>> Any pointers would be nice :)

>>>

>>> Thanks!

>>>

>>> On Wed, Mar 10, 2010 at 2:15 PM, Raffael Marty <raffy at raffy.ch> wrote:

>>>> Oh, I see... I think you are breaking some functionality if you do that.

>>>> Not sure though. Anyways, you could do something like format your data this

>>>> way:

>>>>

>>>> A,B,C|D

>>>>

>>>> Then in your properties file, split by | again:

>>>>

>>>> color = $count=split("|",$fields[2])[0]; return "red" if ($count > 100)

>>>>

>>>> I haven't tested this (my perl code might be off too, been in Python land

>>>> for too long), but it should work... Hopefully ;)

>>>>

>>>> Raffael

>>>>

>>>> --

>>>> Raffael Marty, Founder @ Loggly

>>>> @zrlram raffy.ch/blog

>>>>

>>>> On Mar 10, 2010, at 9:44 AM, Paul Halliday wrote:

>>>>

>>>>> I have been working on this:

>>>>>

>>>>> http://www.pintumbler.org/code/edv

>>>>>

>>>>> The problem I was having was that I was already using the 3 fields:

>>>>>

>>>>> src_ip, dst_ip, signature

>>>>>

>>>>> I wanted to add a little depth by adding an event count for each

>>>>> unique (src->dst->signature) entry; a 4th field.

>>>>>

>>>>> I changed a couple lines in afterglow.pl:

>>>>>

>>>>> on line 438 I added: $other = $fields[3];

>>>>>

>>>>> and on line 474 I changed it to read:

>>>>> @fields=($source,$event,$target,$other);

>>>>>

>>>>> Now I can do:

>>>>>

>>>>> src_ip, dst_ip, signature,count using count to colorize the objects:

>>>>>

>>>>> http://www.pintumbler.org/files/allevents_2010-03-10_thumb.png

>>>>>

>>>>> It needs some work but its close to what I was looking for.

>>>>>

>>>>> Thanks.

>>>>>

>>>>> On Wed, Mar 10, 2010 at 12:56 PM, Raffael Marty <raffy at raffy.ch> wrote:

>>>>>> Hi Paul,

>>>>>>

>>>>>> Sure you can do that.

>>>>>>

>>>>>> Let's say you have a three column input:

>>>>>>

>>>>>> 10.0.0.1,20.2.2.2,100

>>>>>> 12.2.2.2,10.0.0.1,12

>>>>>>

>>>>>> So, you have a source address, destination address, and a count. Then do

>>>>>> this:

>>>>>>

>>>>>> cat file | afterglow -t -c file.properties | ....

>>>>>>

>>>>>> What is important is the -t, which tells AfterGlow to only visualize two

>>>>>> columns. The third column will still be available in your config file. So,

>>>>>> the file.properties would look something like:

>>>>>>

>>>>>> color.target = "red" if ($fields[2]>100)

>>>>>>

>>>>>> Note, it's $fields[2], not 3! What you could also:

>>>>>>

>>>>>> color = "green" if (fields()>100)

>>>>>>

>>>>>> Hope this helps. Looking forward to seeing your output on secviz.org.

>>>>>> What's the use-case you are after?

>>>>>>

>>>>>> Cheers

>>>>>>

>>>>>> Raffael

>>>>>>

>>>>>> --

>>>>>> Raffael Marty, Founder @ Loggly

>>>>>> @zrlram raffy.ch/blog

>>>>>>

>>>>>> On Mar 10, 2010, at 5:56 AM, Paul Halliday wrote:

>>>>>>

>>>>>>> Or have field[3] available?

>>>>>>>

>>>>>>> I want to colour a source or target based on its count of events.

>>>>>>> Is this possible?

>>>>>>>

>>>>>>> Thanks.

>>>>>>> _______________________________________________

>>>>>>> SecViz-Visualization mailing list

>>>>>>> SecViz-Visualization at secviz.org

>>>>>>> http://eight.pairlist.net/mailman/listinfo/secviz-visualization

>>>>>>

>>>>>>

>>>>

>>>>

>>> _______________________________________________

>>> SecViz-Visualization mailing list

>>> SecViz-Visualization at secviz.org

>>> http://eight.pairlist.net/mailman/listinfo/secviz-visualization

>>>

>

>

Previous message: [SecViz] Afterglow: Is it possible to split a field?
Next message: [SecViz] Afterglow: Is it possible to split a field?
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the SecViz-Visualization mailing list