[SecViz] Afterglow: Is it possible to split a field?
Raffael Marty
raffy at raffy.ch
Mon Mar 15 11:13:55 EDT 2010
Oh... Yeah, you can't do that....
>>> $fields[2] =~ /Count\:\s+(\d+)/;
>>> $count = $1;
>>> color.target="yellow" if ($count==1);
>>> color.target="gray70" if ($count<=20);
>>> color.target="gray50" if ($count<=50);
>>> color.target="orangered" if ($count<=100);
Needs to be:
color.target=$fields[2] =~ /Count\:\s+(\d+)/; $count=$1; "yellow" if ($count==1);
Hope that works.
Raffael
--
Raffael Marty, Founder @ Loggly
@zrlram raffy.ch/blog
On Mar 15, 2010, at 5:44 AM, Paul Halliday wrote:
> I verified the code from the command line, it works fine.
>
> I see why it is failing though:
>
> Property File Error, unrecongnized entry: $fields[2], line 1
> Property File Error, unrecongnized entry: $hit_count, line 2
>
> I guess the properties file isn't taken literally?
>
> On Sat, Mar 13, 2010 at 10:16 PM, Raffael Marty <raffy at raffy.ch> wrote:
>> I think that's because count is not an int, but a string. Is that possible? I think you can try to cast it to an int...
>>
>> Raffael
>>
>> --
>> Raffael Marty, Founder @ Loggly
>> @zrlram raffy.ch/blog
>>
>> On Mar 13, 2010, at 5:05 PM, Paul Halliday wrote:
>>
>>> That seems to colour everything yellow; I am tired though, I could be
>>> missing something simple..
>>>
>>> I have this:
>>>
>>>
>>>
>>> I get this:
>>>
>>> http://www.pintumbler.org/files/scans_2010-03-13.png
>>>
>>> What am I missing?
>>>
>>> On Sat, Mar 13, 2010 at 3:20 PM, Bob Fox <dauntingbob at yahoo.com> wrote:
>>>> Paul:
>>>>
>>>> I always find split clumsy and tend to solve such problems with a regex...
>>>>
>>>> Perhaps something like:
>>>>
>>>> $fields[2] =~ /Count\:\s+(\d+)/;
>>>> $count = $1;
>>>> color.event="yellow" if ($count<=20);
>>>>
>>>>
>>>> -----------
>>>> Bob Fox
>>>>
>>>>
>>>>
>>>> ________________________________
>>>> From: Paul Halliday <paul.halliday at gmail.com>
>>>> To: Raffael Marty <raffy at raffy.ch>
>>>> Cc: secviz-visualization at secviz.org
>>>> Sent: Fri, March 12, 2010 10:11:38 PM
>>>> Subject: Re: [SecViz] Afterglow: Is it possible to split a field?
>>>>
>>>> Even after reading up on Perl's 'split' I cant seem to get this to
>>>> work (I couldn't hobble your example together either).
>>>>
>>>> $fields[2] looks like this:
>>>>
>>>> 172.16.0.1 Count: 20
>>>>
>>>> I am trying this:
>>>>
>>>> $count=split(' Count: ',$fields[2]);
>>>>
>>>> color.event="yellow" if ($count[1]<=20);
>>>>
>>>> Any pointers would be nice :)
>>>>
>>>> Thanks!
>>>>
>>>> On Wed, Mar 10, 2010 at 2:15 PM, Raffael Marty <raffy at raffy.ch> wrote:
>>>>> Oh, I see... I think you are breaking some functionality if you do that.
>>>>> Not sure though. Anyways, you could do something like format your data this
>>>>> way:
>>>>>
>>>>> A,B,C|D
>>>>>
>>>>> Then in your properties file, split by | again:
>>>>>
>>>>> color = $count=split("|",$fields[2])[0]; return "red" if ($count > 100)
>>>>>
>>>>> I haven't tested this (my perl code might be off too, been in Python land
>>>>> for too long), but it should work... Hopefully ;)
>>>>>
>>>>> Raffael
>>>>>
>>>>> --
>>>>> Raffael Marty, Founder @ Loggly
>>>>> @zrlram raffy.ch/blog
>>>>>
>>>>> On Mar 10, 2010, at 9:44 AM, Paul Halliday wrote:
>>>>>
>>>>>> I have been working on this:
>>>>>>
>>>>>> http://www.pintumbler.org/code/edv
>>>>>>
>>>>>> The problem I was having was that I was already using the 3 fields:
>>>>>>
>>>>>> src_ip, dst_ip, signature
>>>>>>
>>>>>> I wanted to add a little depth by adding an event count for each
>>>>>> unique (src->dst->signature) entry; a 4th field.
>>>>>>
>>>>>> I changed a couple lines in afterglow.pl:
>>>>>>
>>>>>> on line 438 I added: $other = $fields[3];
>>>>>>
>>>>>> and on line 474 I changed it to read:
>>>>>> @fields=($source,$event,$target,$other);
>>>>>>
>>>>>> Now I can do:
>>>>>>
>>>>>> src_ip, dst_ip, signature,count using count to colorize the objects:
>>>>>>
>>>>>> http://www.pintumbler.org/files/allevents_2010-03-10_thumb.png
>>>>>>
>>>>>> It needs some work but its close to what I was looking for.
>>>>>>
>>>>>> Thanks.
>>>>>>
>>>>>> On Wed, Mar 10, 2010 at 12:56 PM, Raffael Marty <raffy at raffy.ch> wrote:
>>>>>>> Hi Paul,
>>>>>>>
>>>>>>> Sure you can do that.
>>>>>>>
>>>>>>> Let's say you have a three column input:
>>>>>>>
>>>>>>> 10.0.0.1,20.2.2.2,100
>>>>>>> 12.2.2.2,10.0.0.1,12
>>>>>>>
>>>>>>> So, you have a source address, destination address, and a count. Then do
>>>>>>> this:
>>>>>>>
>>>>>>> cat file | afterglow -t -c file.properties | ....
>>>>>>>
>>>>>>> What is important is the -t, which tells AfterGlow to only visualize two
>>>>>>> columns. The third column will still be available in your config file. So,
>>>>>>> the file.properties would look something like:
>>>>>>>
>>>>>>> color.target = "red" if ($fields[2]>100)
>>>>>>>
>>>>>>> Note, it's $fields[2], not 3! What you could also:
>>>>>>>
>>>>>>> color = "green" if (fields()>100)
>>>>>>>
>>>>>>> Hope this helps. Looking forward to seeing your output on secviz.org.
>>>>>>> What's the use-case you are after?
>>>>>>>
>>>>>>> Cheers
>>>>>>>
>>>>>>> Raffael
>>>>>>>
>>>>>>> --
>>>>>>> Raffael Marty, Founder @ Loggly
>>>>>>> @zrlram raffy.ch/blog
>>>>>>>
>>>>>>> On Mar 10, 2010, at 5:56 AM, Paul Halliday wrote:
>>>>>>>
>>>>>>>> Or have field[3] available?
>>>>>>>>
>>>>>>>> I want to colour a source or target based on its count of events.
>>>>>>>> Is this possible?
>>>>>>>>
>>>>>>>> Thanks.
>>>>>>>> _______________________________________________
>>>>>>>> SecViz-Visualization mailing list
>>>>>>>> SecViz-Visualization at secviz.org
>>>>>>>> http://eight.pairlist.net/mailman/listinfo/secviz-visualization
>>>>>>>
>>>>>>>
>>>>>
>>>>>
>>>> _______________________________________________
>>>> SecViz-Visualization mailing list
>>>> SecViz-Visualization at secviz.org
>>>> http://eight.pairlist.net/mailman/listinfo/secviz-visualization
>>>>
>>
>>
More information about the SecViz-Visualization
mailing list