metrics.http-ext.bro
# Example of the output format (illustrative only; the fmt() call in http_write_stats determines the fields actually written):
#http_metrics total=343243 inbound=102313 outbound=3423432 exe_download=23
@load global-ext
@load http-ext
export {
	# How often http_write_stats() is re-scheduled, i.e. the reporting period.
	global http_metrics_interval: interval = +60sec;

	# Per-interval HTTP counters keyed by metric name ("total", "inbound",
	# "outbound", "video_download", "youtube_watches"). &default=0 makes a
	# key that has not been incremented yet read as 0.
	# NOTE(review): &synchronized is commented out, so in a multi-node
	# deployment each node would presumably keep and log its own counters;
	# confirm before aggregating these logs.
	global http_metrics: table[string] of count &default=0; #&synchronized;

	# Log file that receives one http_metrics line per reporting period.
	const http_metrics_log = open_log_file("http-ext-metrics");
}
# Periodic reporter: writes one summary line of the HTTP counters to
# http_metrics_log, resets the counters, and re-schedules itself.
event http_write_stats()
	{
	# Skip the write (and the reset) for intervals in which no request was
	# counted, so idle periods leave no record in the log.
	if ( http_metrics["total"] != 0 )
		{
		# Only aggregate counts and the network timestamp are written;
		# no per-host or per-URI data reaches this log.
		local summary = fmt("http_metrics time=%.6f total=%d inbound=%d outbound=%d video_download=%d youtube_watches=%d",
		                    network_time(),
		                    http_metrics["total"],
		                    http_metrics["inbound"],
		                    http_metrics["outbound"],
		                    http_metrics["video_download"],
		                    http_metrics["youtube_watches"]);
		print http_metrics_log, summary;

		# Start the next interval from zero.
		clear_table(http_metrics);
		}

	# Always re-arm the timer, whether or not a line was written.
	schedule http_metrics_interval { http_write_stats() };
	}
# Startup hook: arms the first reporting timer and configures the log file.
event bro_init()
	{
	# First report fires one http_metrics_interval after startup.
	schedule http_metrics_interval { http_write_stats() };

	# Turn buffering off (F) on the metrics log, presumably so each summary
	# line is visible to log consumers as soon as it is printed.
	set_buf(http_metrics_log, F);
	}
# Counts every http_ext event into the per-interval metrics table.
# The negative priority means this handler runs after default-priority
# handlers for the same event.
#
# id: connection 4-tuple; only the originator address (orig_h) is read.
# si: http-ext session info; only the uri and host fields are read.
#
# NOTE(review): the uri and host values come from the request, so a client
# can inflate video_download / youtube_watches with crafted requests.
# The patterns are unanchored substring matches: ".avi" anywhere in the URI
# (including a query string) and any host containing "youtube" both count.
# Treat these counters as rough traffic indicators, not as evidence.
event http_ext(id: conn_id, si: http_ext_session_info) &priority=-10
	{
	++http_metrics["total"];

	# A local originator means the request left the site ("outbound");
	# anything else is counted as "inbound".
	++http_metrics[is_local_addr(id$orig_h) ? "outbound" : "inbound"];

	# Heuristic: a video file extension appears somewhere in the URI.
	if ( /\.(avi|flv|mp4|mpg)/ in si$uri )
		++http_metrics["video_download"];

	# Heuristic: a watch-page URI, then (only if that matched) a host
	# name containing "youtube".
	if ( /watch\?v=/ in si$uri )
		{
		if ( /youtube/ in si$host )
			++http_metrics["youtube_watches"];
		}
	}