Cool, that's exactly the place I was looking (wasn't sure if changing this
might break existing scripts... but since this is all quite new, probably
best to make the change soon). I'll get the PR up soon.
On Mon, 11 Nov 2019 at 22:17, Jon Siwek <jsiwek(a)corelight.com> wrote:
On Mon, Nov 11, 2019 at 11:37 AM Henri
I still have one outstanding issue which is that for a container type,
record_field$type_name is just the container name (such as "set"). I
don't see a way to get the type of the container elements from Zeek
script, but once again would be delighted to be corrected.
And if there's currently no way, I'm happy to put up a PR, but I could
use some guidance on how to expose this in Zeek (e.g. a new field on
Would be great if you want to try making a PR. The first way to do it
that comes to mind is just alter that "record_field$type_name" to
better describe containers in a format like "vector of XXX",
"set[XXX]" or "table[XXX] of YYY". This should be the relevant code