From seth at icir.org Tue Apr 8 13:37:02 2014 From: seth at icir.org (Seth Hall) Date: Tue, 8 Apr 2014 13:37:02 -0700 Subject: [TM] [git] master: I still had timemachine.cfg broken. I think it's better now. (8891e81) Message-ID: <201404082037.s38Kb2dT003977@bro-ids.icir.org> Repository : ssh://git at bro-ids.icir.org/time-machine On branch : master >--------------------------------------------------------------- commit 8891e81481170770b45706e110a013462bb00ae4 Author: Seth Hall Date: Tue Apr 8 16:26:22 2014 -0400 I still had timemachine.cfg broken. I think it's better now. >--------------------------------------------------------------- 8891e81481170770b45706e110a013462bb00ae4 etc/timemachine.cfg.in | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/etc/timemachine.cfg.in b/etc/timemachine.cfg.in index d5c1dde..f2b065d 100644 --- a/etc/timemachine.cfg.in +++ b/etc/timemachine.cfg.in @@ -7,8 +7,10 @@ main { ## Directories for packet captures, logs, and indexes. ## These directories must exist when timemachine starts! workdir "@CMAKE_INSTALL_PREFIX@/var/tm"; - indexdir "@CMAKE_INSTALL_PREFIX@/indexes"; - queryfiledir "@CMAKE_INSTALL_PREFIX@/queries"; + ## These will be relative to if not + ## given as full paths. + indexdir "indexes"; + queryfiledir "queries"; ## Name for the log to be stored in logfile "timemachine.log"; From layer3 at dissectcyber.com Wed Apr 23 09:42:04 2014 
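Review bot: the new comment in the hunk, `## These will be relative to if not` / `## given as full paths.`, is missing the thing the paths are relative to (nothing follows "relative to"), so the reader cannot tell whether `indexdir "indexes";` and `queryfiledir "queries";` resolve against the `workdir` setting on the line above or against the process's current working directory when timemachine starts. State the base directory explicitly, e.g. `## These are taken relative to workdir if not given as full paths.` if that is the intended behaviour, and reconcile it with the unchanged header comment `## These directories must exist when timemachine starts!`, which now also has to hold for the resolved relative paths.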
From: layer3 at dissectcyber.com (Milandon Foley)
Date: Wed, 23 Apr 2014 12:42:04 -0400
Subject: [TM] Time Machine + Bro = Logging Based on Bro Fields
Message-ID:

Hello,

My name is Milandon, I work for Dissect Cyber part time. I am looking to work with Time Machine and Bro, but I need some help. I am not terribly well versed in Broscript, but I have been learning.

One of my main goals is to set up bro and time machine to log entire streams when a specific value in the bro log matches a criterion. In this case, I am attempting to use Time Machine to capture pcaps when bro detects a connection that originated from the outside of the network (using the field that labels connections with T or F). Can someone please point me in the right direction? The guys and girls on #Bro were nice and helpful, but time machine isn't their strength. One guy, Justin AZ(?) pointed me to bro 1.5 which has broscripts for time machine, but I do not know what I need to add or rewrite to get it to work the way I want.

I am also interested in using Time Machine for other tasks, but those are in the future, and I would like to tackle one thing at a time if possible.

Please feel free to contact me via email at layer3 at dissectcyber.com. Or if you want to chat just let me know. Also, if you need more information don't hesitate to ask!

Thanks for your time,
Milandon

From seth at icir.org Thu Apr 24 10:11:37 2014
From: seth at icir.org (Seth Hall)
Date: Thu, 24 Apr 2014 13:11:37 -0400
Subject: [TM] Time Machine + Bro = Logging Based on Bro Fields
In-Reply-To:
References:
Message-ID:

On Apr 23, 2014, at 12:42 PM, Milandon Foley wrote:

> One of my
> main goals is to setup bro and time machine to log entire streams when
> a specific value in the bro log matches a criteria.

There is a prototype branch in Bro named: topic/seth/timemachine-framework

What's missing is the mechanism to make Bro connect to timemachine. If you make Bro connect to timemachine, then you'll be able to call something like:

    # Fires once a TCP handshake completes; dump the whole stream to
    # Time Machine when the originator is outside our local networks
    # and the responder is inside them.
    event connection_established(c: connection)
        {
        if ( ! Site::is_local_addr(c$id$orig_h) && Site::is_local_addr(c$id$resp_h) )
            {
            TimeMachine::dump_conn(c);
            }
        }

If you do any work on this, we'd appreciate if you contributed back your changes and additions.

Thanks!
  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
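As an added example (not code from the thread, from Bro, or from the Time Machine repository), here is a complete policy script that builds on the handler Seth sketches. It assumes the prototype topic/seth/timemachine-framework branch he mentions, which is taken to provide TimeMachine::dump_conn(c: connection); that function is only assumed to exist there. The T/F field Milandon refers to is conn.log's local_orig, which Bro derives from the same Site::is_local_addr() test used here, so the script decides inbound-ness the same way the log does. It goes a step beyond the snippet above: local networks are declared (constructed sample values), the dump can be limited to a set of responder ports, and UDP/ICMP flows, which never raise connection_established, are caught on their first packet via new_connection instead.

```bro
## Added example, not part of the Time Machine project or the Bro distribution.
## Assumes TimeMachine::dump_conn(c: connection) from the prototype branch
## topic/seth/timemachine-framework (hypothetical outside that branch).
@load base/utils/site

module DumpInbound;

## Networks regarded as local; Site::is_local_addr() consults this set and
## conn.log's local_orig/local_resp fields are derived from it.
## Constructed sample values for this example.
redef Site::local_nets += { 192.168.0.0/16, 10.0.0.0/8 };

export {
    ## Responder ports worth a full-stream dump. Empty means every port.
    const dump_ports: set[port] = { 22/tcp, 80/tcp, 443/tcp, 53/udp } &redef;
}

## True when the originator is outside Site::local_nets and the responder is
## inside, i.e. the connection would be logged with local_orig=F, local_resp=T.
function is_inbound(c: connection): bool
    {
    return ! Site::is_local_addr(c$id$orig_h) && Site::is_local_addr(c$id$resp_h);
    }

## Apply the port filter (an empty set disables it) and hand the connection
## to Time Machine.
function maybe_dump(c: connection)
    {
    if ( |dump_ports| > 0 && c$id$resp_p !in dump_ports )
        return;
    TimeMachine::dump_conn(c);
    }

## TCP: raised once the three-way handshake completes, so half-open scans
## that never finish a handshake do not trigger a dump.
event connection_established(c: connection)
    {
    if ( is_inbound(c) )
        maybe_dump(c);
    }

## UDP and ICMP never raise connection_established; their first packet
## raises new_connection, and the first packet already fixes the direction.
event new_connection(c: connection)
    {
    if ( get_port_transport_proto(c$id$resp_p) == tcp )
        return;   # TCP is handled above once the handshake completes
    if ( is_inbound(c) )
        maybe_dump(c);
    }
```

Load it from local.bro (or with `bro -i <iface> this-script.bro` alongside the prototype branch) and adjust Site::local_nets to the monitored address space; with the wrong local_nets every connection looks inbound and Time Machine would be asked to dump everything.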