[Bro] minor documentation error
scastle at bouldercounty.org
Mon Dec 31 09:33:18 PST 2012
I found another issue with this script. The Unix/POSIX sort command will not sort IP addresses correctly unless it is told to explicitly:
"sort -t '.' -k 1,1n -k 2,2n -k 3,3n -k 4,4n". This defect causes the script to lie about who is using how many bytes.
If you want a nice example, just access a reasonably busy Bro system, go to one of the compressed log directories, and try:
"zcat conn.*.gz | bro-cut id.orig_h orig_bytes | sort | less"
You will see it sorting addresses like 192.168.6.48 and 192.168.64.8 the same. This causes the subsequent awk script to fail rather badly.
And that brings up another point: many times the orig_bytes field will be nonnumeric, containing a "-" or a blank instead of a number. I don't know how the awk script deals with these, offhand. I am trying to find out, and create a true toptalkers script that really works.
Data Security Mgr, Boulder County IT
From: bro-bounces at bro-ids.org [mailto:bro-bounces at bro-ids.org] On Behalf Of Liam Randall
Sent: Friday, December 28, 2012 18:11
To: bro at bro-ids.org
Subject: [Bro] minor documentation error
Came up on the SO list.
What are the top 10 hosts (originators) that send the most traffic?
The final sort should be "sort -rnk 2"
Credits Shane Castle
Happy Holidays All,
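A top-talkers pipeline that avoids both pitfalls raised in the thread (lexical sorting of IP addresses and non-numeric orig_bytes values), as an added example that is not part of the original messages. The sample lines are constructed to stand in for the output of `zcat conn.*.gz | bro-cut id.orig_h orig_bytes`; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed stand-in for the output of
# "zcat conn.*.gz | bro-cut id.orig_h orig_bytes" (tab-separated), including
# the non-numeric orig_bytes values ("-" and empty) mentioned in the thread.
sample_conn() {
  printf '%s\t%s\n' \
    192.168.6.48 1500 \
    192.168.64.8 200 \
    192.168.6.48 - \
    10.0.0.5 '' \
    192.168.64.8 4000 \
    10.0.0.5 300 \
    192.168.6.48 2500
}

# Sum orig_bytes per originator. awk keeps its own per-host totals, so the
# input needs no pre-sort at all, which sidesteps the lexical IP-sort problem
# (192.168.6.48 vs 192.168.64.8). Rows whose second field is not a plain
# integer are skipped and counted on stderr instead of corrupting the totals.
# Output: "<ip>\t<bytes>", highest first, limited to the top N (default 10).
toptalkers() {
  n="${1:-10}"
  awk -F'\t' '
    $2 ~ /^[0-9]+$/ { bytes[$1] += $2; next }
    { skipped++ }
    END {
      for (h in bytes) print h "\t" bytes[h]
      if (skipped)
        print "skipped " skipped " rows with non-numeric orig_bytes" > "/dev/stderr"
    }' | sort -rnk 2 | head -n "$n"
}

# Order aggregated output by address instead of by bytes, using the per-octet
# numeric keys from the thread; a bare "sort" would place 192.168.64.8
# before 192.168.6.48.
sort_by_ip() {
  sort -t '.' -k 1,1n -k 2,2n -k 3,3n -k 4,4n
}

# Stand-alone run: top 10 talkers from the constructed sample.
sample_conn | toptalkers 10
```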