[Bro] quick question
BrianAllen at wustl.edu
Tue Apr 30 13:46:38 PDT 2013
Awesome. Thanks. I'm still wandering around the bro directories learning
where everything is.
From: <Castle>, Shane <scastle at bouldercounty.org>
Date: Tuesday, April 30, 2013 3:37 PM
To: Brian Allen <brianallen at wustl.edu>, "'bro at bro.org'" <bro at bro.org>
Subject: RE: quick question
The Bro documentation area is strangely lacking in some respects. The
command you are looking for is bro-cut, a powerful little script that can
display a human-readable timestamp and also display only the fields of the
log files that you are interested in, and rearrange them if you want. The
main thing to remember is that it's a classic stdin->stdout command and
does not operate on the filename:
"bro-cut -d ts id.orig_h id.resp_h orig_bytes resp_bytes id.resp_p
<conn.log" for example.
Or, after the archiving has been done:
ls -1 2013-03-27/conn.*gz | while read fn;do (export TZ=MST7MDT;zcat "$fn" |
bro-cut -d );done | fgrep 192.168.131.135 | less
This would be if, for instance, your system's clock was running in UTC
(which mine is).
Data Security Mgr, Boulder County IT
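A small Python re-implementation of what bro-cut -d does, added here as an example; it is not code from the thread or from the Bro project. It reads the #fields/#types header of a Bro ASCII log, keeps only the requested columns in the requested order, and renders time fields as timestamps. The conn.log excerpt is constructed, and the timestamps are rendered in UTC for determinism (bro-cut -d follows TZ, as in the pipeline above).

```python
"""Minimal bro-cut lookalike (added example, not Bro's own bro-cut)."""
import datetime

# Constructed sample in Bro's tab-separated ASCII log format.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tconn",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\torig_bytes\tresp_bytes",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tcount\tcount",
    "1364405400.123456\tCXWv6p3arKYeMETxOg\t192.168.131.135\t49152\t10.0.0.5\t80\ttcp\t512\t4096",
    "1364405460.000000\tCjhGID4nQcgTWjvg4c\t10.0.0.7\t53001\t192.168.131.135\t22\ttcp\t-\t-",
    "#close\t2013-03-27-17-00-00",
])

TS_FORMAT = "%Y-%m-%dT%H:%M:%S%z"  # same shape as bro-cut -d output


def bro_cut(text, fields, human_time=False, tz=datetime.timezone.utc):
    """Return one list per data line holding only `fields`, in that order.

    With human_time=True every column whose #types entry is 'time' is
    rendered with TS_FORMAT in `tz` (bro-cut -d uses the local zone).
    Unset values (the #unset_field marker, '-' by default) pass through."""
    names = types = None
    unset = "-"
    rows = []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            names = line.split("\t")[1:]
        elif line.startswith("#types\t"):
            types = line.split("\t")[1:]
        elif line.startswith("#unset_field\t"):
            unset = line.split("\t")[1]
        elif line.startswith("#") or not line.strip():
            continue  # other header lines and blanks
        else:
            if names is None:
                raise ValueError("data line before #fields header")
            record = dict(zip(names, line.split("\t")))
            out = []
            for f in fields:
                if f not in record:
                    raise KeyError("unknown field %r; header has %r" % (f, names))
                v = record[f]
                if human_time and types and types[names.index(f)] == "time" and v != unset:
                    v = datetime.datetime.fromtimestamp(float(v), tz=tz).strftime(TS_FORMAT)
                out.append(v)
            rows.append(out)
    return rows


if __name__ == "__main__":
    for row in bro_cut(SAMPLE_CONN_LOG, ["ts", "id.orig_h", "id.resp_h", "orig_bytes"], True):
        print("\t".join(row))
```

Piping a real conn.log through this gives the same column selection as the bro-cut invocation above; swap `tz` for your local zone to match bro-cut -d.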
From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Allen,
Sent: Tuesday, April 30, 2013 14:02
To: bro at bro.org
Subject: [Bro] quick question
Hi, I installed Bro here and I can already tell it is extremely useful.
I'm just learning how to use it so I have lots of questions. Here are a
couple quick ones:
When parsing through the bro log files, how do I turn the timestamp column
into something human readable? Where would I go to find this answer on my
own? Is there a newbie guide to bro I should be reading? I don't see how
to search this mailing list's archives.
Network Security Analyst