[Bro] quick question

Aashish SHARMA init.conf at gmail.com
Tue Apr 30 14:48:23 PDT 2013


bro has some helper utilities called cf and hf ( can't recall if they are already installed with standard dist or not - used to be in aux directory in source)

but they are also available here :

cf converts unix time in human readable format. 

hf - resolves hostnames 

one way to search logs is:   grep <IP> conn.log  | cf 

(make sure  cf is your path)

Also, from the bro mailing list archives:



On Apr 30, 2013, at 1:46 PM, "Allen, Brian" <BrianAllen at wustl.edu> wrote:

> Awesome.  Thanks.  I'm still wandering around the bro directories learning
> where everything is.
> Thanks,
> -Brian
> -----Original Message-----
> From: <Castle>, Shane <scastle at bouldercounty.org>
> Date: Tuesday, April 30, 2013 3:37 PM
> To: Brian Allen <brianallen at wustl.edu>, "'bro at bro.org'" <bro at bro.org>
> Subject: RE: quick question
> The Bro documentation area is strangely lacking in some respects. The
> command you are looking for is bro-cut, a powerful little script that can
> display a human-readable timestamp and also display only the fields of the
> log files that you are interested in, and rearrange them if you want. The
> main thing to remember is that it's a classic stdin->stdout command and
> does not operate on the filename:
> "bro-cut -d ts id.orig_h id.resp_h orig_bytes resp_bytes id.resp_p
> <conn.log" for example.
> Or, after the archiving has been done:
> ls -1 2013-03-27/conn.*gz | while read fn;do (export TZ=MST7MDT;zcat $fn |
> bro-cut -d );done | fgrep | less
> This would be if, for instance, your system's clock was running in UTC
> (which mine is).
> -- 
> Shane Castle
> Data Security Mgr, Boulder County IT
> -----Original Message-----
> From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Allen,
> Brian
> Sent: Tuesday, April 30, 2013 14:02
> To: bro at bro.org
> Subject: [Bro] quick question
> Hi, I installed Bro here and I can already tell it is extremely useful.
> I'm just learning how to use it so I have lots of questions.  Here are a
> couple quick ones:
> When parsing through the bro log files, how do I turn the timestamp column
> into something human readable?  Where would I go to find this answer on my
> own?  Is there a newbie guide to bro I should be reading?  I don't see how
> to search this mailing list's archives.
> Thanks,
> -Brian
> Brian Allen
> Network Security Analyst
> Washington University
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20130430/c379d9bd/attachment.html 

More information about the Bro mailing list