[Bro] adding srcip to correlation script
Kellogg, Brian D (OLN)
bkellogg at dresser-rand.com
Fri Jan 2 08:46:34 PST 2015
I’m working with the correlation script released by CrowdStrike, thank you BTW, and I want to populate the “srcip” field with the correct source IP so that I can do a groupby on that field in ELSA. How do I get the conn record for this connection into the below function so that I can add $conn=c to the notice? Not sure what the best way to do this is; can I just add it to the function arguments, or define “c” as a local and then assign the source IP, “idx” in this case, to c$id$orig_h?
function alerts_out(t: table[addr] of set[string], idx: addr): interval
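Added illustration, not the CrowdStrike script or anything from the poster: a table expire function has the fixed signature shown above (Bro passes only the table and the expiring key), so a connection record cannot be added to its arguments. Notice::Info does carry an optional src field of type addr, so the key itself can go into the notice; the module name, notice type, interval and the connection_state_remove trigger below are assumptions made for the example.

```bro
# Example module; name and notice type are assumed, not from the original script.
module CorrExample;

export {
    redef enum Notice::Type += {
        # Raised when the per-source set of alert names expires.
        Correlated_Alerts
    };
}

# &expire_func handlers must have exactly this signature: Bro calls them with
# the table and the expiring index only, so there is no connection record here.
# The index is the source address, which is what notice.log's src column (and
# ELSA's srcip) needs; $src=idx fills it without needing $conn=c.
function alerts_out(t: table[addr] of set[string], idx: addr): interval
{
    NOTICE([$note=Correlated_Alerts,
            $msg=fmt("%d distinct alerts correlated for %s", |t[idx]|, idx),
            $src=idx,
            $n=|t[idx]|]);
    # Returning 0 secs lets the entry expire now; a positive interval would
    # keep it alive that much longer.
    return 0secs;
}

# Per-source set of alert names; assumed 5 minute window for the example.
global alerts: table[addr] of set[string]
    &create_expire=5mins &expire_func=alerts_out;

# Assumed trigger: where a connection record IS in scope, use it directly.
# $conn=c also fills src, dst and the uid/id columns in notice.log.
event connection_state_remove(c: connection)
{
    local src = c$id$orig_h;
    if ( src !in alerts )
        alerts[src] = set();
    add alerts[src][fmt("%s/%s", c$id$resp_p, c$conn$proto)];
}
```

Wherever the alert is first observed (an event with a `c: connection` parameter), pass `$conn=c`; inside the expire function only `$src=idx` is available, and that is sufficient for the srcip grouping.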