[Bro-Dev] Bro IDS request
Azoff, Justin S
jazoff at illinois.edu
Fri Aug 12 11:40:26 PDT 2016
> On Aug 12, 2016, at 2:14 PM, Aashish Sharma <asharma at lbl.gov> wrote:
>
> May be try: ftp://ftp.ee.lbl.gov/cf-1.2.5.tar.gz
>
> eg: cf conn.log | less
>
Yeah.. cf should be a few times faster than bro-cut for busy log files, especially if the only thing you are doing is converting the timestamp.
It has an optimization that bro-cut doesn't have yet for avoiding converting timestamps if the current one is the same second as the previous one.
If you are using both tools though and only extracting a few fields, piping bro-cut to cf should be faster than piping cf to bro-cut.
I'm not sure why converting the timestamp is so important though. What are you doing with the data once you convert the timestamps?
--
- Justin Azoff
More information about the bro-dev
mailing list