[Bro-Dev] Bro IDS request

Dave Florek dave.a.florek at gmail.com
Tue Aug 16 14:12:58 PDT 2016


I'll check it out. Glad to know there are alternatives to bro-cut.

Thanks for your time guys,

On Fri, Aug 12, 2016 at 3:10 PM, Dave Florek <dave.a.florek at gmail.com>
wrote:

> Manual searching to establish a timeline of events that I can understand
> when my intel.log chirps.
>
> On Fri, Aug 12, 2016 at 2:40 PM, Azoff, Justin S <jazoff at illinois.edu>
> wrote:
>
>>
>> > On Aug 12, 2016, at 2:14 PM, Aashish Sharma <asharma at lbl.gov> wrote:
>> >
>> > Maybe try: ftp://ftp.ee.lbl.gov/cf-1.2.5.tar.gz
>> >
>> > eg: cf conn.log  | less
>> >
>>
>> Yeah, cf should be a few times faster than bro-cut for busy log files,
>> especially if the only thing you are doing is converting the timestamp.
>> It has an optimization that bro-cut doesn't have yet for avoiding
>> converting timestamps if the current one is the same second as the previous
>> one.
>>
>> If you are using both tools though and only extracting a few fields,
>> piping bro-cut to cf should be faster than piping cf to bro-cut.
>>
>> I'm not sure why converting the timestamp is so important though. What
>> are you doing with the data once you convert the timestamps?
>>
>>
>> --
>> - Justin Azoff
>>
>>
>
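As an added example, not code from this thread nor from cf or bro-cut, the following Python sketch shows the same-second optimization Justin describes applied to the ts column of a constructed Bro conn.log: the whole second is run through strftime only when it differs from the previous record's. It assumes the standard #fields header and UTC output.

```python
import time

# Constructed sample: a minimal Bro ASCII conn.log (tab-separated) whose
# first two records fall in the same second and the third in the next one.
SAMPLE_CONN_LOG = [
    "#separator \\x09",
    "#path\tconn",
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\tproto",
    "#types\ttime\tstring\taddr\taddr\tenum",
    "1471283578.123456\tCabc1\t10.0.0.5\t192.0.2.10\ttcp",
    "1471283578.654321\tCabc2\t10.0.0.6\t192.0.2.10\ttcp",
    "1471283579.000001\tCabc3\t10.0.0.7\t192.0.2.11\tudp",
    "#close\t2016-08-16-14-12-58",
]


def convert_ts(lines, utc=True, fmt="%Y-%m-%d %H:%M:%S"):
    """Rewrite the 'ts' column of a Bro ASCII log as human-readable time,
    formatting the whole second only when it changes (the cf optimization).
    Returns (converted_lines, number_of_strftime_calls)."""
    ts_idx = None      # column index of 'ts', learned from the #fields header
    last_sec = None    # whole second most recently formatted (as a string)
    last_str = None    # its formatted form, reused while the second repeats
    conversions = 0
    out = []
    for line in lines:
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                ts_idx = line.split("\t")[1:].index("ts")
            out.append(line)          # header lines pass through untouched
            continue
        if ts_idx is None:
            raise ValueError("record seen before the #fields header")
        cols = line.split("\t")
        raw = cols[ts_idx]
        if raw == "-":                # Bro's marker for an unset field
            out.append(line)
            continue
        sec, _, frac = raw.partition(".")
        if sec != last_sec:
            tm = time.gmtime(int(sec)) if utc else time.localtime(int(sec))
            last_str = time.strftime(fmt, tm)
            last_sec = sec
            conversions += 1
        cols[ts_idx] = last_str + ("." + frac if frac else "")
        out.append("\t".join(cols))
    return out, conversions


if __name__ == "__main__":
    lines, calls = convert_ts(SAMPLE_CONN_LOG)
    print("\n".join(lines) + f"\n# strftime called {calls} times")
```

Running it on the three-record sample costs two strftime calls instead of three; on a real conn.log with hundreds of connections per second the saving is proportionally larger.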