[Bro] Help with searching logs
Oehlert, Samuel J
soehlert at illinois.edu
Tue Apr 2 19:23:41 PDT 2013
You cut those fields out when you did your bro-cut. The id.orig_h and orig_bytes are both fields in the log. If you want other fields, you just add those to your list. E.g.:
bro-cut ts id.orig_h orig_bytes resp_bytes < conn.log ….etc
-Sam
-------
Sam Oehlert <soehlert at illinois.edu>
(217) 300-1076
Security Engineer
National Center for Supercomputing Applications
On Apr 2, 2013, at 7:19 PM, Michael Bower <mbower2 at gmail.com> wrote:
> I'm still learning, so bear with me. I ran the following command:
>
> bro-cut id.orig_h orig_bytes < conn.log \
> | sort \
> | awk '{ if (host != $1) { \
>     if (size != 0) \
>       print host, size; \
>     host=$1; \
>     size=$2
>   } else \
>     size += $2 \
> } \
> END { \
>   if (size != 0) \
>     print host, size \
> }' \
> | sort -rnk 2 \
> | head -n 10
>
>
> This worked well to show me the top 10 hosts (originators). What I'm
> trying to do is show the top 10 hosts and the time (ts). Maybe show
> the resp_bytes field too, if that is possible. Any help would be
> greatly appreciated.
>
> Thanks!
>
> Mike
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
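A version of the pipeline Sam describes that also carries ts and resp_bytes, as an added example that is not from the thread. It assumes its input is the tab-separated output of `bro-cut ts id.orig_h orig_bytes resp_bytes < conn.log`; the sample records below are constructed, not taken from a real conn.log. Using an awk associative array instead of sort plus a running total avoids the host-boundary off-by-one and counts every record.

```shell
#!/bin/sh
# Added example: per-originator byte totals from bro-cut output.
# Input columns (tab-separated): ts, id.orig_h, orig_bytes, resp_bytes.
# Bro logs an unset counter as "-", which the awk below treats as 0.

top_originators() {
    # $1 = number of hosts to print (default 10); input on stdin.
    # Output columns: host, earliest ts, total orig_bytes, total resp_bytes.
    awk -F'\t' '
        {
            host = $2
            ob = ($3 == "-") ? 0 : $3
            rb = ($4 == "-") ? 0 : $4
            if (!(host in first_ts) || $1 + 0 < first_ts[host] + 0)
                first_ts[host] = $1   # earliest connection start per host
            orig[host] += ob
            resp[host] += rb
        }
        END {
            for (h in orig)
                printf "%s\t%s\t%d\t%d\n", h, first_ts[h], orig[h], resp[h]
        }' | sort -t "$(printf '\t')" -k3,3rn | head -n "${1:-10}"
}

# Constructed sample input (hypothetical hosts and byte counts).
sample_input() {
    printf '%s\t%s\t%s\t%s\n' \
        1364957000.1 10.0.0.5 500  2000 \
        1364957001.2 10.0.0.7 -    100  \
        1364957002.3 10.0.0.5 1500 300  \
        1364957003.4 10.0.0.9 4000 10   \
        1364956999.0 10.0.0.7 250  -
}

sample_input | top_originators 2
```

To run it on a real log, replace `sample_input` with `bro-cut ts id.orig_h orig_bytes resp_bytes < conn.log`.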