[Bro] quick question

Vlad Grigorescu vladg at cmu.edu
Tue Apr 30 13:44:00 PDT 2013


Hey Brian,

As Shane mentioned, bro-cut is one way to make better sense of your logs. There's some additional information about working with your logs available from the Bro Workshop, at: <http://www.bro.org/bro-workshop-2011/> (Exercise 2). If you're new to Bro, I'd definitely recommend checking out the Bro Workshop exercises. There are videos and a lot of hands-on questions and solutions for many day-to-day tasks with Bro.

Another way of converting timestamps is simply with the date command (I often resort to this when I just need a single timestamp):

> $ date -d @1367064229.605422
> Sat Apr 27 08:03:49 EDT 2013

Hope this helps,

  --Vlad

On Apr 30, 2013, at 4:37 PM, "Castle, Shane" <scastle at bouldercounty.org> wrote:

> The Bro documentation area is strangely lacking in some respects. The command you are looking for is bro-cut, a powerful little script that can display a human-readable timestamp and also display only the fields of the log files that you are interested in, and rearrange them if you want. The main thing to remember is that it's a classic stdin->stdout command and does not operate on the filename: 
> "bro-cut -d ts id.orig_h id.resp_h orig_bytes resp_bytes id.resp_p <conn.log" for example.
> 
> Or, after the archiving has been done:
> 
> ls -1 2013-03-27/conn.*gz | while read fn;do (export TZ=MST7MDT;zcat $fn | bro-cut -d );done | fgrep 192.168.131.135 | less
> 
> This would be if, for instance, your system's clock was running in UTC (which mine is).
> 
> -- 
> Shane Castle
> Data Security Mgr, Boulder County IT
> 
> -----Original Message-----
> From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Allen, Brian
> Sent: Tuesday, April 30, 2013 14:02
> To: bro at bro.org
> Subject: [Bro] quick question
> 
> Hi, I installed Bro here and I can already tell it is extremely useful.  I'm just learning how to use it so I have lots of questions.  Here are a couple quick ones:
> 
> When parsing through the bro log files, how do I turn the timestamp column into something human readable?  Where would I go to find this answer on my own?  Is there a newbie guide to bro I should be reading?  I don't see how to search this mailing list's archives.
> 
> Thanks,
> -Brian
> 
> Brian Allen
> Network Security Analyst
> Washington University
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
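The thread above covers two tools for the same job: `bro-cut -d` to pick columns and render the `ts` field, and `date -d @<epoch>` for a single value, with `TZ` controlling which zone the result is shown in. As an added example that is not code from the Bro project or from any of the posters, here is a small Python stand-in that parses Bro's TSV log format (the `#separator` and `#fields` header lines), selects columns by name in the order requested, and renders `ts` in an explicit time zone. The sample conn.log, its hosts, uids and byte counts are constructed for the example; the `EDT` fixed offset stands in for the zone shown in the quoted `date` output; and the `%Y-%m-%dT%H:%M:%S%z` output format is my assumption of what `bro-cut -d` prints, not something taken from the page.

```python
from datetime import datetime, timezone, timedelta

# Constructed sample: a minimal Bro conn.log header plus two records
# (the hosts, uids and byte counts are made up for this example).
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\torig_bytes\tresp_bytes\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tcount\tcount\n"
    "1367064229.605422\tCXWv6p3arKYeMETxOg\t192.168.131.135\t52345\t10.0.0.5\t80\ttcp\t512\t2048\n"
    "1367064230.123456\tC4J4Th3PJpwUYZZ6gc\t192.168.131.135\t52346\t10.0.0.9\t443\ttcp\t-\t1024\n"
    "#close\t2013-04-27-08-05-00\n"
)

# Assumed fixed UTC-4 offset standing in for US Eastern Daylight Time, the
# zone in the quoted `date` output; a real deployment would use zoneinfo.
EDT = timezone(timedelta(hours=-4), name="EDT")


def parse_bro_log(text):
    """Parse Bro's TSV log format: '#'-prefixed header lines declare the
    separator and the field names; every other line is one record."""
    sep = "\t"
    fields = None
    rows = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):
            # The separator is written escaped (e.g. \x09) after a space.
            sep = line[len("#separator "):].encode().decode("unicode_escape")
        elif line.startswith("#fields" + sep):
            fields = line.split(sep)[1:]
        elif line.startswith("#"):
            continue  # other metadata lines (#types, #path, #close, ...)
        else:
            if fields is None:
                raise ValueError("data line before #fields header")
            values = line.split(sep)
            if len(values) != len(fields):
                raise ValueError("field count mismatch: %r" % line)
            rows.append(dict(zip(fields, values)))
    return rows


def format_ts(ts, tz=timezone.utc):
    """Render a Bro epoch timestamp in the given zone using the assumed
    bro-cut style %Y-%m-%dT%H:%M:%S%z; the unset marker '-' passes through."""
    if ts == "-":
        return ts
    return datetime.fromtimestamp(float(ts), tz).strftime("%Y-%m-%dT%H:%M:%S%z")


def bro_cut(text, names, tz=timezone.utc, human_ts=True):
    """Select the named columns from a Bro log, in the order requested,
    converting the 'ts' column when human_ts is set. Returns a header row
    followed by one list of strings per record."""
    rows = parse_bro_log(text)
    out = [list(names)]
    for row in rows:
        rec = []
        for name in names:
            if name not in row:
                raise KeyError("unknown field: %s" % name)
            val = row[name]
            if human_ts and name == "ts":
                val = format_ts(val, tz)
            rec.append(val)
        out.append(rec)
    return out


if __name__ == "__main__":
    cols = ["ts", "id.orig_h", "id.resp_h", "orig_bytes", "resp_bytes", "id.resp_p"]
    for rec in bro_cut(SAMPLE_CONN_LOG, cols, tz=EDT):
        print("\t".join(rec))
```

Passing `tz=EDT` plays the same role as Shane's `export TZ=MST7MDT` in front of `bro-cut -d`: the stored value is always seconds since the epoch in UTC, and only the rendering chooses a zone, so logs from sensors with different clock settings can be compared without touching the raw files. Sub-second precision is dropped in the rendered form, as with the quoted `date` output; keep the raw `ts` column alongside it when ordering events that are less than a second apart.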
