[Bro] quick question

[Allen, Brian]

Awesome.  Thanks.  I'm still wandering around the bro directories learning
where everything is.
Thanks,
-Brian

-----Original Message-----
From: <Castle>, Shane <scastle at bouldercounty.org>
Date: Tuesday, April 30, 2013 3:37 PM
To: Brian Allen <brianallen at wustl.edu>, "'bro at bro.org'" <bro at bro.org>
Subject: RE: quick question

The Bro documentation area is strangely lacking in some respects. The
command you are looking for is bro-cut, a powerful little script that can
display a human-readable timestamp and also display only the fields of the
log files that you are interested in, and rearrange them if you want. The
main thing to remember is that it's a classic stdin->stdout command and
does not operate on the filename:
"bro-cut -d ts id.orig_h id.resp_h orig_bytes resp_bytes id.resp_p
<conn.log" for example.

Or, after the archiving has been done:

ls -1 2013-03-27/conn.*gz | while read fn;do (export TZ=MST7MDT;zcat $fn |
bro-cut -d );done | fgrep 192.168.131.135 | less

This would be if, for instance, your system's clock was running in UTC
(which mine is).

-- 
Shane Castle
Data Security Mgr, Boulder County IT

-----Original Message-----
From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Allen,
Brian
Sent: Tuesday, April 30, 2013 14:02
To: bro at bro.org
Subject: [Bro] quick question

Hi, I installed Bro here and I can already tell it is extremely useful.
I'm just learning how to use it so I have lots of questions.  Here are a
couple quick ones:

When parsing through the bro log files, how do I turn the timestamp column
into something human readable?  Where would I go to find this answer on my
own?  Is there a newbie guide to bro I should be reading?  I don't see how
to search this mailing list's archives.

Thanks,
-Brian

Brian Allen
Network Security Analyst
Washington University