[Bro] quick question
James Lay
jlay at slave-tothe-box.net
Tue Apr 30 16:57:04 PDT 2013
I made two scripts…findbro and zfindbro…I run findbro in current, and zfindbro in the archive dirs:
egrep -h "^#|$1" * | bro-cut -d
zegrep -h "^#|$1" * | bro-cut -d
Then just put in a host or ip or domain and you'll get everything on it…from dns lookups to connections.
James
On Apr 30, 2013, at 2:29 PM, Daniel Thayer <dnthayer at illinois.edu> wrote:
> On 04/30/2013 03:01 PM, Allen, Brian wrote:
>> Hi, I installed Bro here and I can already tell it is extremely useful.
>> I'm just learning how to use it so I have lots of questions. Here are
>> a couple quick ones:
>>
>> When parsing through the bro log files, how do I turn the timestamp
>> column into something human readable? Where would I go to find this
>> answer on my own? Is there a newbie guide to bro I should be reading?
>> I don't see how to search this mailing list's archives.
>>
>> Thanks,
>> -Brian
>>
>> Brian Allen
>> Network Security Analyst
>> Washington University
>>
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>
> There's a command "bro-cut" that should be installed in
> the same directory as "bro". Run bro-cut with an invalid
> option (such as "bro-cut -x") and it will output a usage
> message. There are several command-line options to convert
> timestamps to human-readable format.
>
> If you look at any email that was sent out to the mailing list,
> there is a link to the mailing list archives at the bottom
> of the message.
>
> The Bro documentation is at http://bro.org/documentation/index.html
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
More information about the Bro
mailing list