[Bro] Feature Request, up to 50% done?
Seth Hall
seth at icir.org
Tue Feb 12 12:43:53 PST 2013
On Feb 11, 2013, at 4:17 PM, Jesse Bowling <jessebowling at gmail.com> wrote:
> So, I suppose I'm requesting that someone with more gawk chops than myself give a shot at integrating this into bro-cut
I tend to use these lines in my profile...
alias bro-column="sed \"s/fields.//;s/types.//\" | column -s $'\t' -t"
alias bro-awk="awk -F'\t'"
bro-grep() { grep -E "(^#)|$1" $2; }
bro-zgrep() { zgrep -E "(^#)|$1" $2; }
What you're trying to do can then be accomplished like this…
bro-zgrep '10.10.10.10' /usr/local/bro/logs/conn.*.log.gz | bro-cut id.orig_h,id.resp_h
It *would* be handy to be able to do this through bro-cut though but that would make bro-cut start to sound like an incorrectly named utility. :)
Have you tried using the ElasticSearch writer and Brownian?
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
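The grep-then-cut pipeline above, folded into a single awk pass that keeps the header lines and trims the #fields/#types lines to the selected columns, as an added example that is not part of the original post or of bro-cut itself. bro_grep_cut is a hypothetical function name, the sample conn log is constructed, and it assumes tab-separated Bro ASCII logs.

```shell
#!/bin/sh
# Added example (not from the thread): filter data rows by an extended
# regex while keeping every '#' header/footer line, then print only the
# columns named in COLS (comma-separated), resolved from the '#fields' line.
# Usage: bro_grep_cut PATTERN COLS < some.log
bro_grep_cut() {
    awk -F'\t' -v pat="$1" -v want="$2" '
        BEGIN { n = split(want, names, ",") }
        /^#fields/ {
            # "#fields" is $1, so data column c carries name $(c + 1).
            for (i = 2; i <= NF; i++) idx[$i] = i - 1
            out = "#fields"
            for (k = 1; k <= n; k++) out = out "\t" names[k]
            print out; next
        }
        /^#types/ {
            out = "#types"
            for (k = 1; k <= n; k++) {
                c = idx[names[k]]
                out = out "\t" (c ? $(c + 1) : "-")
            }
            print out; next
        }
        /^#/ { print; next }
        $0 ~ pat {
            out = ""
            for (k = 1; k <= n; k++) {
                c = idx[names[k]]
                # Unknown column names print as "-" rather than aborting.
                out = out (k > 1 ? "\t" : "") (c ? $c : "-")
            }
            print out
        }'
}

# Constructed sample conn log (three header lines, two data rows, footer).
SAMPLE_LOG=$(printf '#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p
#types\ttime\tstring\taddr\tport\taddr\tport
1360000000.1\tC1\t10.10.10.10\t52000\t192.0.2.5\t80
1360000001.2\tC2\t10.0.0.7\t52001\t192.0.2.9\t443
#close\t2013-02-12-12-00-00')

# Equivalent of: bro-grep '10.10.10.10' conn.log | bro-cut id.orig_h,id.resp_h
printf '%s\n' "$SAMPLE_LOG" | bro_grep_cut '10.10.10.10' 'id.orig_h,id.resp_h'
```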