[Bro] "bro-cut -d | grep" vs. "grep | bro-cut -d"

Jesse Bowling jessebowling at gmail.com
Fri Mar 29 08:50:54 PDT 2013


Hi James,

I asked a similar question under a subject like "Feature request; up to 50%
done?" and got this answer from Seth, which solves some of the problems I
think you're trying to solve...

Cheers,

Jesse

On Feb 11, 2013, at 4:17 PM, Jesse Bowling <jessebowling at gmail.com> wrote:

> So, I suppose I'm requesting that someone with more gawk chops than myself give a shot at integrating this into bro-cut

I tend to use these lines in my profile...

alias bro-column="sed \"s/fields.//;s/types.//\" | column -s $'\t' -t"   # drop the "#fields"/"#types" prefixes, then align columns on tabs
alias bro-awk="awk -F'\t'"   # Bro logs are tab-separated; the two spaces in the archived alias were almost certainly a literal tab
bro-grep() { grep -E "(^#)|$1" "$2"; }    # keep every '#' header line so bro-cut still sees #fields/#types
bro-zgrep() { zgrep -E "(^#)|$1" "$2"; }  # same, for the gzipped logs under logs/

What you're trying to do can then be accomplished like this…

bro-zgrep '10.10.10.10' /usr/local/bro/logs/conn.*.log.gz | bro-cut id.orig_h,id.resp_h

It *would* be handy to be able to do this through bro-cut though but that
would make bro-cut start to sound like an incorrectly named utility. :)

Have you tried using the ElasticSearch writer and Brownian?

  .Seth


On Fri, Mar 29, 2013 at 11:17 AM, James Lay <jlay at slave-tothe-box.net> wrote:

> Topic (sorta) says it.  Example:
>
> [08:49:21 ids:~/broarchive/03-28-2013$] zcat dns.log.gz | grep light | bro-cut -d
>
> [08:49:25 ids:~/broarchive/03-28-2013$] zcat dns.log.gz | bro-cut -d | grep light
> 2013-03-28T20:42:09-0600        X8KFdodB5Ie     x.x.x.x    55051   x.x.x.x    53      udp     43494   www.lighting.com      1       C_INTERNET      1       A       0       NOERROR F       F       T       T       0       x.x.x.x    3600.000000
> [08:49:50 ids:~/broarchive/03-28-2013$]
>
> I'd like to grep out the content before sending to bro-cut as it takes
> a fraction of the time (as shown above).  I've made sure that no
> colorization is happening.  Any hints on how I can get this to fly?
> Thank you.
>
> James
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>



-- 
Jesse Bowling
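The following is an added example, not code from the thread or from the Bro project. It shows why James's first pipeline printed nothing: bro-cut takes the column names from the #fields header line, so a plain grep that discards the '#' lines leaves it nothing to work with, while Seth's header-preserving grep keeps the pipeline working. Because bro-cut itself is not assumed to be installed, cut_fields below is a small awk stand-in for "bro-cut f1,f2" (it does not implement -d), and the dns.log lines are constructed for this example; the hostnames and addresses in them are made up.

```shell
# Constructed, tab-separated sample in Bro's ASCII log format (header lines start with '#').
sample_log() {
  printf '#separator \\x09\n'
  printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tquery\n'
  printf '#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\n'
  printf '1364524929.123456\tX8KFdodB5Ie\t10.0.0.5\t55051\t10.0.0.1\t53\tudp\twww.lighting.com\n'
  printf '1364524930.654321\tCk9aBc1QzY2\t10.0.0.6\t40000\t10.0.0.1\t53\tudp\texample.org\n'
}

# Seth's trick written as a filter: pass every '#' header line plus every line matching $1.
bro_grep() { grep -E "(^#)|$1"; }

# Stand-in for `bro-cut a,b,...` (example code, not the real tool): learns column
# positions from the #fields line, skips the other header lines, and prints the
# requested columns tab-separated. If a data row arrives before any #fields line,
# the column names are unknown and it quits with status 2, printing nothing.
cut_fields() {
  awk -F'\t' -v want="$1" '
    BEGIN { n = split(want, w, ",") }
    /^#fields/ { for (i = 2; i <= NF; i++) idx[$i] = i - 1; next }
    /^#/ { next }
    {
      out = ""
      for (j = 1; j <= n; j++) {
        if (!(w[j] in idx)) exit 2
        out = out (j > 1 ? "\t" : "") $(idx[w[j]])
      }
      print out
    }'
}

# Number of data rows that reach the consumer in each pipeline order.
# Header-preserving grep first: the matching row comes through.
count_with_headers() { sample_log | bro_grep light | cut_fields id.orig_h,query | wc -l | tr -d ' '; }
# Plain grep first: the '#fields' line is gone, so the cutter has no column names.
count_without_headers() { sample_log | grep light | cut_fields id.orig_h,query | wc -l | tr -d ' '; }

# For the gzipped archives in the thread the same idea is:
#   zcat dns.log.gz | bro_grep light | bro-cut -d
```

Filtering before bro-cut is still the cheaper order, as James measured; the only requirement is that the grep stage lets the header lines through, which is exactly what the "(^#)|pattern" alternation does.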