[Bro] Producer Consumer Ratio Script Released

James Lay jlay at slave-tothe-box.net
Fri Aug 22 11:34:04 PDT 2014 

On 2014-08-22 12:21, James Lay wrote:
> On 2014-08-22 12:10, Robert Rotsted wrote:
>> Hi all,
>>
>> As announced at BroCon, Reservoir Labs will be releasing a few Bro
>> scripts to the community that we hope you will enjoy!
>>
>> The first script was released a few minutes ago. It implements the
>> Producer Consumer Ratio described by Carter Bullard and John Gerth 
>> at
>> FloCon 2014.
>>
>> This script is located in the following Git repo:
>> https://github.com/reservoirlabs/bro-producer-consumer-ratio
>>
>> If you have any questions or comments feel free to reach out.
>>
>> Best,
>>
>> Bob
>
> Testing this in dev now....I'll have to tweak my logstash for the new
> column, but it looks pretty tasty...thank you.
>
> James
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

Snazzy:

[12:31:45 analysis:~/current$] head pcr.log
#separator \x09
#set_separator  ,
#empty_field    (empty)
#unset_field    -
#path   pcr
#open   2014-08-22-12-29-23
#fields ts      src     pcr     summary_interval
#types  time    addr    double  interval
1408732163.900788       192.168.1.253   1.0     60.000000
1408732223.903164       192.168.1.6     -1.0    60.000000

[12:32:11 analysis:~/current$] head conn.log
#separator \x09
#set_separator  ,
#empty_field    (empty)
#unset_field    -
#path   conn
#open   2014-08-22-12-28-55
#fields ts      uid     id.orig_h       id.orig_p       id.resp_h       
id.resp_p       proto   service duration        orig_bytes      
resp_bytes      conn_state      local_orig      missed_bytes    history 
orig_pkts       orig_ip_bytes   resp_pkts       resp_ip_bytes   
tunnel_parents  pcr
#types  time    string  addr    port    addr    port    enum    string  
interval        count   count   string  bool    count   string  count   
count   count   count   set[string]     double
1408732115.010821       CWQXXpe4ylnesmVAi       x.x.x.x.x        5353   
ff02::fb        5353    udp     dns     3.003461        129     0       
S0      F       0       D       3       273     0       0       (empty) 
-
1408732115.010972       C3ZDEP2vCdSWZkGsnd      192.168.1.253   5353    
224.0.0.251     5353    udp     dns     3.003392        129     0       
S0      T       0       D       3       213     0       0       (empty) 
1.0

James

More information about the Bro mailing list