[Bro] Running racluster but with a time frame
Jesse Bowling
jessebowling at gmail.com
Thu Aug 28 10:50:34 PDT 2014
Hi Monah,
You probably meant to email the argus listserv, or possibly the security onion listserv... but since you asked, you should be able to:
> racluster -r argus.2014.08.19.10.30.01.0.gz -s stime daddr -s stime saddr daddr trans -t 10h+15m
Much more detail can be found in the man page for ra... it's quite a flexible option.
Cheers,
Jesse
On Aug 28, 2014, at 1:18 PM, Monah Baki <monahbaki at gmail.com> wrote:
> Hi all,
>
>
> I need to run the following command "racluster -r
> argus.2014.08.19.10.30.01.0.gz -s stime daddr -s stime saddr daddr
> trans" but to display only events from 10:00am to 10:15am.
>
>
> How can I accomplish this?
>
>
>
> Thanks
> Monah
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro