[Bro] Reviewing old logs with new scripts?

Daniel Thayer dnthayer at illinois.edu
Wed Jul 8 11:13:15 PDT 2015


You can see a list of all bro-cut options by running
bro-cut -h

It should work with all ASCII Bro logs that contain the header lines
(lines starting with "#").  If your old logs are compressed then
you will need to do something like this:
zcat conn.log.gz | bro-cut


On 07/08/2015 06:54 AM, nortonperry at gmail.com wrote:
> Hey all,
> Apologies if this is not the place to ask this, but I've got intel feeds
> working (criticalstack) for the past few days and was wondering if it is
> possible to interrogate existing logs with the new intel using bro-cut
> (I have months' worth where there was a clear breach due to network
> misconfiguration)?
> I guess it is possible, but would require more of a shell-based diff or
> something? I know you can replay packet dumps but it would appear not logs?
>
> Also, haven't seen this mentioned anywhere - with bro-cut what globbing
> / regular expression options are there? eg![].
>
> Thanx Pel
>

