[Bro] Help with Bro & ES

Chris Williams cw13 at umbc.edu
Wed Oct 21 09:32:27 PDT 2015


I mean... I think they look ok. Again, I understand that I have to learn
how to organize the information in such a way that will make sense. This is
an example of a conn message:

{
  "_index": "bro-201510191500",
  "_type": "conn",
  "_id": "AVCBxqIWiyISA4W_6X6I",
  "_score": 1,
  "_source": {
    "ts": 1445286221580,
    "uid": "CG7qWz2Xgs7J8LcO5d",
    "id.orig_h": "*.*.9.119",
    "id.orig_p": 123,
    "id.resp_h": "*.*.1.3",
    "id.resp_p": 123,
    "proto": "udp",
    "duration": 0.0002,
    "orig_bytes": 0,
    "resp_bytes": 48,
    "conn_state": "SHR",
    "local_orig": false,
    "local_resp": false,
    "missed_bytes": 0,
    "history": "Cd",
    "orig_pkts": 0,
    "orig_ip_bytes": 0,
    "resp_pkts": 1,
    "resp_ip_bytes": 76,
    "tunnel_parents": []
  }
}


Chris Williams
---
BS Information Systems - '16
CWIT Y2 Cyber Scholar <http://cybersecurity.umbc.edu/cyberscholars/>
Work: 5-0933
Cell: (202) 596-5406

"If you think technology can solve your security problems, then you don't
understand the problems and you don't understand the technology." Bruce
Schneier


On Wed, Oct 21, 2015 at 12:28 PM, Azoff, Justin S <jazoff at illinois.edu>
wrote:

>
> > On Oct 21, 2015, at 12:16 PM, Chris Williams <cw13 at umbc.edu> wrote:
> >
> > I recently installed Bro, and I am trying to get it to work with elastic
> search (with Kibana as a front end.) I have alerts getting to ES and it
> shows up in Kibana, but it is a mix of unintelligible json messages. For
> example, some don't have timestamps:
>
> ...
>
> >   "_type": "loaded_scripts",
> >
>
> The loaded_scripts.log is 'special' and does not have timestamps.  How do
> entries from things like the conn.log or http.log look?
>
>
> --
> - Justin Azoff
>
>
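The thread turns on which Bro records indexed into Elasticsearch carry a usable `ts` (the conn record above stores it as epoch milliseconds) and which, like loaded_scripts, do not. The script below is an added example, not code from the thread or from the Bro project: it takes a list of Elasticsearch hits, groups them by `_type`, counts those with and without a numeric `ts`, and converts a `ts` value to ISO 8601 so a timestamp can be checked by eye before building Kibana visualizations on it. The conn hit is the one from the thread (IPs masked as on the page); the loaded_scripts hit, its `_id` and its `name` field are constructed for the example.

```python
"""Sanity-check Bro records as indexed in Elasticsearch.

Added example, not from the mailing-list thread or the Bro project.  Given a
list of Elasticsearch hits, report per log type how many carry a numeric `ts`
(epoch milliseconds) and which document ids lack one, and render a `ts` as an
ISO-8601 UTC string.
"""
from datetime import datetime, timezone

# Sample hits: the conn record from the thread (IPs masked as on the page) and a
# constructed loaded_scripts record, which has no ts field.
SAMPLE_HITS = [
    {
        "_index": "bro-201510191500", "_type": "conn", "_id": "AVCBxqIWiyISA4W_6X6I",
        "_source": {"ts": 1445286221580, "uid": "CG7qWz2Xgs7J8LcO5d",
                    "id.orig_h": "*.*.9.119", "id.orig_p": 123,
                    "id.resp_h": "*.*.1.3", "id.resp_p": 123,
                    "proto": "udp", "duration": 0.0002, "orig_bytes": 0,
                    "resp_bytes": 48, "conn_state": "SHR", "history": "Cd"},
    },
    {
        "_index": "bro-201510191500", "_type": "loaded_scripts",
        "_id": "constructed-id-1",                    # constructed sample id
        "_source": {"name": "base/init-bare.bro"},    # constructed sample field
    },
]


def ts_to_iso(ts_ms):
    """Convert a Bro ts stored as epoch milliseconds to an ISO-8601 UTC string.

    Integer arithmetic on the millisecond value avoids float rounding in the
    fractional part.
    """
    seconds, millis = divmod(int(ts_ms), 1000)
    dt = datetime.fromtimestamp(seconds, tz=timezone.utc)
    return dt.replace(microsecond=millis * 1000).isoformat()


def triage_hits(hits):
    """Return {log_type: {"with_ts": n, "without_ts": n, "missing_ids": [...]}}.

    A record counts as timestamped only if `ts` is a number: a missing or
    string-valued ts will not be mapped as a date and will not land on a Kibana
    time axis, which is the symptom described in the thread.
    """
    report = {}
    for hit in hits:
        log_type = hit.get("_type", "unknown")
        entry = report.setdefault(
            log_type, {"with_ts": 0, "without_ts": 0, "missing_ids": []})
        ts = hit.get("_source", {}).get("ts")
        if isinstance(ts, (int, float)) and not isinstance(ts, bool):
            entry["with_ts"] += 1
        else:
            entry["without_ts"] += 1
            entry["missing_ids"].append(hit.get("_id"))
    return report


if __name__ == "__main__":
    for log_type, entry in triage_hits(SAMPLE_HITS).items():
        print(log_type, entry)
    print(ts_to_iso(SAMPLE_HITS[0]["_source"]["ts"]))
```

Run against a real export (for instance the `hits.hits` array of a search response), the report shows at a glance which Bro log types need a time-based index pattern and which, like loaded_scripts, should be kept out of the time-series dashboards.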