[Bro] Help with Bro & ES

Daniel Guerra daniel.guerra69 at gmail.com
Wed Oct 21 11:20:27 PDT 2015 

I’m working on elastic for a while
I changed a bit on the elasticsearch source,
recompile after doing this.
sed -i "s/JSON::TS_MILLIS/JSON::TS_ISO8601/g" bro/aux/plugins/elasticsearch/src/ElasticSearch.cc <http://elasticsearch.cc/>

my conn.log looks like this in kibana check ts difference

{
  "_index": "bro-201509160700",
  "_type": "conn",
  "_id": "AVCLfROKixyabuRJCOlt",
  "_score": null,
  "_source": {
    "_timestamp": 1442388234879,
    "ts": "2015-09-16T07:16:54.185442Z",
    "uid": "Cv7R6a19zHzfu1H6U4",
    "id.orig_h": "192.168.1.122",
    "id.orig_p": 49428,
    "id.resp_h": "192.168.102.97",
    "id.resp_p": 514,
    "proto": "udp",
    "duration": 360.241984,
    "orig_bytes": 32096,
    "resp_bytes": 0,
    "conn_state": "S0",
    "missed_bytes": 0,
    "history": "D",
    "orig_pkts": 191,
    "orig_ip_bytes": 37444,
    "resp_pkts": 0,
    "resp_ip_bytes": 0,
    "tunnel_parents": []
  }

The next chalenge are coordinates from geoip ..

> On 21 Oct 2015, at 18:32, Chris Williams <cw13 at umbc.edu> wrote:
> 
> I mean... I think they look ok. Again, I understand that I have to learn how to organize the information in such a way that will make sense. This is an example of a conn message:
> 
> {
>   "_index": "bro-201510191500",
>   "_type": "conn",
>   "_id": "AVCBxqIWiyISA4W_6X6I",
>   "_score": 1,
>   "_source": {
>     "ts": 1445286221580,
>     "uid": "CG7qWz2Xgs7J8LcO5d",
>     "id.orig_h": "*.*.9.119",
>     "id.orig_p": 123,
>     "id.resp_h": "*.*.1.3",
>     "id.resp_p": 123,
>     "proto": "udp",
>     "duration": 0.0002,
>     "orig_bytes": 0,
>     "resp_bytes": 48,
>     "conn_state": "SHR",
>     "local_orig": false,
>     "local_resp": false,
>     "missed_bytes": 0,
>     "history": "Cd",
>     "orig_pkts": 0,
>     "orig_ip_bytes": 0,
>     "resp_pkts": 1,
>     "resp_ip_bytes": 76,
>     "tunnel_parents": []
>   }
> }
> 
> 
> 
> 
> Chris Williams 
> ---
> BS Information Systems - '16
> CWIT Y2 Cyber Scholar <http://cybersecurity.umbc.edu/cyberscholars/>
> Work: 5-0933
> Cell: (202) 596-5406
> 
> "If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology." Bruce Schneier
> 
> 
> On Wed, Oct 21, 2015 at 12:28 PM, Azoff, Justin S <jazoff at illinois.edu <mailto:jazoff at illinois.edu>> wrote:
> 
> > On Oct 21, 2015, at 12:16 PM, Chris Williams <cw13 at umbc.edu <mailto:cw13 at umbc.edu>> wrote:
> >
> > I recently installed Bro, and I am trying to get it to work with elastic search (with Kibana as a front end.) I have alerts getting to ES and it shows up in Kibana, but it is a mix of unintelligible json messages. For example, some don't have timestamps:
> 
> ...
> 
> >   "_type": "loaded_scripts",
> >
> 
> The loaded_scripts.log is 'special' and does not have timestamps.  How do entries from things like the conn.log or http.log look?
> 
> 
> --
> - Justin Azoff
> 
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20151021/c746e65f/attachment-0001.html

More information about the Bro mailing list