[Bro] Help with Bro & ES
Chris Williams
cw13 at umbc.edu
Thu Oct 22 10:24:35 PDT 2015
Thanks Mike and Justin,
Please excuse my ignorance... but what are the implications of doing this?
I would prefer Justin's method just in case I need to dive in.... but could
someone explain the significance of loaded_scripts?
On Thu, Oct 22, 2015 at 12:40 PM, Azoff, Justin S <jazoff at illinois.edu>
wrote:
> One doesn't need to disable it entirely, you can just not send it to ES by
> using
>
> redef LogElasticSearch::excluded_log_ids += {LoadedScripts::LOG};
>
> --
> - Justin Azoff
>
> > On Oct 22, 2015, at 12:09 PM, Michael Wenthold <
> michael.wenthold at gmail.com> wrote:
> >
> > The easiest way might be to just disable the loaded scripts log by
> adding this to local.bro:
> >
> > event bro_init()
> > {
> > Log::disable_stream(LoadedScripts::LOG);
> > }
> >
> >
> >
> > On Thu, Oct 22, 2015 at 1:39 PM, Chris Williams <cw13 at umbc.edu> wrote:
> > Justin,
> >
> > I understand that "loaded scripts" is special, but it is creating issues
> with the index because there are no timestamps. Is there a recommended
> method for handling these messages?
> > --
> > Daniel- my connlog looks the same with the exception of "ts" which I
> assume you changed?
> > --
> >
> > Thanks
> >
> >
> > On Wed, Oct 21, 2015 at 2:20 PM, Daniel Guerra <
> daniel.guerra69 at gmail.com> wrote:
> > I’ve been working on elastic for a while.
> > I changed the elasticsearch source a bit;
> > recompile after doing this:
> > sed -i "s/JSON::TS_MILLIS/JSON::TS_ISO8601/g" bro/aux/plugins/elasticsearch/src/ElasticSearch.cc
> >
> > my conn.log looks like this in kibana; check the ts difference
> >
> > {
> > "_index": "bro-201509160700",
> > "_type": "conn",
> > "_id": "AVCLfROKixyabuRJCOlt",
> > "_score": null,
> > "_source": {
> > "_timestamp": 1442388234879,
> > "ts": "2015-09-16T07:16:54.185442Z",
> > "uid": "Cv7R6a19zHzfu1H6U4",
> > "id.orig_h": "192.168.1.122",
> > "id.orig_p": 49428,
> > "id.resp_h": "192.168.102.97",
> > "id.resp_p": 514,
> > "proto": "udp",
> > "duration": 360.241984,
> > "orig_bytes": 32096,
> > "resp_bytes": 0,
> > "conn_state": "S0",
> > "missed_bytes": 0,
> > "history": "D",
> > "orig_pkts": 191,
> > "orig_ip_bytes": 37444,
> > "resp_pkts": 0,
> > "resp_ip_bytes": 0,
> > "tunnel_parents": []
> > }
> > }
> >
> > The next challenge is coordinates from geoip ..
> >
> >> On 21 Oct 2015, at 18:32, Chris Williams <cw13 at umbc.edu> wrote:
> >>
> >> I mean... I think they look ok. Again, I understand that I have to
> learn how to organize the information in such a way that will make sense.
> This is an example of a conn message:
> >>
> >> {
> >> "_index": "bro-201510191500",
> >> "_type": "conn",
> >> "_id": "AVCBxqIWiyISA4W_6X6I",
> >> "_score": 1,
> >> "_source": {
> >> "ts": 1445286221580,
> >> "uid": "CG7qWz2Xgs7J8LcO5d",
> >> "id.orig_h": "*.*.9.119",
> >> "id.orig_p": 123,
> >> "id.resp_h": "*.*.1.3",
> >> "id.resp_p": 123,
> >> "proto": "udp",
> >> "duration": 0.0002,
> >> "orig_bytes": 0,
> >> "resp_bytes": 48,
> >> "conn_state": "SHR",
> >> "local_orig": false,
> >> "local_resp": false,
> >> "missed_bytes": 0,
> >> "history": "Cd",
> >> "orig_pkts": 0,
> >> "orig_ip_bytes": 0,
> >> "resp_pkts": 1,
> >> "resp_ip_bytes": 76,
> >> "tunnel_parents": []
> >> }
> >> }
> >>
> >>
> >>
> >>
> >> Chris Williams
> >> ---
> >> BS Information Systems - '16
> >> CWIT Y2 Cyber Scholar
> >> Work: 5-0933
> >> Cell: (202) 596-5406
> >>
> >> "If you think technology can solve your security problems, then you
> don't understand the problems and you don't understand the technology."
> Bruce Schneier
> >>
> >>
> >> On Wed, Oct 21, 2015 at 12:28 PM, Azoff, Justin S <jazoff at illinois.edu>
> wrote:
> >>
> >> > On Oct 21, 2015, at 12:16 PM, Chris Williams <cw13 at umbc.edu> wrote:
> >> >
> >> > I recently installed Bro, and I am trying to get it to work with
> elastic search (with Kibana as a front end.) I have alerts getting to ES
> and it shows up in Kibana, but it is a mix of unintelligible json messages.
> For example, some don't have timestamps:
> >>
> >> ...
> >>
> >> > "_type": "loaded_scripts",
> >> >
> >>
> >> The loaded_scripts.log is 'special' and does not have timestamps. How
> do entries from things like the conn.log or http.log look?
> >>
> >>
> >> --
> >> - Justin Azoff
> >>
> >>
> >> _______________________________________________
> >> Bro mailing list
> >> bro at bro-ids.org
> >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> >
> >
> >
>
>
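An added example (not from the thread or the Bro project) showing the two ideas above applied on the ingest side in Python: records from the excluded loaded_scripts log are skipped instead of being indexed without a timestamp, and a JSON::TS_MILLIS style ts is rewritten to the ISO 8601 form Daniel's sed change makes Bro emit. The sample records and the convention of tagging each line with its log id in a `_type` field are constructed assumptions.

```python
"""Ingest-side filter for Bro logs headed to Elasticsearch (added example)."""
import json
from datetime import datetime, timezone

# Log ids that must not reach Elasticsearch, mirroring
#   redef LogElasticSearch::excluded_log_ids += { LoadedScripts::LOG };
EXCLUDED_LOG_IDS = {"loaded_scripts"}


def millis_to_iso8601(ms: int) -> str:
    """Render an epoch-milliseconds ts the way JSON::TS_ISO8601 does: UTC, microseconds, 'Z'."""
    # Integer arithmetic avoids float rounding on the sub-second part.
    dt = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    dt = dt.replace(microsecond=(ms % 1000) * 1000)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.%f") + "Z"


def prepare_for_es(raw_lines):
    """Parse newline-delimited JSON records, drop excluded log ids and any record
    lacking a ts (these are what broke the index), and normalise ts to ISO 8601.
    Returns (records_to_index, list_of_skipped_log_ids)."""
    keep, skipped = [], []
    for line in raw_lines:
        rec = json.loads(line)
        log_id = rec.get("_type")
        if log_id in EXCLUDED_LOG_IDS or "ts" not in rec:
            skipped.append(log_id)
            continue
        if isinstance(rec["ts"], int):          # TS_MILLIS output from the plugin
            rec["ts"] = millis_to_iso8601(rec["ts"])
        keep.append(rec)
    return keep, skipped


# Constructed sample lines (ts values taken from the records quoted in the thread).
SAMPLE_RECORDS = [
    '{"_type": "conn", "ts": 1445286221580, "uid": "CG7qWz2Xgs7J8LcO5d", "proto": "udp"}',
    '{"_type": "loaded_scripts", "name": "example/script.bro"}',
    '{"_type": "conn", "ts": "2015-09-16T07:16:54.185442Z", "uid": "Cv7R6a19zHzfu1H6U4", "proto": "udp"}',
]

if __name__ == "__main__":
    docs, dropped = prepare_for_es(SAMPLE_RECORDS)
    print(f"indexing {len(docs)} records, skipped log ids: {dropped}")
    for d in docs:
        print(json.dumps(d))
```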