[Bro] files.log

erik clark philosnef at gmail.com
Thu Sep 29 04:42:47 PDT 2016


Sorry, last post. Found
http://mailman.icsi.berkeley.edu/pipermail/bro/2014-April/006893.html. This
is in line with what I was discovering from my files.log. I will see if I
can expand the framework to do correlation to get this info.

On Thu, Sep 29, 2016 at 7:33 AM, erik clark <philosnef at gmail.com> wrote:

> As an aside, even after disabling pe_xor (out of curiosity), we are still
> not seeing the filenames. Out of 74,000 files.log entries, only 620 have
> filenames. Of those, 99.52% of them are f.txt filenames (from google)...
>
> On Thu, Sep 29, 2016 at 7:22 AM, erik clark <philosnef at gmail.com> wrote:
>
>> According to splunk/files.log, these list "pe_xor, md5, sha1, sha256" in
>> the analyzer section. It's actually a lot more than that, and slight
>> variations. Generally speaking, almost every entry is a variant of those 4
>> analyzers. Could this be an issue with the pe_xor module? Moreover, files
>> that we have filenames for (f.txt from google for instance) have the same
>> analyzers running as well.
>>
>> On Wed, Sep 28, 2016 at 10:16 PM, Seth Hall <seth at icir.org> wrote:
>>
>>>
>>> > On Sep 28, 2016, at 1:50 PM, erik clark <philosnef at gmail.com> wrote:
>>> >
>>> > 98% of all entries in our files.log are null values. Is this to be
>>> > expected?
>>>
>>> What analyzers are the files coming from?
>>>
>>>   .Seth
>>>
>>> --
>>> Seth Hall
>>> International Computer Science Institute
>>> (Bro) because everyone has a network
>>> http://www.bro.org/
>>>
>>>
>>
>
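The thread measures filename coverage in files.log by hand (74,000 entries, 620 with a filename, almost all of them f.txt) and asks which analyzers those entries came from. The script below is an added example, not code from this thread or from the Bro project: it parses Bro's tab-separated ASCII log layout (the `#separator`, `#fields`, `#types`, `#unset_field` and `#set_separator` header lines are the real format; the sample log itself is constructed and carries only a subset of the real files.log columns) and reports how many records have a filename, broken down by analyzer set, so the same check can be rerun on a real files.log instead of eyeballed in Splunk.

```python
"""Measure filename coverage in a Bro files.log, grouped by analyzer set.

Added example for the files.log discussion; not the thread's or Bro's code.
The log text below is constructed to look like Bro's ASCII writer output.
"""
from collections import OrderedDict

# Constructed sample. Real files.log has more columns (tx_hosts, rx_hosts,
# conn_uids, seen_bytes, ...); only the ones needed for this check are kept.
SAMPLE_FILES_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tfiles
#fields\tts\tfuid\tsource\tanalyzers\tmime_type\tfilename\tmd5
#types\ttime\tstring\tstring\tset[string]\tstring\tstring\tstring
1475145600.000000\tFaaaa1\tHTTP\tPE_XOR,MD5,SHA1,SHA256\ttext/plain\tf.txt\t-
1475145601.000000\tFaaaa2\tHTTP\tMD5,SHA1,SHA256\tapplication/x-dosexec\t-\t-
1475145602.000000\tFaaaa3\tHTTP\tPE_XOR,MD5,SHA1,SHA256\timage/png\t-\t-
1475145603.000000\tFaaaa4\tSMTP\tMD5,SHA1,SHA256\tapplication/pdf\treport.pdf\t-
1475145604.000000\tFaaaa5\tHTTP\tPE_XOR,MD5,SHA1,SHA256\ttext/plain\tf.txt\t-
#close\t2016-09-29-04-42-47
"""


def parse_bro_log(text):
    """Yield one dict per record of a Bro ASCII log.

    Header lines (starting with '#') are consumed to learn the field
    separator, the set separator, the field names/types and the markers
    Bro uses for unset ('-') and empty ('(empty)') values. Unset fields
    become None; set-typed fields become a tuple of their elements.
    """
    sep, set_sep, unset, empty = "\t", ",", "-", "(empty)"
    fields, types = None, None
    for raw in text.splitlines():
        if not raw:
            continue
        if raw.startswith("#separator"):
            # Given as an escape sequence (e.g. \x09) after a single space,
            # because the separator is not known until this line is read.
            sep = raw.split(" ", 1)[1].encode().decode("unicode_escape")
            continue
        if raw.startswith("#"):
            key, _, value = raw[1:].partition(sep)
            if key == "fields":
                fields = value.split(sep)
            elif key == "types":
                types = value.split(sep)
            elif key == "set_separator":
                set_sep = value
            elif key == "unset_field":
                unset = value
            elif key == "empty_field":
                empty = value
            continue
        if fields is None:
            raise ValueError("record line seen before #fields header")
        values = raw.split(sep)
        if len(values) != len(fields):
            raise ValueError("field count mismatch on line: %r" % raw)
        rec = OrderedDict()
        for i, (name, val) in enumerate(zip(fields, values)):
            ftype = types[i] if types else "string"
            if val == unset:
                rec[name] = None
            elif val == empty:
                rec[name] = () if ftype.startswith(("set[", "vector[")) else ""
            elif ftype.startswith(("set[", "vector[")):
                rec[name] = tuple(val.split(set_sep))
            else:
                rec[name] = val
        yield rec


def coverage_by_analyzers(records):
    """Map each (sorted) analyzer set to {'total', 'named'} record counts."""
    buckets = {}
    for rec in records:
        key = tuple(sorted(rec.get("analyzers") or ()))
        b = buckets.setdefault(key, {"total": 0, "named": 0})
        b["total"] += 1
        if rec.get("filename"):
            b["named"] += 1
    return buckets


def summarize(records):
    """Overall filename coverage and the share of named files that are f.txt,
    i.e. the two numbers the thread worked out by hand."""
    recs = list(records)
    named = [r["filename"] for r in recs if r.get("filename")]
    f_txt = sum(1 for n in named if n == "f.txt")
    total = len(recs)
    return {
        "total": total,
        "with_filename": len(named),
        "pct_with_filename": round(100.0 * len(named) / total, 2) if total else 0.0,
        "pct_named_are_f_txt": round(100.0 * f_txt / len(named), 2) if named else 0.0,
    }


if __name__ == "__main__":
    print(summarize(parse_bro_log(SAMPLE_FILES_LOG)))
    for key, b in sorted(coverage_by_analyzers(parse_bro_log(SAMPLE_FILES_LOG)).items()):
        print(",".join(key), b)
```

Point `parse_bro_log` at the contents of a real files.log (or a `zcat` of the rotated ones) to get the same breakdown over a day of traffic; if the named entries cluster on one analyzer set while the unnamed ones do not, that is evidence about the analyzers, and if both look the same (as the thread observes) the analyzers are not the deciding factor.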

