[Bro] Bro Digest, Vol 135, Issue 14

Philip Romero promero at cenic.org
Thu Jul 13 07:24:10 PDT 2017


Seth,

Thanks a ton for the quick update! Looks great.

1499954837.093491    137.164.83.xxx    -    HTTP::BROWSER    Adobe Flash Player Install Manager    26    0    0    137    CFNetwork/811    Adobe%20Flash%20Player%20Install%20Manager/26.0.0.137 CFNetwork/811.5.4 Darwin/16.6.0 (x86_64)
1499955553.719204    137.164.83.xxx    -    HTTP::BROWSER    Flash    26    0    0    137    CFNetwork/811    Flash%20Player/26.0.0.137 CFNetwork/811.5.4 Darwin/16.6.0 (x86_64)

Philip


On 7/12/17 11:53 PM, bro-request at bro.org wrote:
>
> Today's Topics:
>
>     1. Re: Get the license usage down in Splunk when indexing Bro
>        logs (Mike Eriksson)
>     2. Re: Get the license usage down in Splunk when indexing Bro
>        logs (fatema bannatwala)
>     3. Re: Bug Report - Software Framework - Flash Player Version
>        Parsing (Seth Hall)
>     4. Re: Get the license usage down in Splunk when indexing Bro
>        logs (Mike Eriksson)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 12 Jul 2017 20:35:56 +0000
> From: Mike Eriksson <mike at swedishmike.org>
> Subject: Re: [Bro] Get the license usage down in Splunk when indexing Bro logs
> To: fatema bannatwala <fatema.bannatwala at gmail.com>
> Cc: bro <bro at bro.org>
> Message-ID:
> 	<CAMuthMfmpEfSBs0Rg9FOBE7tP6vdDgaaBPpizei6DDdsP=ZaEw at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Fatema,
>
> Trying to filter out on types in the files.log as well sounds like a
> great idea.
>
> We're a bit more limited as to what we can do ourselves when it comes to
> cloud Splunk but I'm sure they're more than happy to sell some PS time if
> need be. ;)
>
> Once again - many thanks for a very helpful suggestion.
>
> Cheers, Mike
>
> On Wed, Jul 12, 2017 at 9:14 PM fatema bannatwala <
> fatema.bannatwala at gmail.com> wrote:
>
>> We only do filtering on conn logs, as they are the heaviest (in our
>> environment at least), before indexing it in Splunk.
>> Also, if you are ingesting files.log as well, then you can build some
>> similar filters in props and transforms for the
>> mime-type you can ignore (like plain/text etc), that will also reduce some
>> of the volume indexed by your Splunk cluster.
>> I do not know much about the cloud deployment, hence can't comment on that.
>>
>> Regards,
>> Fatema.
>>
>>
>> On Wed, Jul 12, 2017 at 3:51 PM, Mike Eriksson <mike at swedishmike.org>
>> wrote:
>>
>>> Hi Fatema,
>>>
>>> That looks ace - I'll definitely have to have a try at implementing
>>> that. Hopefully we'll be able to get that done even though we're on Cloud
>>> instances.
>>>
>>> Many thanks for this - it's really appreciated.
>>>
>>> Cheers, Mike
>>>
>>> On Wed, Jul 12, 2017 at 8:43 PM fatema bannatwala <
>>> fatema.bannatwala at gmail.com> wrote:
>>>
>>>> Hi Mike,
>>>>
>>>> We also have something similar for brologs indexing in Splunk.
>>>> What we do currently is to drop all the connections whose history had
>>>> just a "Syn" and nothing else,
>>>> i.e. dropping all the tcp connections that were just connection attempts.
>>>>
>>>> And the way we implemented it in Splunk, is with following filter on the
>>>> indexers:
>>>>
>>>> In props.conf:
>>>> [bro_conn_sourcetype]
>>>> TRANSFORMS-null= bro_conn_setnull
>>>>
>>>> In transforms.conf
>>>> [bro_conn_setnull]
>>>> REGEX = \b[S]{1}\b
>>>> DEST_KEY = queue
>>>> FORMAT = nullQueue
>>>>
>>>> Hope this helps.
>>>>
>>>> Thanks,
>>>> Fatema.
>>>>
>
> ------------------------------
>
> Message: 2
> Date: Wed, 12 Jul 2017 19:48:44 -0400
> From: fatema bannatwala <fatema.bannatwala at gmail.com>
> Subject: Re: [Bro] Get the license usage down in Splunk when indexing Bro logs
> To: Mike Eriksson <mike at swedishmike.org>
> Cc: bro <bro at bro.org>
> Message-ID:
> 	<CACX0rUTgYPUL3EVqqy9x8NiwFwyTgMuXCsGY45HmvNcJA6X2NQ at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hey Mike,
>
> So just out of curiosity, I ran a quick search on the files.log for the
> past hour, to see
> the top most logged mime-types, and here is the top 12 mime-types in the
> file:
>
> 2630139 application/pkix-cert
>   366285 text/plain
>   259828 -
>   258732 image/gif
>   175465 text/html
>   142375 image/jpeg
>   116151 application/xml
>   103263 text/json
>    70691 image/png
>    48208 application/ocsp-response
>    18720 application/ocsp-request
>    16267 application/javascript
>
> The Splunk filter can be easily built to ignore or filter the logs with
> these mime-types (of-course, only if you don't
> want them in Splunk):
>
> In props.conf:
> [bro_files_sourcetype]
> TRANSFORMS-null= bro_files_setnull
>
> In transforms.conf:
> [bro_files_setnull]
> REGEX = (application\/pkix-cert|text\/plain|image\/gif|text\/html|image\/jpeg)
> DEST_KEY = queue
> FORMAT = nullQueue
>
> You can add more mime-types in the above REGEX, to filter and send to null
> queue in Splunk.
> I added top five, just to give you an idea of how it can be implemented.
>
> Hope this helps. :)
>
> Thanks,
> Fatema.
>
>
> ------------------------------
>
> Message: 3
> Date: Thu, 13 Jul 2017 02:23:59 -0400
> From: Seth Hall <seth at corelight.com>
> Subject: Re: [Bro] Bug Report - Software Framework - Flash Player Version Parsing
> To: Philip Romero <promero at cenic.org>
> Cc: "bro at bro.org" <bro at bro.org>
> Message-ID:
> 	<CAAAo3g_5FSDB=w9-iZfsHTzJ1OHa7s1=S828dEW8J6Kk_7NNDg at mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> Oh, that's annoying.  I fixed the issue in git master.  Thanks for the report!
>
> https://github.com/bro/bro/commit/71c9945f266096e1e375461758ade515e9336692
>
>    .Seth
>
> On Tue, Jul 11, 2017 at 2:25 PM, Philip Romero <promero at cenic.org> wrote:
>> All,
>>
>> I was looking into updating my vulnerability alert configuration and noticed
>> that the software framework may be incorrectly parsing the software version
>> for Adobe Flash Player. Please see the below example. The full string
>> details show the correct version (26.0.0.137), but the parsed versions that
>> I believe the vulnerability scripts read for major and minor versions looks
>> to be grabbing the "20" from that portion of the syntax in the full string.
>>
>> This email is information in case anyone actively updates the software
>> framework. I'll see if I can try to work it a bit on my local development
>> system as time permits. Thanks.
>>
>> Example Log:
>> 1499796686.729596    137.164.83.xxx    -    HTTP::BROWSER    Flash%    20    -    -    -    Player/26    Flash%20Player/26.0.0.137 CFNetwork/811.5.4 Darwin/16.6.0 (x86_64)
>>
>> --
>> Philip Romero, CISSP, CISA
>> Sr. Information Security Analyst
>> CENIC
>> promero at cenic.org
>> Phone: (714) 220-3430
>> Mobile: (562) 237-9290
>>
>>

-- 
Philip Romero, CISSP, CISA
Sr. Information Security Analyst
CENIC
promero at cenic.org
Phone: (714) 220-3430
Mobile: (562) 237-9290
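
The parsing symptom Philip reported, and one way to avoid it, as an added example that is not code from the thread, from Bro, or from the linked commit. The extractor is an assumed toy model of name/version splitting, and the mitigation shown (percent-decoding the user-agent before looking for a version) is an assumption, not necessarily what the commit changed.

```python
"""Reproduces the Flash Player version-parsing symptom from the bug report
and one mitigation, on the user-agent strings quoted in the thread. Added
example: the extractor below is an assumed toy model, not Bro's software
framework and not the change in the linked commit. parse_software() with
decode=False yields name "Flash%" / major 20, as in the reported log; with
decode=True it percent-decodes first and yields "Flash Player" 26.0.0.137.
"""
import re
from urllib.parse import unquote

# User-agent strings as quoted in the thread.
FLASH_UA = "Flash%20Player/26.0.0.137 CFNetwork/811.5.4 Darwin/16.6.0 (x86_64)"
INSTALLER_UA = ("Adobe%20Flash%20Player%20Install%20Manager/26.0.0.137 "
                "CFNetwork/811.5.4 Darwin/16.6.0 (x86_64)")
COLS = ("major", "minor", "minor2", "minor3")   # software.log version columns

def version_columns(ver):
    """'26.0.0.137' -> {'major': 26, 'minor': 0, 'minor2': 0, 'minor3': 137};
    absent components become None (printed as '-' in software.log)."""
    parts = [int(p) for p in ver.split(".")]
    return {c: (parts[i] if i < len(parts) else None) for i, c in enumerate(COLS)}

def parse_software(ua, decode):
    """Toy extractor: name is everything before the first digit run, the
    version is that digit run, addl is the next 'token/major' pair. Without
    decoding, the '20' of '%20' is the first digit run the regex sees."""
    if decode:
        ua = unquote(ua)                 # "Flash%20Player/..." -> "Flash Player/..."
    m = re.match(r"(.*?)(\d+(?:\.\d+)*)", ua)
    if not m:
        return None
    name = m.group(1).rstrip("/")        # drop the '/' that precedes the version
    nxt = re.search(r"(\S+?)/(\d+)", ua[m.end():])
    return {"name": name, **version_columns(m.group(2)),
            "addl": f"{nxt.group(1)}/{nxt.group(2)}" if nxt else None}

if __name__ == "__main__":
    for ua in (FLASH_UA, INSTALLER_UA):
        print("raw:    ", parse_software(ua, decode=False))
        print("decoded:", parse_software(ua, decode=True))
```

With decode=False the output reproduces the fields of the log line in the bug report (name "Flash%", major 20, addl "Player/26"); with decode=True it matches the corrected lines Philip posted above.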

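
Fatema's conn.log and files.log nullQueue rules, replayed offline as an added example that is not code from the thread, from Bro or from Splunk. It compares exact field matching with the raw-line REGEX that Splunk evaluates against _raw, on constructed sample lines, so the volume reduction and any over-match of an unanchored pattern can be checked before the stanzas go onto the indexers.

```python
"""Offline check of the two Splunk nullQueue filters from the thread (added
example, not code from the thread, Bro or Splunk). Each rule is applied two
ways to Bro TSV lines: by named field (what the rule means) and with the raw
REGEX from transforms.conf (what Splunk evaluates against _raw), so the two
can be compared before the stanza goes onto the indexers. The log lines are
constructed and carry fewer columns than real conn.log / files.log records.
"""
import re

CONN_REGEX = re.compile(r"\b[S]{1}\b")      # conn.log stanza: history == "S"
FILES_REGEX = re.compile(                   # files.log stanza (Python needs no \/)
    r"(application/pkix-cert|text/plain|image/gif|text/html|image/jpeg)")
DROP_MIME = set(FILES_REGEX.pattern.strip("()").split("|"))

def bro_rows(lines):
    """Yield (raw_line, {field: value}) for each data line of a Bro TSV log."""
    fields = None
    for line in lines:
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield line, dict(zip(fields, line.split("\t")))

def compare_filter(lines, regex, field, drop_values):
    """Count rows dropped by exact field match and by the raw REGEX;
    'disagree' lists the 1-based data-row numbers where the two differ."""
    out = {"field": 0, "regex": 0, "disagree": []}
    for n, (line, row) in enumerate(bro_rows(lines), start=1):
        by_field = row.get(field) in drop_values
        by_regex = regex.search(line) is not None
        out["field"] += int(by_field)
        out["regex"] += int(by_regex)
        if by_field != by_regex:
            out["disagree"].append(n)
    return out

CONN_SAMPLE = [
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\tproto\tconn_state\thistory",
    "1499954837.093491\tCabc1\t10.0.0.5\t10.0.0.9\ttcp\tS0\tS",         # SYN only
    "1499954838.100000\tCabc2\t10.0.0.5\t10.0.0.9\ttcp\tSF\tShADadFf",
    "1499954839.200000\tCabc3\t10.0.0.5\t10.0.0.9\tudp\tSF\tDd",
]
FILES_SAMPLE = [
    "#fields\tts\tfuid\tuid\tsource\tmime_type\tfilename",
    "1499954840.0\tFa1\tCabc2\tHTTP\tapplication/pkix-cert\t-",
    "1499954841.0\tFa2\tCabc2\tHTTP\t-\t-",                    # "-" is not in the rule
    "1499954842.0\tFa3\tCabc2\tHTTP\tapplication/octet-stream\ttext/plain.bin",
]

if __name__ == "__main__":
    print("conn:", compare_filter(CONN_SAMPLE, CONN_REGEX, "history", {"S"}))
    print("files:", compare_filter(FILES_SAMPLE, FILES_REGEX, "mime_type", DROP_MIME))
```

The third files.log row is the over-match case: its mime_type is not in the rule, but the unanchored REGEX still matches the constructed filename, so that line would be sent to nullQueue.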