[Bro] gluing together suricata and bro alerts in kibana

erik clark philosnef at gmail.com
Mon Apr 2 06:22:15 PDT 2018


I am trying to make Splunk-like searches in Kibana, but can't figure out how
the syntax works.

E.g.:

I have alert.signature == myalert, with http.hostname == somedomain.
In bro, I rewrote host to http_host, and want to see the intersection of:

conn.log (conn id)
http.log (http.hostname from suricata events linked to http_host bro events here)
alert.signature (from suricata events)

So the result would be in a table I would hope, or something like that:

http_host, http.http_content_type, http.http_method, http.http_user_agent,
http.http_response_body_printable, payload_printable, fileinfo.filename,
dest_ip, src_ip, conn_id

Drop down events like what you normally get would be fine as well. Hope
this helps explain what I am trying to do. I am still struggling with
Lucene search syntax and the front end.
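Added example, not code from the post or from the Bro or Suricata projects: it builds the Lucene query string the poster is reaching for (Kibana's search bar accepts `field:"value"` terms joined with `AND`), and then performs the Suricata-to-Bro intersection offline, because a Kibana search runs against one index pattern and has no join across indices. It assumes Bro is writing JSON logs, that the http.log `host` column has been renamed to `http_host` as the poster describes, and that Suricata alerts carry the usual `src_ip`/`src_port`/`dest_ip`/`dest_port` fields; the join key is that 4-tuple plus the HTTP hostname, and the Bro `uid` (shared by http.log and conn.log) becomes `conn_id`. All records below are constructed for the example.

```python
"""Correlate Suricata EVE alerts with Bro http.log / conn.log (JSON logs).

Added example; assumes Bro JSON logs with http.log 'host' renamed to
'http_host'. Every record below is constructed, not captured traffic.
"""
import json

# Output columns, in the order the poster listed them.
COLUMNS = ["http_host", "http.http_content_type", "http.http_method",
           "http.http_user_agent", "http.http_response_body_printable",
           "payload_printable", "fileinfo.filename", "dest_ip", "src_ip",
           "conn_id"]


def lucene_query(signature, hostname):
    """Lucene query for the Kibana search bar: both terms must match."""
    def term(field, value):
        return '%s:"%s"' % (field, value.replace('"', '\\"'))
    return "%s AND %s" % (term("alert.signature", signature),
                          term("http.hostname", hostname))


def parse_jsonl(text):
    """Parse newline-delimited JSON (EVE or Bro json-logs), skipping blanks."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _get(rec, dotted):
    """Walk 'a.b.c' through nested dicts (Suricata style); None if absent.
    Bro JSON logs use literal dotted keys such as 'id.orig_h', so they are
    read directly instead."""
    cur = rec
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _flow_key(src, sport, dst, dport, host):
    return (src, int(sport), dst, int(dport), host)


def correlate(eve, bro_http, bro_conn, signature=None, hostname=None):
    """Inner-join Suricata alerts to Bro http.log rows on 4-tuple + hostname,
    then attach the Bro uid as conn_id when conn.log also has that uid.
    Only event_type == "alert" records are considered; the optional
    signature/hostname filters mirror the Lucene query above."""
    http_index = {}
    for h in bro_http:
        key = _flow_key(h["id.orig_h"], h["id.orig_p"], h["id.resp_h"],
                        h["id.resp_p"], h.get("http_host"))
        http_index.setdefault(key, []).append(h)
    conn_uids = {c["uid"] for c in bro_conn}

    rows = []
    for ev in eve:
        if ev.get("event_type") != "alert":
            continue
        if signature and _get(ev, "alert.signature") != signature:
            continue
        host = _get(ev, "http.hostname")
        if hostname and host != hostname:
            continue
        key = _flow_key(ev["src_ip"], ev["src_port"], ev["dest_ip"],
                        ev["dest_port"], host)
        for h in http_index.get(key, []):
            row = {col: _get(ev, col) for col in COLUMNS}
            row["http_host"] = h["http_host"]
            row["conn_id"] = h["uid"] if h["uid"] in conn_uids else None
            rows.append(row)
    return rows


# Constructed Suricata EVE records: a matching alert, a non-alert http event
# (ignored) and an alert without an http block (no Bro http.log match).
SURICATA_EVE = [
    {"event_type": "alert", "src_ip": "10.0.0.5", "src_port": 51000,
     "dest_ip": "203.0.113.7", "dest_port": 80,
     "alert": {"signature": "myalert"},
     "http": {"hostname": "somedomain.example", "http_method": "GET",
              "http_user_agent": "curl/7.58", "http_content_type": "text/html",
              "http_response_body_printable": "<html>ok</html>"},
     "payload_printable": "GET / HTTP/1.1", "fileinfo": {"filename": "/"}},
    {"event_type": "http", "src_ip": "10.0.0.5", "src_port": 51000,
     "dest_ip": "203.0.113.7", "dest_port": 80,
     "http": {"hostname": "somedomain.example"}},
    {"event_type": "alert", "src_ip": "10.0.0.9", "src_port": 40000,
     "dest_ip": "198.51.100.2", "dest_port": 443,
     "alert": {"signature": "tls-alert"}},
]

# Constructed Bro http.log and conn.log rows (JSON logs, host -> http_host).
BRO_HTTP = [
    {"uid": "CAbc123", "id.orig_h": "10.0.0.5", "id.orig_p": 51000,
     "id.resp_h": "203.0.113.7", "id.resp_p": 80,
     "http_host": "somedomain.example", "method": "GET", "uri": "/"},
    {"uid": "CDef456", "id.orig_h": "10.0.0.6", "id.orig_p": 52000,
     "id.resp_h": "203.0.113.7", "id.resp_p": 80,
     "http_host": "other.example", "method": "GET", "uri": "/x"},
]
BRO_CONN = [
    {"uid": "CAbc123", "id.orig_h": "10.0.0.5", "id.orig_p": 51000,
     "id.resp_h": "203.0.113.7", "id.resp_p": 80, "proto": "tcp",
     "service": "http"},
    {"uid": "CDef456", "id.orig_h": "10.0.0.6", "id.orig_p": 52000,
     "id.resp_h": "203.0.113.7", "id.resp_p": 80, "proto": "tcp",
     "service": "http"},
]

if __name__ == "__main__":
    print(lucene_query("myalert", "somedomain.example"))
    for row in correlate(SURICATA_EVE, BRO_HTTP, BRO_CONN, "myalert",
                         "somedomain.example"):
        print("\t".join(str(row[c]) for c in COLUMNS))
```

The join is an intersection on purpose: an alert that has no Bro http.log row for the same flow and hostname (the constructed `tls-alert` above) is dropped, which is what the poster asked for. The output rows are flat dicts keyed by the requested column names, so they can be indexed as their own documents and then searched in Kibana with a single query instead of across two indices.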