[Bro] smb_files.log, logstash, and kibana

Patrick Kelley patrick.kelley at criticalpathsecurity.com
Tue Aug 7 07:36:14 PDT 2018


We're not really solving Erik's problem by recommending a switch to JSON.
If anything, it aggravates the situation, as it will throw additional log
entry failures on one of the noisiest protocols analyzed.

This activity causes a parsing issue.

The field output from the SMB protocol scripts will have to rewrite the
field name. I've done this in the past with NB, but I don't recall the
exact details.

I'll see what I can run down from my notes.


On Tue, Aug 7, 2018 at 10:11 AM, erik clark <philosnef at gmail.com> wrote:

> Yes, I am using json output.
>
>
> On Tue, Aug 7, 2018 at 9:36 AM, jose antonio izquierdo lopez <
> jizquierdo at owlh.net> wrote:
>
>> Hi, are you using Bro JSON output? If not, maybe this will make your
>> life easier when integrating with ES.
>>
>>
>>
>> Best Regards,
>>
>> Jose Antonio Izquierdo
>> m - +34 673 055 255
>> skype - izquierdo.lopez <https://join.skype.com/invite/aHkpSVL1sz8Q>
>>
>>
>>
>>
>>
>> On Tue, Aug 7, 2018 at 2:43 PM erik clark <philosnef at gmail.com> wrote:
>>
>>> I have a field name collision on "path". Logstash is pushing into ES a
>>> field of "path" with the file path on disk to the log being monitored.
>>>
>>> In smb_files.log, path refers to the path on disk of the file being
>>> written by smb. How would this best be resolved?
>>> _______________________________________________
>>> Bro mailing list
>>> bro at bro-ids.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>>
>
>



-- 

*Patrick Kelley, CISSP, C|EH, ITIL*
*CTO*
patrick.kelley at criticalpathsecurity.com
(o) 770-224-6482
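The collision Erik describes can also be resolved on the Logstash side rather than in the Bro scripts. The pipeline below is an added example, not configuration from this thread or from the Bro project: it assumes Bro is writing JSON logs (LogAscii::use_json=T), that smb_files.log lives at the assumed location /opt/bro/logs/current/smb_files.log, and that the event type name bro_smb_files is free for use. The key point is ordering: with codec => json the file input decodes the record and then stamps its own "path" (the log file on disk) over the decoded SMB "path", so the log line is read as plain text, the input's "path" is moved aside first, and only then is the Bro record decoded.

```conf
input {
  file {
    # Assumed path; adjust to where your Bro logs are written.
    path => "/opt/bro/logs/current/smb_files.log"
    type => "bro_smb_files"
    # Default codec is plain on purpose. A json codec here would decode the
    # record and the file input would then overwrite the decoded "path"
    # (the SMB share path) with the on-disk path of the log file itself.
  }
}

filter {
  if [type] == "bro_smb_files" {
    # Step 1: move the file input's "path" (the monitored log file) out of
    # the way before anything from Bro is decoded.
    mutate {
      rename => { "path" => "log_path" }
    }

    # Step 2: decode the Bro record from the raw line. Its "path" field
    # (the path of the file written over SMB) now lands without a collision.
    # A constructed record looks like:
    #   {"ts":1533645000.0,"uid":"C0000000000000000","fuid":"F0000000000000000",
    #    "action":"SMB::FILE_WRITE","path":"\\\\fileserver\\share","name":"doc.txt","size":1024}
    json {
      source => "message"
      remove_field => [ "message" ]
    }

    # Step 3 (optional): give the SMB field an explicit name too, so neither
    # side of the former collision is called plain "path" in Elasticsearch.
    mutate {
      rename => { "path" => "smb_path" }
    }
  }
}
```

After this, an smb_files event carries log_path (where Logstash read it from) and smb_path (what the client wrote over SMB), and the index mapping no longer has two sources fighting over one field. If other Bro logs share the same pipeline, keep the rename inside the type condition so their own "path" handling is unaffected.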