[Bro] Another assist with Bro and Splunk

Brandon Glaze bglaze at gmail.com
Tue Jun 19 13:27:57 PDT 2018


I have had a few open tickets with Splunk to update the Bro-IDS Splunk app,
but to no avail. PacketSled, a Bro based security tool, has alluded to the
fact that they plan to publish an open source based Bro Splunk App. I also
wanted to say that if you use the intel framework on Bro, you will have to
add your own props and transforms entries, but there are some out on the
internet others have done. I did a lot of work getting Bro logs into Azure
HDInsight (Microsoft Hadoop), but have only done the basics on writing
extractions for Bro in Splunk. Thankfully the tab based delimiters make
field extraction relatively painless in search time field extractions in
Splunk.

Good luck, and maybe we can all find a place to share our Splunk files to
help others...

=====================
Brandon Glaze
bglaze at gmail.com

"Lead me, follow me, or get the hell out of my way."
- General George Patton Jr
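The two points above, that intel.log needs its own props/transforms entries and that the tab delimiters make extraction painless, as an added Python example that is not code from this thread or from the Bro project: a parser that takes the field names and types from the log's own header lines (#separator, #set_separator, #empty_field, #unset_field, #fields, #types), so the same code handles conn.log, ssl.log and intel.log, including set[] columns and the "-" / "(empty)" placeholders. The intel.log text inside the block is constructed for the example; the header layout is Bro's, the records are made up.

```python
"""Parse Bro ASCII (tab-separated) logs into typed records.

Added example, not code from this thread or from the Bro project. The #fields
header names the columns, #types says how to read them, and #unset_field,
#empty_field and #set_separator explain the placeholder values, so one parser
covers conn.log, ssl.log and intel.log (which has set[] columns).
SAMPLE_INTEL_LOG is constructed for this example; its records are made up.
"""
import re
from typing import Any, Dict, Iterator, List

# "\x09" on the #separator line is the literal text Bro writes there.
SAMPLE_INTEL_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tintel\n"
    "#open\t2018-06-19-12-00-00\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\t"
    "seen.indicator\tseen.indicator_type\tseen.where\tmatched\tsources\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\t"
    "string\tenum\tenum\tset[enum]\tset[string]\n"
    "1529434800.123456\tCAbcd1xyz\t10.0.0.5\t51234\t198.51.100.7\t80\t"
    "bad.example\tIntel::DOMAIN\tHTTP::IN_HOST_HEADER\tIntel::DOMAIN\tfeed-a,feed-b\n"
    "1529434801.000000\t-\t-\t-\t-\t-\t"
    "198.51.100.8\tIntel::ADDR\tConn::IN_RESP\tIntel::ADDR\t(empty)\n"
    "#close\t2018-06-19-13-00-00\n"
)

# Conversion per scalar #types entry; addr, subnet, enum and string stay str.
SCALAR_PARSERS = {
    "time": float, "interval": float, "double": float,
    "count": int, "int": int, "port": int,
    "bool": lambda v: v == "T",
}
CONTAINER_TYPE = re.compile(r"(set|vector)\[(\w+)\]")


def _unescape(token: str) -> str:
    """Turn the header's \\xNN escapes (e.g. \\x09) into the real character."""
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), token)


class BroLogParser:
    def __init__(self) -> None:
        self.separator, self.set_separator = "\t", ","
        self.empty_field, self.unset_field = "(empty)", "-"
        self.path = None
        self.fields: List[str] = []
        self.types: List[str] = []

    def _header(self, line: str) -> None:
        # "#separator" is followed by a space because the separator is not
        # known yet; every later header line uses the separator itself.
        if line.startswith("#separator "):
            self.separator = _unescape(line[len("#separator "):])
            return
        key, _, value = line[1:].partition(self.separator)
        if key in ("set_separator", "empty_field", "unset_field", "path"):
            setattr(self, key, value)
        elif key in ("fields", "types"):
            setattr(self, key, value.split(self.separator))
        # "#open" and "#close" only carry rotation timestamps.

    def _convert(self, raw: str, type_name: str) -> Any:
        if raw == self.unset_field:          # optional field never set
            return None
        container = CONTAINER_TYPE.fullmatch(type_name)
        if container:                        # set[...] or vector[...]
            if raw == self.empty_field:
                return []
            scalar = SCALAR_PARSERS.get(container.group(2), str)
            return [scalar(v) for v in raw.split(self.set_separator)]
        if raw == self.empty_field:          # present but empty string
            return ""
        return SCALAR_PARSERS.get(type_name, str)(raw)

    def parse(self, text: str) -> Iterator[Dict[str, Any]]:
        for line in text.splitlines():
            if not line:
                continue
            if line.startswith("#"):
                self._header(line)
                continue
            cols = line.split(self.separator)
            if len(cols) != len(self.fields):
                raise ValueError(f"{len(self.fields)} fields, {len(cols)} columns: {line!r}")
            yield {n: self._convert(v, t) for n, v, t in zip(self.fields, cols, self.types)}


def parse_bro_log(text: str) -> List[Dict[str, Any]]:
    """Parse one log file's text into a list of typed records."""
    return list(BroLogParser().parse(text))
```

A delimiter-based search-time extraction in Splunk lists the field names statically per sourcetype rather than reading the #fields header the way this parser does, which is why every additional log type, intel.log included, needs its own props/transforms entry even though the delimiter is the same.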


On Tue, Jun 19, 2018 at 1:00 PM, Patrick Kelley <
patrick.kelley at criticalpathsecurity.com> wrote:

> Glad to hear/see that you have it sorted.
>
> Yes. It’s an increase. Yes. Cutting them up in Splunk is much easier than
> Logstash.
>
> *Patrick Kelley, CISSP, C|EH, ITIL*
> *CTO*
> patrick.kelley at criticalpathsecurity.com
>
>
> On Jun 19, 2018, at 12:54 PM, James Lay <jlay at slave-tothe-box.net> wrote:
>
> Appreciate that thanks Stephen....just making my own field extractions as
> we speak(type?)...easier than logstash ;)
>
> James
>
> On 2018-06-19 10:39, Hosom, Stephen M wrote:
>
> Careful with the JSON logs. They use significantly more index.
>
> That add-on does work with some minor modifications.
>
> You'll need to add a local transforms.conf to define a new REGEX and
> you'll probably want to turn off the pcap monitor.
>
> [BroAutoType]
> # optional "host." prefix, then the log name captured as $1, then ".log"
> REGEX = (?:[a-zA-Z0-9]+\.)?([a-zA-Z0-9_]+)\.log
>
> From: <bro-bounces at bro.org> on behalf of Patrick Kelley
> <patrick.kelley at criticalpathsecurity.com>
> Date: Tuesday, June 19, 2018 at 12:20 PM
> To: "jlay at slave-tothe-box.net" <jlay at slave-tothe-box.net>
> Cc: Bro-IDS <bro at bro.org>
> Subject: Re: [Bro] Another assist with Bro and Splunk
>
> Typically, I just ingest the json logs without issue.
>
> Are you experiencing a particular issue?
>
> Patrick Kelley, CISSP, C|EH, ITIL
> CTO
> patrick.kelley at criticalpathsecurity.com
>
> On Jun 19, 2018, at 8:56 AM, James Lay <jlay at slave-tothe-box.net> wrote:
>
> So...before I recreate the wheel I thought I'd fire this here.
>
> Situation:
> bro 2.5.4 on a box
> shipping off conn and ssl logs via rsyslog to another box
>
> So I've looked at:
> https://splunkbase.splunk.com/app/1617/#/overview
> but this appears pretty old.  So...before I go through the grueling
> process of manually getting field extractions, I'm betting someone else
> has already done the splunk-ish work.  Thanks for any assistance.
>
> James
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>


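Stephen's BroAutoType REGEX from the quoted message, exercised over constructed source paths as an added example (not code from the thread, the Splunk add-on, or Bro). Splunk evaluates a transforms.conf REGEX as an unanchored PCRE match and hands the first capture group to the stanza's FORMAT as $1, so Python's re.search with the same pattern shows what $1 would hold. The block shows the capture for live logs, for a copy prefixed with a host name, and for a rotated archive in BroControl's logs/<date>/ layout, where the unanchored pattern latches onto the last two digits of the rotation timestamp instead of the log name. The tightened pattern is my own suggestion, not from the thread. One further caveat for the setup in the original question: if the stanza keys on the source path (which a name-based autotype implies), logs shipped via rsyslog do not arrive under the Bro filename, so the transform only helps where Splunk reads the log files themselves.

```python
"""Exercise the BroAutoType REGEX from the thread against sample source paths.

Added example, not code from the thread, the Splunk add-on or Bro. Splunk
applies a transforms.conf REGEX as an unanchored PCRE match and hands the
first capture group to the stanza's FORMAT as $1, so re.search with the same
pattern shows what $1 would hold for a given source path. The paths are
constructed; they follow BroControl's layout (logs/current/ for live logs,
logs/<date>/ for rotated, gzipped archives).
"""
import re
from typing import Optional

# The pattern exactly as posted in the thread.
BRO_AUTOTYPE = re.compile(r"(?:[a-zA-Z0-9]+\.)?([a-zA-Z0-9_]+)\.log")

# Tightened variant (my suggestion, not from the thread): anchor on the last
# path component, let the optional host prefix contain dashes, and allow the
# HH:MM:SS-HH:MM:SS rotation stamp plus .gz, so the capture is always the log
# name and never a fragment of the timestamp.
BRO_AUTOTYPE_TIGHT = re.compile(
    r"(?:^|/)(?:[a-zA-Z0-9-]+\.)?([a-zA-Z0-9_]+)(?:\.[^/]+)?\.log(?:\.gz)?$"
)


def bro_log_type(source: str, pattern=BRO_AUTOTYPE) -> Optional[str]:
    """Return what $1 would be for this source path, or None if no match."""
    m = pattern.search(source)
    return m.group(1) if m else None


def bro_log_type_tight(source: str) -> Optional[str]:
    return bro_log_type(source, BRO_AUTOTYPE_TIGHT)


# Constructed source paths.
SAMPLE_SOURCES = [
    "/opt/bro/logs/current/conn.log",
    "/opt/bro/logs/current/x509.log",
    "/opt/bro/logs/current/capture_loss.log",
    "/var/log/bro/sensor01.conn.log",                          # host-prefixed copy
    "/opt/bro/logs/2018-06-19/conn.12:00:00-13:00:00.log.gz",  # rotated archive
    "/var/log/syslog",                                         # not a Bro log
]


def compare(sources=SAMPLE_SOURCES):
    """Map each path to (posted capture, tightened capture)."""
    return {s: (bro_log_type(s), bro_log_type_tight(s)) for s in sources}


if __name__ == "__main__":
    for src, (posted, tight) in compare().items():
        print(f"{src}\n    posted: {posted!r:<16} tightened: {tight!r}")
```

Running the block prints the two captures side by side; the rotated archive is the one row where they differ, which is the case to check before pointing a monitor at an archive directory rather than logs/current/.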