[Bro] An assist with Splunk addon

Patrick Kelley patrick.kelley at criticalpathsecurity.com
Fri May 18 10:15:50 PDT 2018


Echoing the same, but with some additional insight.  When app developers
build out a TA and Splunk app, they generally make a best effort to
anticipate what index and sourcetype an individual's data will claim when
ingested.  Sometimes that will fail.

However, this generally isn't very hard to remedy.  If you do the
following, you should be able to associate the proper information.

In the search window, you should be able to find the sourcetype and source
that is correlated with your Bro data.  With that information, go to the
Corelight App and press the "edit" button in the top right-hand corner of
the window.  You should then see some magnifying glass icons on the
panels.  If you click on those, you can substitute the sourcetype and
source data in the search query.  When you press "Save", the panels should
refresh and render your data.

If this isn't helpful, I apologize.

Feel free to reach out if you'd like more assistance.

-PK

On Fri, May 18, 2018 at 12:41 PM, Samuel Oehlert <soehlert at es.net> wrote:

> I haven't played with the Corelight App so I'm not sure what the index
> names they're looking for are, but usually I've found when TAs don't show
> anything, yet I can see it search, it's because the index name is not the
> same.
>
> - Sam
>
> On Thu, May 17, 2018 at 3:00 PM James Lay <jlay at slave-tothe-box.net>
> wrote:
>
>> Ok....so now I see data when searching:
>>
>> sourcetype="conn"
>>
>> However the Corelight App proper shows no info....any other hints?  Thank
>> you.
>>
>> James
>>
>> On 2018-05-17 11:39, James Lay wrote:
>>
>> Thanks all...puts me on the right track.
>>
>> James
>>
>>
>>
>> On 2018-05-17 11:19, Steve Brant wrote:
>>
>> This is because the indexer (listener) is expecting Splunk "cooked" data.
>> Your inputs.conf setting on the indexer is probably something like:
>>
>> [tcp://:9997]
>>
>> it should be:
>>
>> [splunktcp://:9997]
>>
>> https://docs.splunk.com/Documentation/Splunk/7.1.0/Admin/Inputsconf
>>
>> Steve
>>
>> On Thu, May 17, 2018 at 9:37 AM James Lay <jlay at slave-tothe-box.net>
>> wrote:
>>
>>> All,
>>>
>>> So I've been dabbling with Splunk, Bro, and the Corelight apps.  I set up
>>> a listener, installed the App on the Splunk server, and installed the
>>> Universal Forwarder (just trying it out; I know I can just use
>>> rsyslog/syslog-ng) on the machine that's running bro, pointed the Universal
>>> Forwarder to a listener, and installed the TA addon on the machine running
>>> bro and the Universal Forwarder.  Alas, my output is...unexpected:
>>>
>>>
>>> Anyone have any hints on what the issue might be?  Thank you.
>>>
>>> James
>>> _______________________________________________
>>> Bro mailing list
>>> bro at bro-ids.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>>
>>
>>
>>
>>
>>
>
>
>



-- 

*Patrick Kelley, CISSP, C|EH, ITIL*
*CTO*
patrick.kelley at criticalpathsecurity.com
(o) 770-224-6482
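Added example, not from anyone in this thread: a small POSIX shell check for the indexer-side misconfiguration Steve describes, a plain [tcp://...] stanza on the port the Universal Forwarder sends "cooked" data to, where a [splunktcp://...] stanza is needed. The inputs.conf path and the sample stanza are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): scan an indexer's inputs.conf for a
# raw [tcp://...] listener on the forwarder receiving port. A Universal
# Forwarder sends Splunk "cooked" data, which needs [splunktcp://...].
# Prints each offending stanza with its corrected form; returns 1 if any
# were found, 0 otherwise.
check_cooked_listener() {
    conf="$1"          # path to inputs.conf (assumed; typically under
                       # $SPLUNK_HOME/etc/system/local or an app's local/)
    port="${2:-9997}"  # forwarder receiving port, 9997 by default
    found=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | sed 's/[[:space:]]*$//')  # trim CR/space
        case "$line" in
            "[tcp://"*":$port]")
                fixed=$(printf '%s' "$line" | sed 's/^\[tcp:/[splunktcp:/')
                echo "$conf: raw TCP listener '$line' on forwarder port; use '$fixed'"
                found=1
                ;;
        esac
    done < "$conf"
    return $found
}

# Constructed sample reproducing the stanza from the thread.
demo() {
    tmp=$(mktemp)
    printf '%s\n' '[tcp://:9997]' 'disabled = 0' > "$tmp"
    if check_cooked_listener "$tmp"; then
        echo "no raw TCP listener on port 9997"
    fi
    rm -f "$tmp"
}
demo
```

On a live indexer the same stanzas can be listed with the real `splunk btool inputs list` command before pointing the check at the merged output.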