[Zeek] Some troubles with Corelight's Splunk app using Zeek 3.0.2

Carlos Lopez clopmz at outlook.com
Mon Mar 2 03:43:48 PST 2020


Good morning,

I've been using Corelight's Splunk application for several days now with only one sensor and everything works fine except for the "Data Exploration/Connections" view. It never shows me any results; it always shows "No results found". I have been debugging the searches with the "inspect" option and it is correct: none of those searches return results.

An example: for the Top Services view, Corelight's app performs the following search:

search (NOT sensor_name!="*" id_orig_h="*" id_orig_p="*" id_resp_h="*" id_resp_p="*" NOT is_broadcast="true" service="*" (eventtype=bro_conn OR eventtype=corelight_conn)) | top service limit=15

with no result. But if I use the following search in Splunk's general view:

search (NOT is_broadcast="true" (eventtype=corelight_conn)) | top service limit=15

I get results, as you can see in the attached screenshot.

Am I doing something wrong, or is it a bug?

Many thanks



Regards,
C. L. Martinez
-------------- next part --------------
A non-text attachment was scrubbed...
Name: corelight.png
Type: image/png
Size: 36459 bytes
Desc: corelight.png
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200302/0d2bc211/attachment-0001.bin 
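The two searches above differ only in the extra `field="*"` terms the app adds. Under Splunk's documented rule, `field="*"` matches only events in which that field exists with a non-empty value, so any term whose field is not extracted for the eventtype silently empties the result. The following script (an added diagnostic, not part of the original post or of Corelight's app) replays those terms over constructed Zeek conn records to show which term excludes each event; the sample records and the `rename_dotted` switch that mimics a field alias from `id.orig_h` to `id_orig_h` are assumptions for illustration.

```python
import json
from collections import Counter

# Constructed Zeek conn.log records (JSON form, not real data). Two carry a
# service; the third has none, as Zeek leaves it unset when nothing was detected.
SAMPLE_LOG = "\n".join([
    '{"ts":1583143428.1,"uid":"C1","id.orig_h":"10.0.0.5","id.orig_p":51000,'
    '"id.resp_h":"10.0.0.9","id.resp_p":53,"proto":"udp","service":"dns"}',
    '{"ts":1583143429.2,"uid":"C2","id.orig_h":"10.0.0.6","id.orig_p":51001,'
    '"id.resp_h":"10.0.0.10","id.resp_p":443,"proto":"tcp","service":"ssl"}',
    '{"ts":1583143430.3,"uid":"C3","id.orig_h":"10.0.0.7","id.orig_p":51002,'
    '"id.resp_h":"10.0.0.11","id.resp_p":9999,"proto":"tcp"}',
])

# The app's field="*" terms: in Splunk each matches only events in which the
# field exists with a non-empty value. (NOT sensor_name!="*" is not modelled:
# under Splunk's NOT / != rules that term excludes nothing.)
WILDCARD_TERMS = ["id_orig_h", "id_orig_p", "id_resp_h", "id_resp_p", "service"]

def parse_conn_log(text, rename_dotted=True):
    """Parse JSON conn records; optionally map Zeek's id.orig_h style names to
    the id_orig_h style the app searches for (what a working alias would do)."""
    events = []
    for line in text.splitlines():
        ev = json.loads(line)
        if rename_dotted:
            ev = {k.replace(".", "_"): v for k, v in ev.items()}
        events.append(ev)
    return events

def failing_term(event):
    """Return the first search term that excludes this event, or None if it matches."""
    if str(event.get("is_broadcast", "")).lower() == "true":
        return 'NOT is_broadcast="true"'
    for field in WILDCARD_TERMS:
        value = event.get(field)
        if value is None or value == "":
            return f'{field}="*"'
    return None

def diagnose(events):
    """Count how many events each term drops; a term that drops all of them is
    the one to check against the field extractions for that eventtype."""
    return Counter(failing_term(ev) or "matched" for ev in events)

def top_services(events, limit=15):
    """Equivalent of '| top service limit=15' over the events that pass the search."""
    counts = Counter(ev["service"] for ev in events if failing_term(ev) is None)
    return counts.most_common(limit)
```

Running `diagnose(parse_conn_log(SAMPLE_LOG, rename_dotted=False))` attributes every dropped event to `id_orig_h="*"`, which is the pattern to look for in the Splunk job inspector when the app's search is empty while the plain eventtype search is not.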