Add VLAN tags to all Bro logs
sethhall Merge pull request #1 from JustinAzoff/JustinAzoff-patch-1
Use new_connection to match udp and incomplete tcp
Latest commit 8909e93 Apr 19, 2019
Type Name Latest commit message Commit time
scripts Use new_connection to match udp and incomplete tcp Apr 19, 2019
COPYING Initial commit. Oct 27, 2017
README.rst Adding an authors section. Oct 27, 2017
bro-pkg.meta Initial commit. Oct 27, 2017

README.rst

Add VLAN tags to all Bro logs

This script adds VLAN tags to all of the Bro logs that have the conn_id (id) field.

Installation

bro-pkg refresh
bro-pkg install corelight/log-add-vlan-everywhere

Usage

Once the script is loaded, all Bro logs that contain connection information through the c$id field should have two additional fields that indicate VLAN tags, named vlan and inner_vlan.

Potential Side Effects

Loading this script can have side effects if another script indexes tables on the c$id field. Most modern scripts do not do this, and nothing in the core Bro distribution does.

To limit trouble from this indexing issue, the script grabs the VLAN information only from the connection_established event, because any other script that uses c$id for indexing would probably always get the value that had already been collected anyway.

If you think that this script is impacting any other script, please reach out to us at support@corelight.com and let us know which script you think it might be impacting.
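
The indexing side effect described above, as an added Bro script example that is not part of this package. It assumes the package extends conn_id with optional vlan and inner_vlan fields; the table names by_id and by_tuple are hypothetical. On Zeek, use zeek_init in place of bro_init.

```bro
# Added example (not the package's code). Run stand-alone, without the package
# loaded: the redef below stands in for what the package is ASSUMED to do,
# based on the vlan/inner_vlan field names this README gives.
redef record conn_id += {
	vlan: int &optional &log;
	inner_vlan: int &optional &log;
};

# Hypothetical third-party state, keyed on the whole conn_id record.
global by_id: table[conn_id] of string;

# Hypothetical alternative keyed only on the 4-tuple.
global by_tuple: table[addr, port, addr, port] of string;

event bro_init()
	{
	# Constructed sample connection; no traffic is needed.
	local id: conn_id = [$orig_h=10.0.0.1, $orig_p=49152/tcp,
	                     $resp_h=10.0.0.2, $resp_p=443/tcp];

	# State stored before the VLAN tag has been copied into the record.
	by_id[id] = "state stored early";
	by_tuple[id$orig_h, id$orig_p, id$resp_h, id$resp_p] = "state stored early";

	# The tag arrives later. Table keys are hashed by value, so the record
	# now hashes differently from the key that was inserted.
	id$vlan = 100;

	print fmt("lookup by conn_id after tagging: %s", id in by_id);
	print fmt("lookup by 4-tuple after tagging: %s",
	          [id$orig_h, id$orig_p, id$resp_h, id$resp_p] in by_tuple);
	}
```

Inside connection event handlers, keying such tables on c$uid is another index that does not depend on the contents of c$id.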

Authors

Nate Guagenti @neu5ron
Seth Hall <seth@corelight.com>
