set zeek.uid to conn_uids for files.log entries #33
Assignees
Projects
Comments
mmguero
added
logstash
mmguero
added a commit
to mmguero-dev/Malcolm
that referenced
this issue
Jan 25, 2021
|
Fixed in 2.6.1. |
mmguero
added a commit
to cisagov/Malcolm
that referenced
this issue
Feb 5, 2021
Malcolm v2.6.1 contains the following changes: v2.6.0...v2.6.1 * Added [TFTP](https://en.wikipedia.org/wiki/Trivial_File_Transfer_Protocol) [Zeek parser](https://github.com/zeek/spicy-tftp) and corresponding Logstash parsing, Arkime WISE support and Kibana dashboards * Provide browser-based access to zeek/extracted-files directory (idaholab#34) * Fix LDAP analyzer not parsing all events (idaholab#35) * Provide more fine-tuned controls for Zeek's node.cfg in Hedgehog sensor (idaholab#36, /pull/158) * set zeek.uid to conn_uids for files.log entries (idaholab#33) * Modify Zeek build chain to use default GCC compilers instead of LLVM/clang,which reduces build dependencies * Use Firefox instead of Chromium for browser in ISO-installed versions of Malcolm and in Hedgehog Linux * Updated copyright notices in text from "2020" to "2021" (which is the bulk of the changed files in this commit) * Version bumps * Yara to 4.0.4
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
It appears that for (at least some) files.log entries, the FUID is getting set for both zeek.uid and zeek.fuid. It would be more useful to put the connection ID(s) in zeek.uid.
The text was updated successfully, but these errors were encountered: