This repository has been archived by the owner on Apr 16, 2021. It is now read-only.

Update CapME with a new option to query Bro conn.log via ELSA #348

Closed
GoogleCodeExporter opened this issue Mar 24, 2015 · 3 comments

Comments

@GoogleCodeExporter

- Extend Bro's conn.log to include the name of the Bro worker that saw the connection (HOSTNAME-INTERFACE).
- Extend CapMe to query the ELSA API (instead of the Sguil sancp table) for the src/dst IP/port and parse the name of the worker out of the result.
- CapMe then submits a cliscript request to the pcap_agent with the same name as the Bro worker (HOSTNAME-INTERFACE) to retrieve the transcript.

https://groups.google.com/d/topic/security-onion/CpsJKY9yC04/discussion

Original issue reported on code.google.com by doug.bu...@gmail.com on 19 Jun 2013 at 2:11
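A worked illustration of the lookup step the issue describes (match a flow by src/dst IP/port, pull the HOSTNAME-INTERFACE worker name out of the matching conn.log record, and check it is well formed before it is used to pick a pcap_agent). This is added example code, not code from the CapME, ELSA or Security Onion projects. The column name `sensorname`, the trimmed conn.log layout and the sample rows are constructed assumptions; Bro's real conn.log has more columns, and the ELSA API response format is not shown here.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample in Bro's tab-separated ASCII log format. The "#fields"
# header names the columns; "sensorname" is an ASSUMED name for the extra
# HOSTNAME-INTERFACE column the issue proposes. Real conn.log has more columns.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tsensorname\n"
    "1371650000.123456\tCXWv6p3arKYeMETxOg\t10.0.0.5\t51234\t93.184.216.34\t80\ttcp\tsensor1-eth1\n"
    "1371650001.654321\tC4J4Th3PJpwUYZZ6gc\t10.0.0.7\t44000\t10.0.0.1\t53\tudp\tsensor2-eth0\n"
    "1371650002.000000\tCxxxx1\t10.0.0.9\t1\t10.0.0.2\t22\ttcp\tsensor3 eth0\n"
)

# A worker name is HOSTNAME-INTERFACE: hostname label(s), a hyphen, then an
# interface name. Log content is untrusted input to CapME, so anything outside
# this alphabet is rejected before it is used to address a pcap_agent.
WORKER_NAME_RE = re.compile(r"^[A-Za-z0-9.-]+-[A-Za-z0-9]+$")


def parse_conn_log(text: str) -> List[Dict[str, str]]:
    """Parse a tab-separated Bro log into dicts keyed by the #fields header."""
    fields: Optional[List[str]] = None
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other metadata lines (#separator, #close, ...)
        if fields is None:
            raise ValueError("data row before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("column count does not match #fields header")
        records.append(dict(zip(fields, values)))
    return records


def validate_worker_name(name: str) -> str:
    """Return the name if it is a well-formed HOSTNAME-INTERFACE, else raise."""
    if not WORKER_NAME_RE.match(name):
        raise ValueError(f"malformed worker name: {name!r}")
    return name


def find_worker(records: List[Dict[str, str]], src_ip: str, src_port: int,
                dst_ip: str, dst_port: int) -> Optional[str]:
    """Return the worker that saw the flow matching the src/dst IP/port 4-tuple.

    Bro records the originator as id.orig_*; CapME may be handed the tuple in
    either direction, so both orientations are matched. Returns None when no
    record matches.
    """
    want = (ipaddress.ip_address(src_ip), int(src_port),
            ipaddress.ip_address(dst_ip), int(dst_port))
    reverse = (want[2], want[3], want[0], want[1])
    for rec in records:
        seen = (ipaddress.ip_address(rec["id.orig_h"]), int(rec["id.orig_p"]),
                ipaddress.ip_address(rec["id.resp_h"]), int(rec["id.resp_p"]))
        if seen == want or seen == reverse:
            return validate_worker_name(rec["sensorname"])
    return None


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_CONN_LOG)
    print(find_worker(recs, "10.0.0.5", 51234, "93.184.216.34", 80))  # sensor1-eth1
    print(find_worker(recs, "192.0.2.1", 1, "192.0.2.2", 2))          # None
```

The validation step is the part worth keeping in mind: the worker name travels from a sensor's log, through ELSA, into a request that selects which pcap_agent runs the cliscript, so it should be checked against the expected HOSTNAME-INTERFACE shape rather than passed through verbatim.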

@GoogleCodeExporter
Author

Submitted to testers.

Original comment by doug.bu...@gmail.com on 4 Jul 2013 at 10:50

  • Changed state: Started

@GoogleCodeExporter
Author

Tested by:
Matt Gregory
David Zawdie
Michal Purzynski

Original comment by doug.bu...@gmail.com on 11 Jul 2013 at 10:21

@GoogleCodeExporter
Author

Published:
http://securityonion.blogspot.com/2013/07/new-securityonion-bro-scripts-and.html

Original comment by doug.bu...@gmail.com on 11 Jul 2013 at 11:24

  • Changed state: Verified
