
Update CapME with a new option to query Bro conn.log via ELSA #348

Closed
GoogleCodeExporter opened this Issue Mar 24, 2015 · 3 comments

- Extend Bro's conn.log to include the name of the Bro worker that saw the connection (HOSTNAME-INTERFACE).
- Extend CapMe to query the ELSA API (instead of the Sguil sancp table) for the src/dst IP/port and parse the name of the worker out of the result.
- CapMe then submits a cliscript request to the pcap_agent with the same name as the Bro worker (HOSTNAME-INTERFACE) to retrieve the transcript.

https://groups.google.com/d/topic/security-onion/CpsJKY9yC04/discussion

Original issue reported on code.google.com by doug.bu...@gmail.com on 19 Jun 2013 at 2:11
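An added example (not code from this issue, CapMe or Security Onion) of the middle step above: read a Bro conn.log in its tab-separated ASCII format, find the record for the given src/dst IP/port, and split the worker name into HOSTNAME and INTERFACE so the matching pcap_agent can be addressed. The worker column name `sensorname` is an assumption (the issue does not name it), and the sample log is constructed.

```python
"""Look up which Bro worker (HOSTNAME-INTERFACE) saw a connection in conn.log."""

WORKER_FIELD = "sensorname"  # assumed name of the column carrying HOSTNAME-INTERFACE

# Constructed sample in Bro's ASCII log format: '#fields' names the columns,
# '-' is the unset marker, and records are tab separated.
SAMPLE_CONN_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tsensorname
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring
1372000000.123456\tCAbc123\t192.0.2.10\t51234\t198.51.100.5\t80\ttcp\thttp\tsensor1-eth1
1372000001.654321\tCDef456\t192.0.2.11\t44321\t198.51.100.6\t443\ttcp\tssl\tsensor2-eth2
1372000002.000000\tCGhi789\t192.0.2.12\t40000\t198.51.100.7\t22\ttcp\tssh\t-
"""


def parse_conn_log(lines):
    """Yield one dict per record, keyed by the column names from the #fields header."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):  # other header lines and #close
            continue
        if fields is None:
            raise ValueError("conn.log record before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        yield dict(zip(fields, values))


def find_worker(lines, src_ip, src_port, dst_ip, dst_port):
    """Return (hostname, interface) for the worker that saw the 4-tuple, or None.

    Either direction of the connection is accepted, since the analyst's src/dst
    may be the responder/originator in Bro's view. The interface is taken after
    the last '-', so hostnames containing hyphens still split correctly.
    """
    wanted = {(src_ip, str(src_port), dst_ip, str(dst_port)),
              (dst_ip, str(dst_port), src_ip, str(src_port))}
    for rec in parse_conn_log(lines):
        key = (rec["id.orig_h"], rec["id.orig_p"], rec["id.resp_h"], rec["id.resp_p"])
        if key not in wanted:
            continue
        worker = rec.get(WORKER_FIELD, "-")
        host, sep, iface = worker.rpartition("-")
        return (host, iface) if sep and host and iface else None  # unset or malformed
    return None
```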

Submitted to testers.

Original comment by doug.bu...@gmail.com on 4 Jul 2013 at 10:50

  • Changed state: Started
Tested by:
Matt Gregory
David Zawdie
Michal Purzynski

Original comment by doug.bu...@gmail.com on 11 Jul 2013 at 10:21

Published:
http://securityonion.blogspot.com/2013/07/new-securityonion-bro-scripts-and.html

Original comment by doug.bu...@gmail.com on 11 Jul 2013 at 11:24

  • Changed state: Verified