This repository was archived by the owner on Apr 16, 2021. It is now read-only.

Update CapME with a new option to query Bro conn.log via ELSA #348

@GoogleCodeExporter
- Extend Bro's conn.log to include the name of the Bro worker that saw the connection (HOSTNAME-INTERFACE).
- Extend CapMe to query the ELSA API (instead of the Sguil sancp table) for the src/dst IP/port and parse the name of the worker out of the result.
- CapMe then submits a cliscript request to the pcap_agent with the same name as the Bro worker (HOSTNAME-INTERFACE) to retrieve the transcript.

https://groups.google.com/d/topic/security-onion/CpsJKY9yC04/discussion

Original issue reported on code.google.com by doug.bu...@gmail.com on 19 Jun 2013 at 2:11
