brimdata / build-suricata

Build Suricata for packaging with Brim
8 stars 2 forks

Disable "escape-slash" config #40

Closed philrz closed 3 years ago

philrz commented 3 years ago

Per https://github.com/brimsec/zq/issues/1687#issuecomment-732813121, @henridf has discovered that we can make the Community ID values in the EVE JSON log line up with the ones from Zeek if we change the suricata.yaml escape-slash config to "no" (https://suricata.readthedocs.io/en/suricata-6.0.0/output/eve/eve-json-output.html#json-flags).
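To make the effect of that setting concrete, here is an added example (not code from this repository, Brim, or Suricata) that computes Community ID v1 the way both Zeek and Suricata do, then serializes an EVE-style alert record with slashes escaped (what `escape-slash: yes` produces, emulated here with a string replace rather than by running Suricata) and unescaped (`escape-slash: no`). A Zeek conn record carrying the same Community ID is joined against each form two ways: a naive raw-text match, and a match after JSON-decoding. The 10.0.0.5 to 192.0.2.10 flow, the signature name, and the search for a port whose ID happens to contain a `/` are all constructed for the example; the two join functions are a simplified stand-in for how a log consumer might compare the values, not a description of zq's internals.

```python
import base64
import hashlib
import ipaddress
import json
import socket
import struct

# Added example: Community ID v1 plus an emulation of Suricata's escape-slash
# EVE setting. The flows, ports and signature below are constructed test data.

PROTO_NUM = {"tcp": socket.IPPROTO_TCP, "udp": socket.IPPROTO_UDP}


def community_id(saddr, sport, daddr, dport, proto="tcp", seed=0):
    """Community ID v1: "1:" + base64(sha1(seed|addr|addr|proto|pad|port|port)).
    The endpoint pair is put in canonical order so both directions of a flow
    hash to the same value (this is why Zeek and Suricata can agree on it)."""
    sa, da = ipaddress.ip_address(saddr), ipaddress.ip_address(daddr)
    if (sa, sport) > (da, dport):  # lower (address, port) endpoint goes first
        sa, da, sport, dport = da, sa, dport, sport
    buf = (struct.pack("!H", seed) + sa.packed + da.packed
           + struct.pack("!BBHH", PROTO_NUM[proto], 0, sport, dport))
    return "1:" + base64.b64encode(hashlib.sha1(buf).digest()).decode()


def eve_line(record, escape_slash=True):
    """Serialize one EVE JSON line. With escape_slash=True every "/" becomes
    "\\/" (valid JSON, as Suricata's escape-slash: yes writes it); with
    escape_slash=False the slash is left alone, matching Zeek's text."""
    text = json.dumps(record, separators=(",", ":"))
    return text.replace("/", "\\/") if escape_slash else text


def join_raw(zeek_conn, eve_lines):
    """Naive join: look for the Zeek community_id verbatim in the raw EVE text.
    Breaks as soon as the value contains a slash that was written as "\\/"."""
    needle = '"community_id":"%s"' % zeek_conn["community_id"]
    return [line for line in eve_lines if needle in line]


def join_parsed(zeek_conn, eve_lines):
    """Robust join: JSON-decode each EVE line first, so "\\/" and "/" compare
    equal regardless of the escape-slash setting."""
    cid = zeek_conn["community_id"]
    return [r for r in map(json.loads, eve_lines) if r.get("community_id") == cid]


def flow_with_slash(start_port=1024):
    """Scan constructed source ports until the Community ID contains a "/"
    (roughly one in three base64 digests does). Returns (sport, community_id)."""
    for sport in range(start_port, 65536):
        cid = community_id("10.0.0.5", sport, "192.0.2.10", 443)
        if "/" in cid:
            return sport, cid
    raise RuntimeError("no Community ID with a slash found")


def demo():
    """Join one Zeek conn record against the same alert written both ways.
    Returns how many EVE records matched under each strategy."""
    sport, cid = flow_with_slash()
    zeek_conn = {"_path": "conn", "id.orig_h": "10.0.0.5", "id.orig_p": sport,
                 "id.resp_h": "192.0.2.10", "id.resp_p": 443, "community_id": cid}
    alert = {"event_type": "alert", "src_ip": "10.0.0.5", "src_port": sport,
             "dest_ip": "192.0.2.10", "dest_port": 443,
             "community_id": community_id("10.0.0.5", sport, "192.0.2.10", 443),
             "alert": {"signature": "CONSTRUCTED test signature"}}
    escaped = [eve_line(alert, escape_slash=True)]   # escape-slash: yes
    plain = [eve_line(alert, escape_slash=False)]    # escape-slash: no
    return {
        "raw_join_escaped": len(join_raw(zeek_conn, escaped)),        # 0
        "raw_join_plain": len(join_raw(zeek_conn, plain)),            # 1
        "parsed_join_escaped": len(join_parsed(zeek_conn, escaped)),  # 1
    }


if __name__ == "__main__":
    print(demo())
```

The takeaway for anyone joining Zeek and Suricata logs: a Community ID is opaque text, so either disable `escape-slash` so both producers emit byte-identical values (the fix taken in this issue), or make sure the consumer decodes JSON string escapes before comparing; `join_parsed` shows the latter working even against the escaped form.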

philrz commented 3 years ago

Verified in scratch release artifact Brim-rc-v0.20.0-suricata18.dmg.

Now I can reliably join on Community ID values, even when they contain forward slashes. For instance, using the wrccdc.2018-03-23.010014000000000.pcap.gz that I often use for smoke testing, first I grab all the Suricata alerts:

[screenshot]

Then let's say I pivot to the "Potentially bad traffic" ones.

[screenshot]

Double-clicking the top event, we see in Log Details that this one has a Community ID value containing a forward slash.

[screenshot]

I can now right-click and do a "New search with this value" and see the multiple Suricata alerts for this connection, also joined with the Zeek conn record that shares the same Community ID value.

[screenshot]

Thanks @henridf!