search

caliskanfurkan / enterprise-log-search-and-archive

Automatically exported from code.google.com/p/enterprise-log-search-and-archive
0 stars 0 forks source link

BRO_FILE class pattern missing field #154

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago 
The patterndb.xml entry introduced in r921 to classify bro notice logs of type 
http::md5 as BRO_FILE needs one more field "tcp" to match the logs properly.

After updating, the logs are still falling under BRO_NOTICE.

Please provide any additional information below.
I put "tcp|" before the "HTTP::MD5" string:

FROM:
<pattern>@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTR
ING:i3:|@HTTP::MD5|@IPv4::@ @ESTRING:s0: 
@http@ESTRING:://@@ESTRING:s1:/@@ESTRING:s2:|@</pattern>

TO:
<pattern>@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTR
ING:i3:|@tcp|HTTP::MD5|@IPv4::@ @ESTRING:s0: 
@http@ESTRING:://@@ESTRING:s1:/@@ESTRING:s2:|@</pattern>

Here is an example log:
1371180906.849138|GLpYlrVYE0l|10.0.0.7|44187|74.52.165.218|80|tcp|HTTP::MD5|10.0
.0.7 b36b2e3ca24d80973c59bfbda1c4800b 
http://fs11.filehippo.com/1353/42ab94ae8a164732b8115b00fddfbafb/ccsetup402.exe|b
36b2e3ca24d80973c59bfbda1c4800b|10.0.0.7|74.52.165.218|80|-|worker-1|Notice::ACT
ION_LOG|6|3600.000000|F|-|-|-|-|-|-|-|-

Original issue reported on code.google.com by kebut...@gmail.com on 14 Jun 2013 at 4:10

GoogleCodeExporter commented 9 years ago 
I added another pattern to account for tcp, but left the other in case it's a 
difference in Bro versions.  Thanks!

Original comment by mchol...@gmail.com on 14 Jun 2013 at 1:10