All Apps and Add-ons

Splunk Add-on for Bro IDS: How can I contribute to this app?

renaudholcombe
Engager

I've been using the Bro add-on and it's been working well, but there are a couple serious problems that I've run into while using it:

  1. I ended up with thousands of sourcetypes for "too-small" each prefixed with the MD5 hash of the pcap file (seems to be a problem with the PREFIX_SOURCETYPE settings in props.conf combined with the use of the MD5 hash of the pcap file in the log filename) that overloaded the parsing engine.

  2. This might have to be something that needs tuning on the pcap capture side, but at least once a day there will be a failure to read the pcap file (possibly due to the file being rolled over before processing can occur) and this will completely crash the part of the plugin that invokes bro (pcap_monitor.py) that requires either a full restart of splunk or enabling/disabling the plugin to bring it back up.

I dug around in the source code for the add-on and the fixes for both seem pretty straightforward and I was wondering what if any procedure there would be for me to contribute those to you (since it's Splunk-built) for inclusion in a new release of the add-on. I'm also looking into making any modifications necessary to support bro 2.5.x (so far, it's been working well with a modification or two).

Thanks!

1 Solution

lfedak_splunk
Splunk Employee
Splunk Employee

Hello @renaudholcombe, I just sent you an email to connect you with two members of the product team. They'd love to chat with you about the add-on.

View solution in original post

kevinmd_2
New Member

Thank you for the info!

0 Karma

renaudholcombe
Engager

@kevinmd_2, I'll have to look further to confirm, but I believe the only changes were to the bro.seed file and possibly to the bro.local file to remove some deprecated references. There's still a quirk with processing intel logs, but I haven't had a chance to look deeper into that.

0 Karma

kevinmd_2
New Member

Hello renaudholcombe. I am looking to deploy this add-on for BroIDS 2.5 as well. You had mentioned it is working well for you with a few minor modifications. I was wondering if you could share any tips in regards to your experience in getting this to work?

Thanks!

0 Karma

lfedak_splunk
Splunk Employee
Splunk Employee

Hello @renaudholcombe, I just sent you an email to connect you with two members of the product team. They'd love to chat with you about the add-on.

mnmblair
Explorer

I too have been using the app for some time and really appreciate it. How can we recommend a change this app? I would like to modify the auto sourcetyping in transforms.conf. Currently ,it does not account for log filename formats with underscore, i.e. smb_files.log. This puts files.log and smb_files.log in same sourcetype. The modbus_register_change.log is mapped to bro_change sourcetype.

Current: 

REGEX = (?:[a-zA-Z0-9]+\.)?([a-zA-Z0-9]+)\.log

Recommended Change:

One capture group with entire filename in current Bro/Zeek naming convention format.

REGEX =([a-zA-Z0-9\_]+)\.log

This will make all log filenames sourcetypes with bro_ appended to it.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...