I've been using the Bro add-on and it's been working well, but there are a couple serious problems that I've run into while using it:
I ended up with thousands of sourcetypes for "too-small", each prefixed with the MD5 hash of the pcap file (this seems to be a problem with the PREFIX_SOURCETYPE setting in props.conf combined with the use of the MD5 hash of the pcap file in the log filename), which overloaded the parsing engine.
This might have to be something that needs tuning on the pcap capture side, but at least once a day there will be a failure to read the pcap file (possibly due to the file being rolled over before processing can occur), and this completely crashes the part of the plugin that invokes bro (pcap_monitor.py), which then requires either a full restart of Splunk or disabling and re-enabling the plugin to bring it back up.
I dug around in the source code for the add-on, and the fixes for both seem pretty straightforward. I was wondering what procedure, if any, there would be for me to contribute those to you (since it's Splunk-built) for inclusion in a new release of the add-on. I'm also looking into making any modifications necessary to support Bro 2.5.x (so far, it's been working well with a modification or two).
Thanks!
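The second failure mode described above (one unreadable or rolled-over pcap taking the whole monitor down until Splunk or the plugin is restarted) is the kind of thing a fault-isolating wrapper around the per-file invocation prevents. The following is an added Python example written for this thread, not code from the add-on or from its pcap_monitor.py; `check_pcap_file`, `process_pcaps` and `fake_runner` are hypothetical names, the sample paths are constructed, and the only facts it relies on are the standard libpcap global-header magic numbers.

```python
import logging

log = logging.getLogger("pcap_monitor_example")

# libpcap global-header magic numbers: microsecond and nanosecond variants, both byte orders
PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4", b"\x4d\x3c\xb2\xa1", b"\xa1\xb2\x3c\x4d"}
PCAP_GLOBAL_HEADER_LEN = 24

def pcap_header_ok(data):
    """True if data starts with a complete libpcap global header carrying a known magic."""
    return len(data) >= PCAP_GLOBAL_HEADER_LEN and data[:4] in PCAP_MAGICS

def check_pcap_file(path):
    """Raise OSError (missing/unreadable) or ValueError (truncated or foreign header) for a bad capture.
    Meant to run before handing the file to an external tool so a half-written capture is caught early."""
    with open(path, "rb") as fh:
        head = fh.read(PCAP_GLOBAL_HEADER_LEN)
    if not pcap_header_ok(head):
        raise ValueError("missing or truncated pcap header: %s" % path)

def process_pcaps(paths, runner):
    """Call runner(path) for each capture. A failure on one file is logged and skipped so the
    monitor loop keeps going; returns (processed paths, [(failed path, exception class name)])."""
    processed, failed = [], []
    for path in paths:
        try:
            runner(path)
        except (OSError, ValueError) as exc:
            # Isolate the fault: record it and move on instead of letting it unwind the loop
            log.warning("skipping %s: %s", path, exc)
            failed.append((path, type(exc).__name__))
            continue
        processed.append(path)
    return processed, failed

def fake_runner(path):
    """Constructed stand-in for the bro invocation: fails for any path containing 'rolled'."""
    if "rolled" in path:
        raise OSError("capture vanished before it could be read: %s" % path)
    return path

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Constructed sample: one capture disappears mid-run, the other two are processed normally
    print(process_pcaps(["cap1.pcap", "rolled-over.pcap", "cap2.pcap"], fake_runner))
```

In a real monitor the `runner` would call `check_pcap_file` and then launch the external process; the point is that the per-file try/except keeps one bad capture from requiring a restart of the whole input, and the failed list gives you something to alert on when rollovers happen more often than expected.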
Hello @renaudholcombe, I just sent you an email to connect you with two members of the product team. They'd love to chat with you about the add-on.
Thank you for the info!
@kevinmd_2, I'll have to look further to confirm, but I believe the only changes were to the bro.seed file and possibly to the bro.local file to remove some deprecated references. There's still a quirk with processing intel logs, but I haven't had a chance to look deeper into that.
Hello renaudholcombe. I am looking to deploy this add-on for BroIDS 2.5 as well. You had mentioned it is working well for you with a few minor modifications. I was wondering if you could share any tips with regard to your experience in getting this to work?
Thanks!
I too have been using the app for some time and really appreciate it. How can we recommend a change to this app? I would like to modify the auto sourcetyping in transforms.conf. Currently, it does not account for log filename formats with an underscore, e.g. smb_files.log. This puts files.log and smb_files.log in the same sourcetype. The modbus_register_change.log is mapped to the bro_change sourcetype.
Current:
REGEX = (?:[a-zA-Z0-9]+\.)?([a-zA-Z0-9]+)\.log
Recommended Change:
One capture group with entire filename in current Bro/Zeek naming convention format.
REGEX = ([a-zA-Z0-9_]+)\.log
This will make every log filename a sourcetype with bro_ appended to it.
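To see exactly how the two patterns differ on real Bro/Zeek log names, here is an added Python example (not part of the thread and not the add-on's code) that runs both REGEX values from the post above over a constructed set of log paths and reports which sourcetypes collide. It assumes the accompanying transforms.conf FORMAT builds the sourcetype as `bro_` plus capture group 1, as the post implies; the sample paths and the helper names `sourcetype_for` and `sourcetype_collisions` are mine. Splunk applies REGEX as an unanchored PCRE search, and Python's `re.search` behaves identically for these two patterns.

```python
import re

# Pattern as it ships in the add-on's transforms.conf, quoted from the post above
CURRENT_REGEX = re.compile(r"(?:[a-zA-Z0-9]+\.)?([a-zA-Z0-9]+)\.log")
# Pattern proposed in the post: one capture group over the whole basename, underscores included
PROPOSED_REGEX = re.compile(r"([a-zA-Z0-9_]+)\.log")

# Assumed: the matching FORMAT is sourcetype::bro_$1, i.e. bro_ plus capture group 1
SOURCETYPE_PREFIX = "bro_"

def sourcetype_for(source, pattern):
    """Return the sourcetype the pattern would assign to a log source path, or None if it does not match."""
    match = pattern.search(source)
    if match is None:
        return None
    return SOURCETYPE_PREFIX + match.group(1)

def sourcetype_collisions(sources, pattern):
    """Group sources by assigned sourcetype and return only the sourcetypes shared by more than one log."""
    by_type = {}
    for src in sources:
        by_type.setdefault(sourcetype_for(src, pattern), []).append(src)
    return {st: srcs for st, srcs in by_type.items() if len(srcs) > 1}

# Constructed sample of live Bro/Zeek log paths, including the two named in the post
SAMPLE_SOURCES = [
    "/opt/bro/logs/current/conn.log",
    "/opt/bro/logs/current/files.log",
    "/opt/bro/logs/current/smb_files.log",
    "/opt/bro/logs/current/modbus_register_change.log",
    "/opt/bro/logs/current/dns.log",
]

if __name__ == "__main__":
    for src in SAMPLE_SOURCES:
        print(src, "->", sourcetype_for(src, CURRENT_REGEX), "|", sourcetype_for(src, PROPOSED_REGEX))
    print("collisions with current regex:", sourcetype_collisions(SAMPLE_SOURCES, CURRENT_REGEX))
    print("collisions with proposed regex:", sourcetype_collisions(SAMPLE_SOURCES, PROPOSED_REGEX))
```

With the current pattern the search skips past the underscore and only captures the final word, so smb_files.log lands in bro_files and modbus_register_change.log in bro_change; the proposed pattern keeps the whole basename and the collision set is empty. One caveat worth checking in your own deployment: both patterns assume the live `current/` naming, and if the input also picks up rotated archives whose names carry timestamps, the trailing digits before `.log` will be captured instead, so those paths need their own test.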