
[Splunk Add-on for Bro IDS] When will the current Known Issues be addressed?

mikaelbje
Motivator

There haven't been any updates to the Splunk Add-on for BRO IDS since March 31 2015 and the list of known issues is giving me a few challenges.

I'm specifically interested in seeing these fixed:

Publication date   Defect number   Description
03/30/14           ADDON-3517      Fix event types and tags, make compliant
10/27/14           ADDON-2207      Several properties configured to extract bytes fields, which is not the correct method to do conditional field aliasing.
10/27/14           ADDON-2206      bro_action_lookup is not functioning.
04/24/14           ADDON-1379      Bro logs contain a field named 'host' that conflicts with Splunk's host field.

All of the above Known Issues are from 2014.

When can we expect an update?

Mikael


ehaddad_splunk
Splunk Employee

Hi,

Thank you for following up. We are working on releasing an update for the Splunk Add-on for Bro which includes fixes to the ones you have highlighted and others.
ADDON-2206 will not be fixed because no single event has both the conn_state and status fields used by the lookup. Events of sourcetype "bro_conn" have the "conn_state" field, and "bro_http" and "bro_ssh" events have the "status" field. As a result, the "action" field output by both lookups will not conflict.

Let us know if you have any questions.

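To make the point above concrete, here is an added Python example (not code from the Splunk Add-on for Bro IDS or from either poster) that parses Bro's TSV logs, renames the Bro 'host' column that ADDON-1379 in the question refers to, and then applies two action lookups keyed on conn_state and status. The conn_state-to-action and status-to-action tables, the http_host rename target and the sample log lines are constructed assumptions; the TSV header layout (#separator, #path, #fields) is Bro's real format.

```python
"""Added example (not the Splunk Add-on for Bro IDS code): parses Bro TSV logs,
renames Bro's own 'host' column (ADDON-1379), then applies two 'action' lookups
keyed on conn_state (bro_conn) and status (bro_http, bro_ssh) as the answer
describes. Lookup tables and the 'http_host' name are assumptions."""
import codecs
from typing import Dict, List

# Constructed sample logs in Bro's TSV format ('-' marks an unset field).
CONN_LOG = "\n".join([
    "#separator \\x09",
    "#unset_field\t-",
    "#path\tconn",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring",
    "1431000000.123\tCabc1\t10.0.0.5\t51234\t93.184.216.34\t80\ttcp\tSF",
    "1431000001.456\tCdef2\t10.0.0.5\t51235\t93.184.216.34\t443\ttcp\tREJ",
    "#close\t2015-05-07-12-00-00",
])
HTTP_LOG = "\n".join([
    "#separator \\x09",
    "#path\thttp",
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\thost\tmethod\turi\tstatus_code",
    "1431000002.789\tCabc1\t10.0.0.5\t93.184.216.34\texample.com\tGET\t/missing\t404",
])
SSH_LOG = "\n".join([
    "#separator \\x09",
    "#path\tssh",
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\tstatus\tclient",
    "1431000003.000\tCghi3\t10.0.0.7\t10.0.0.9\tfailure\tSSH-2.0-OpenSSH_6.6",
])

# Assumed conn_state -> action table: the conn_state values are Bro's, the
# allowed/blocked assignment is illustrative, not the add-on's lookup file.
CONN_STATE_ACTION = {
    "SF": "allowed", "S1": "allowed", "RSTO": "allowed", "RSTR": "allowed",
    "S0": "blocked", "REJ": "blocked", "RSTOS0": "blocked", "OTH": "unknown",
}


def status_action(status: str) -> str:
    """Assumed status -> action lookup covering HTTP codes and SSH outcomes."""
    if status in ("success", "failure"):
        return "allowed" if status == "success" else "blocked"
    if status.isdigit():
        return "allowed" if int(status) < 400 else "blocked"
    return "unknown"


def parse_bro_log(text: str) -> List[Dict[str, str]]:
    """Turn one Bro TSV log into event dicts tagged with a bro_<path> sourcetype."""
    sep, path, fields, events = "\t", "unknown", [], []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator"):
            # The separator is written as an escape sequence after one space.
            sep = codecs.decode(line.split(" ", 1)[1], "unicode_escape")
        elif line.startswith("#"):  # #path, #fields, #types, #close, ...
            key, *vals = line.split(sep)
            if key == "#fields":
                fields = vals
            elif key == "#path":
                path = vals[0]
        else:
            event = dict(zip(fields, line.split(sep)))
            event["sourcetype"] = "bro_" + path
            events.append(event)
    return events


def normalize(event: Dict[str, str]) -> Dict[str, str]:
    """Search-time renames an add-on would perform."""
    event = dict(event)
    # ADDON-1379: Bro's 'host' (HTTP Host header) must not shadow Splunk's host.
    if "host" in event:
        event["http_host"] = event.pop("host")  # 'http_host' is an assumed name
    # Bro writes status_code; the add-on exposes it as status (per the answer).
    if "status_code" in event:
        event["status"] = event.pop("status_code")
    return event


def apply_action_lookups(event: Dict[str, str]) -> Dict[str, str]:
    """Two lookups keyed on different fields, both writing 'action'."""
    event = dict(event)
    results = []
    if event.get("conn_state", "-") != "-":
        results.append(CONN_STATE_ACTION.get(event["conn_state"], "unknown"))
    if event.get("status", "-") != "-":
        results.append(status_action(event["status"]))
    if len(results) > 1:  # only possible if one event carried both key fields
        raise ValueError("conn_state and status on one event: lookups conflict")
    if results:
        event["action"] = results[0]
    return event


def process_logs(logs: List[str]) -> List[Dict[str, str]]:
    """Parse, normalize and enrich every event from the given logs, in order."""
    return [apply_action_lookups(normalize(e)) for log in logs for e in parse_bro_log(log)]


if __name__ == "__main__":
    for e in process_logs([CONN_LOG, HTTP_LOG, SSH_LOG]):
        print(e["sourcetype"], e.get("conn_state", "-"), e.get("status", "-"), e["action"])
```

Running it prints one line per event with its sourcetype, the lookup key that was present and the resulting action. The ValueError branch is the conflict the answer says cannot happen: each Bro log type carries only one of the two key fields, so a single event never feeds both lookups, and after the host rename the HTTP Host header no longer collides with Splunk's own host field.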


jcoates_splunk
Splunk Employee

Hi Mikael, version 3.2.0 is now out with corrections to all of these issues (as Elias notes, ADDON-2206 was closed invalid).

http://docs.splunk.com/Documentation/AddOns/latest/BroIDS/Releasenotes


mikaelbje
Motivator

Thanks. 3.2.0 is looking better!


mikaelbje
Motivator

An update after about two weeks of use:

  1. Enterprise Security shows data from several of the bro_* sourcetypes
  2. SSL Activity in Enterprise Security not showing anything, even though we have bro_ssl data coming in. Should the bro_ssl sourcetype provide enough data to populate the SSL Activity dashboard? What other means do we have to get SSL sessions? Stream?