I've been using the Bro add-on and it's been working well, but there are a couple of serious problems that I've run into while using it:
I ended up with thousands of sourcetypes for "too-small", each prefixed with the MD5 hash of the pcap file (this seems to be a problem with the PREFIX_SOURCETYPE setting in props.conf combined with the use of the MD5 hash of the pcap file in the log filename), which overloaded the parsing engine.
This might be something that needs tuning on the pcap capture side, but at least once a day there will be a failure to read the pcap file (possibly due to the file being rolled over before processing can occur), and this completely crashes the part of the plugin that invokes Bro (pcap_monitor.py), which then requires either a full restart of Splunk or disabling/enabling the plugin to bring it back up.
I dug around in the source code for the add-on and the fixes for both seem pretty straightforward, and I was wondering what procedure, if any, there would be for me to contribute those to you (since it's Splunk-built) for inclusion in a new release of the add-on. I'm also looking into making any modifications necessary to support Bro 2.5.x (so far, it's been working well with a modification or two).
Thanks!
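The second problem above (a rolled-over or partially written pcap taking down the whole monitor) is a general robustness issue, and the pattern below shows one way to contain it. This is an added example written for this page, not code from the Bro add-on or its pcap_monitor.py; the names check_pcap, process_batch and run_bro are hypothetical stand-ins, and the sample files it builds (a valid 24-byte pcap header, a truncated copy, and a missing "rolled over" path) are constructed for the demonstration.

```python
import os
import struct
import logging

# Global pcap header: magic(4) version_major(2) version_minor(2) thiszone(4) sigfigs(4) snaplen(4) linktype(4)
PCAP_HEADER_LEN = 24
# Accepted magics when the header is read little-endian: usec/nsec variants in either byte order.
PCAP_MAGICS = {0xa1b2c3d4, 0xd4c3b2a1, 0xa1b23c4d, 0x4d3cb2a1}

log = logging.getLogger("pcap_monitor_example")


def check_pcap(path):
    """Return (ok, reason) for a pcap path. Never raises: a missing, rolled-over,
    or truncated file is reported to the caller instead of propagating up and
    killing the polling loop."""
    try:
        with open(path, "rb") as f:
            header = f.read(PCAP_HEADER_LEN)
    except FileNotFoundError:
        return False, "missing"
    except OSError as e:
        return False, "unreadable: %s" % e
    if len(header) < PCAP_HEADER_LEN:
        return False, "truncated header (%d bytes)" % len(header)
    magic = struct.unpack("<I", header[:4])[0]
    if magic not in PCAP_MAGICS:
        return False, "bad magic 0x%08x" % magic
    return True, "ok"


def process_batch(paths, run_bro):
    """Run each pcap through run_bro (a hypothetical callable standing in for the
    add-on's Bro invocation). A bad file is logged and skipped, and an exception
    from one file does not stop processing of the rest."""
    results = {}
    for path in paths:
        ok, reason = check_pcap(path)
        if not ok:
            log.warning("skipping %s: %s", path, reason)
            results[path] = reason
            continue
        try:
            run_bro(path)
            results[path] = "processed"
        except Exception as e:  # one failing file must not take the monitor down
            log.exception("bro failed on %s", path)
            results[path] = "bro error: %s" % e
    return results


def demo():
    """Constructed sample run: one valid header, one truncated file, one missing path.
    Returns results keyed by basename so the outcome can be inspected."""
    import tempfile
    good = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("good.pcap", good), ("truncated.pcap", good[:10])):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        targets = [os.path.join(d, n) for n in ("good.pcap", "truncated.pcap", "rolled.pcap")]
        results = process_batch(targets, run_bro=lambda p: None)
    return {os.path.basename(p): v for p, v in results.items()}


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for name, outcome in demo().items():
        print("%-16s %s" % (name, outcome))
```

The point is the contract of check_pcap: it returns a status rather than raising, so the caller's loop only ever sees a skipped file and a log line, which is the behaviour you want from a long-running monitor when capture rotation races with processing. On the first problem, Splunk's PREFIX_SOURCETYPE setting in props.conf controls whether a learned sourcetype such as too_small is prefixed with the source name; with per-file MD5 hashes in the filename that prefixing is what multiplies the sourcetypes, so setting it to false for that source, or assigning an explicit sourcetype on the input, is the usual check to make.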