#634: CouchDB writer
-------------------------+-----------------------------
Reporter: jeff.baumes | Type: Feature Request
Status: new | Priority: Normal
Milestone: | Component: Bro
Version: | Keywords:
-------------------------+-----------------------------
Attached is a git patch for logging information to CouchDB. It has a new
dependence on libcurl which it searches for with a find_package CMake
command, and JsonCpp (MIT license), whose code is included directly in the
source tree.
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/634>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker
#850: topic/seth/elasticsearch
---------------------------+------------------------
Reporter: seth | Owner:
Type: Merge Request | Status: new
Priority: Normal | Milestone: Bro2.1
Component: Bro | Version: git/master
Keywords: |
---------------------------+------------------------
This should be ready for merging as long as it's labelled as "in testing".
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/850>
Hi all,
Currently, SMTP entities will calculate MD5 hashes for the following
filetypes by default: application/x-dosexec, application/x-executable. I
was a little surprised that common e-mail attack vectors like zip and PDF
files don't have this hash calculated by default. I propose extending the
default to also include application/zip and application/pdf. I think this
is good default functionality, that won't cause a noticeable performance
hit.
Thoughts? Any other filetypes that would be useful to add there, while
we're at it?
--Vlad
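What the proposal above amounts to in script form, as an added example that is not code from the thread or from the Bro tree: it assumes the Bro 2.x layout of base/protocols/smtp/entities.bro, where the redef-able pattern SMTP::generate_md5 selects which attachment MIME types get an MD5 computed, and restates the shipped default alongside the two new types. The startup check uses constructed sample MIME types to show which ones the pattern would select.

```bro
# Added example, not code from the original thread or the Bro project.
# Assumption: Bro 2.x base/protocols/smtp/entities.bro, where the pattern
# SMTP::generate_md5 decides which MIME entity types get an MD5 sum.
@load base/protocols/smtp

# Restate the shipped default (x-dosexec, x-executable) and extend it with
# the two attachment types proposed on the list.
redef SMTP::generate_md5 = /application\/x-dosexec/
                         | /application\/x-executable/
                         | /application\/zip/
                         | /application\/pdf/;

# Startup sanity check over constructed sample MIME types. A string
# compared with == against a pattern must match it in full, so the
# last sample shows that a variant type is not picked up by the
# alternatives above.
event bro_init()
	{
	local samples = vector("application/x-dosexec",
	                       "application/zip",
	                       "application/pdf",
	                       "text/plain",
	                       "application/x-zip-compressed");
	for ( i in samples )
		{
		if ( samples[i] == SMTP::generate_md5 )
			print fmt("%s: MD5 would be calculated", samples[i]);
		else
			print fmt("%s: no MD5", samples[i]);
		}
	}
```

Because the match is a whole-string pattern match, mailers that label zip attachments with a variant such as application/x-zip-compressed are only covered if that variant is added as its own alternative; the check at startup is a cheap way to confirm the list before relying on it for attachment hashing.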
On Jul 20, 2012, at 12:29 PM, Robin Sommer wrote:
> I've only tested that it compiles, not whether it still works. The
> fact that we don't have any tests for this makes me uneasy ...
I'll see if I can add a couple of tests. I suppose I can use nc to open a port to make sure that I get the correct data for trace files being sent to elastic search. Definitely not the best approach, but it would be a bit more difficult to mock up with the full elastic search server.
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
On Jul 20, 2012, at 12:29 PM, Robin Sommer wrote:
> Temporarily removing tuning/logs-to-elasticsearch.bro from the
> test-all-policy.
>
> Loading it in there can lead to some tests not terminating. We need to
> fix that, it lets the coverage test fail.
I'll play with it.
.Seth
This branch has all my recent threading changes, as well as all the
pending merge requests / fastpath commits. My plan is for this to
become master asap, but it's not quite there yet:
- I need to do more testing. Tried only Fedora Linux so far (and
don't know yet if the earlier Mac problem is still there).
- scripts.base.frameworks.logging.rotate fails sporadically by
leaving out one rotation it seems.
- When I add tuning/logs-to-elasticsearch.bro to test-all-policy,
some tests hang.
Robin
--
Robin Sommer * Phone +1 (510) 722-6541 * robin(a)icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org