
Windows Network Activity in the query library doesn't work

Open · mccanne opened this issue 1 year ago · 1 comment

From Puneet Khandelwal on Brim slack:

Also, I wanted to point out that in the Brim UI, the query for 'Windows Network Activity', which is `_path matches smb* OR _path=="dce_rpc"`, does not provide proper results. The wildcard part does not work. I have a pcap which has smb logs as well, but this query only shows dce_rpc logs. Can someone provide a response on this as well? Thank you!

The problem here is that we changed the Zed language without updating the default query library. The "matches" keyword no longer exists; it has been deprecated in favor of "grep". The above query should be

grep(smb*,_path) OR _path=="dce_rpc"

We should take a look at other default queries and make sure they are up to date, and add tests for them.

To Reproduce

Run Brim with a Zeek SSL log and click on the Windows Network Activity query.

mccanne avatar Jul 12 '22 14:07 mccanne
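The regression test this issue asks for, as an added illustration that is not code from Brim, Zed or Brimcap: it models the intended semantics of the corrected query (`grep(smb*,_path) OR _path=="dce_rpc"`) in Python, treating `smb*` as a glob via `fnmatch` (an assumption about how Zed's `grep` matches a glob against a string), runs it over a handful of constructed Zeek JSON records, and checks that each library entry returns the expected set of `_path` values. The `QUERY_LIBRARY` dictionary and `check_query_library` helper are hypothetical names for the example, and the records are constructed for it.

```python
"""Regression check for a Brim-style query-library entry.

Added illustration for this issue; not code from Brim, Zed, or Brimcap.
It models the intended semantics of the corrected "Windows Network Activity"
query (grep(smb*,_path) OR _path=="dce_rpc") over Zeek JSON log records, using
fnmatch for the glob (assumed to match Zed's glob behaviour), and shows the
per-query test the thread proposes. All sample records are constructed.
"""
import fnmatch
import json

# Constructed Zeek JSON records, one per line, the way Brim ingests Zeek output.
# The SMB/DCE-RPC lines mimic a service-control call over SMB; only _path
# matters for the query under test.
SAMPLE_ZEEK_JSON = "\n".join(json.dumps(r) for r in [
    {"_path": "conn", "uid": "C1", "id.resp_p": 445, "proto": "tcp"},
    {"_path": "smb_mapping", "uid": "C1", "path": "\\\\fs01\\IPC$"},
    {"_path": "smb_files", "uid": "C1", "action": "SMB::FILE_OPEN", "name": "svcctl"},
    {"_path": "dce_rpc", "uid": "C1", "endpoint": "svcctl", "operation": "CreateServiceW"},
    {"_path": "ssl", "uid": "C2", "server_name": "example.com"},
    {"_path": "dns", "uid": "C3", "query": "fs01.corp.local"},
])


def parse_zeek_json(text):
    """Parse newline-delimited Zeek JSON into a list of dict records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def windows_network_activity(rec):
    """Python model of: grep(smb*,_path) OR _path=="dce_rpc".

    fnmatchcase is used for the glob so "smb*" matches smb_mapping, smb_files,
    etc., but not a record whose _path merely contains "smb" elsewhere.
    """
    path = rec.get("_path", "")
    return fnmatch.fnmatchcase(path, "smb*") or path == "dce_rpc"


# Hypothetical query library: name -> (predicate, expected _path values on the sample).
QUERY_LIBRARY = {
    "Windows Network Activity": (
        windows_network_activity,
        {"smb_mapping", "smb_files", "dce_rpc"},
    ),
}


def run_query(pred, records):
    """Apply one query predicate to every record and return the matches."""
    return [r for r in records if pred(r)]


def check_query_library(library=QUERY_LIBRARY, text=SAMPLE_ZEEK_JSON):
    """Return {query name: bool} telling whether each query produced exactly
    the expected set of _path values on the sample log."""
    records = parse_zeek_json(text)
    results = {}
    for name, (pred, expected) in library.items():
        got = {r["_path"] for r in run_query(pred, records)}
        results[name] = got == expected
    return results


if __name__ == "__main__":
    for name, ok in check_query_library().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

A query whose wildcard clause silently matches nothing, as the broken `matches` version did, would return only `{"dce_rpc"}` here and fail the equality check, which is exactly the failure mode the reporter hit.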

I've made a note in #2233 to make sure we remember to fix this and add tests for all the queries at the same time we're moving the lib to Brimcap.

philrz avatar Jul 13 '22 19:07 philrz

This was verified as part of verifying #2233. See https://github.com/brimdata/brim/issues/2233#issuecomment-1230841445.

Thanks @mason-fish!

philrz avatar Aug 29 '22 20:08 philrz