Jason Ish

Results 102 comments of Jason Ish

Yes, so this is planned, at least mentally. Right now we just use the DNS info that Suricata was able to pull off the wire, but this is often not...

Did you use the RPM? Curious cause the Docker directory is showing up in the logs. Sorry. That's probably coming from the build environment. Oops. Will look.

Actually, can you provide more information on how you installed EveBox, or how you have it configured? The error reporting is bad here, but it looks like it's failing either...

I'm not that familiar with Elasticsearch deployment options. I had thought that if you send the query to one machine in the cluster, it would sort out the optimal...

Belated thanks for the contribution. It's been on my mind for a while. While I generally like the idea of a more standardized schema, we can't take this change in...

Unfortunately, I don't think this is very feasible. The lookup of this info, when generating the inbox page for example, would kill performance - assuming we're using the DNS log records...

It's the number of events that match that (source ip, dest ip, event id). The timestamp shown is for the most recent one.

I just looked at `rulecat` with the ET/Open ruleset and it did use about 500MB. Not ideal, but it does load, parse and sort all the rules in memory. But...

There is a command line option, `--test-command` that you can then provide a command to run the test. Something like `--test-command "suricata -T"` might work if using all the defaults....

Is app stats a unified2 formatted file? Can you provide me with a sample? On Wed, May 30, 2018 at 17:08 AAyyy wrote: > when I use idstools to convert...