Phil Hagen
Found a situation that appears to prevent tcpflow from properly extracting streams. In some traffic, the IP Length field (`ip.len` in Wireshark/tshark) is zero. WS/ts assumes this is because of...
Upgrade to latest (v1.47) from source https://github.com/jpr5/ngrep
This can be fixed as a one-off with `sudo systemctl restart NetworkManager` but it might be better fixed in the VM by changing `/lib/systemd/system/NetworkManager.service` to reflect `Restart=always`
set `LC_TIME=C` so all (most?) shell time utilities respect formatting. Currently:

```
$ date
Mon 15 Mar 2021 03:32:01 PM UTC
```

after setting `LC_TIME=C` in `/etc/locale.conf`:

```
$ date...
```
Zeek output files in JSON format are not parsed properly. Need to detect JSON and handle it appropriately, ideally tagging it as such early in the pre-processing phase
PECmd JSON should work now - add to the mix
e.g. `/etc/issue` should reflect EWB URL for FOR509, branding around specific class, etc. likely needs a variable set for the ansible-playbook command that defaults to "public" or something like that....
clear files that have been loaded and not modded in some time: https://pypi.org/project/filebeat-scrubber/
install the LS Google pub/sub input plugin and provide instructions on getting data from GCP. "Option 2" here: https://cloud.google.com/solutions/exporting-stackdriver-logging-elasticsearch#configure_logstash Requires plugin addition: https://www.elastic.co/guide/en/logstash/7.11/plugins-inputs-google_pubsub.html Configuration files will need to include a...
The JSON output mode for `nfdump` should provide a better (faster?) and more streamlined processing pipeline than CSV. Some sample records are below. One potential optimization that would be useful...