ELSA Google Group

Just a quick note for those of you using or interested in ELSA, I
created a Google Group for it at
https://groups.google.com/group/enterprise-log-search-and-archive .
Still feel free to email me directly for help, but I created the group
so that the questions and answers might be visible to others searching
on Google for help.

Thanks,

Martin

I set up Bro (version 2.0-beta-47) and have a couple of questions
regarding the etc/networks.cfg file:

(1) When defining more than 24 local networks in etc/networks.cfg, the
trace-summary script throws the following error message and does not
email the regular connections stats summary:

Traceback (most recent call last):
  File "/usr/local/bro/bin/trace-summary", line 816, in <module>
    LocalNetsIntervals[net] = i
  File "/usr/local/bro/lib/broctl/SubnetTree.py", line 86, in __setitem__
    def __setitem__(self, *args): return _SubnetTree.SubnetTree___setitem__(self, *args)
IndexError: cannot insert network
Command exited with non-zero status 1
0:00.04 real, 0.05 user, 0.00 sys, 0K total memory

I tested with different numbers of local network declarations (all /24),
and 24 seems to be the limit. When defining 25 or more nets, I get the
error message above. I have been looking at trace-summary and
SubnetTree.py but have not yet found the cause of the problem.

(2) Can you 'aggregate' local networks on the etc/networks.cfg file so
the stats for several defined networks can be reported by trace-summary
as just one network? For example, say I declare the local networks in
networks.cfg as:
1.1.1.0/24 Network A
1.1.2.0/24 Network B
1.1.3.0/24 Network C

Then I want trace-summary to give the aggregated stats for both Networks
A and C in a single table. Is that feasible? I tried using the same tag
for different networks, but it did not work.

I wonder if anybody has run into either of these two issues.
Thanks,

Gaspar

> IndexError: cannot insert network
> Command exited with non-zero status 1

That is odd, no immediate idea why that would happen. Can you file a
bug report with the tracker please, ideally with a networks.cfg
attached that triggers the error along with the trace-summary command
line. Thanks.

> (2) Can you 'aggregate' local networks on the etc/networks.cfg file so
> the stats for several defined networks can be reported by trace-summary
> as just one network?

No, that's not supported currently. The aggregation is done by prefix,
not tag.

(I suppose you can't find a larger network mask that covers what you'd
like to aggregate?)

Robin
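Robin's suggestion of a larger network mask has a catch worth checking before editing networks.cfg: a single prefix that covers two non-adjacent /24s also covers whatever lies between them. The script below is an added example, not part of the thread and not code from Bro or trace-summary; it parses a constructed networks.cfg-style snippet with the same three entries used above, computes the smallest prefix covering a chosen set of tags, and reports which other declared networks (and how much undeclared address space) that prefix would pull into the merged row. Function and variable names are my own.

```python
import ipaddress

# Constructed sample in the etc/networks.cfg style used in the thread
# (one "prefix tag" line per local network); not a real site's config.
NETWORKS_CFG = """\
1.1.1.0/24 Network A
1.1.2.0/24 Network B
1.1.3.0/24 Network C
"""


def parse_networks_cfg(text):
    """Return [(ip_network, tag), ...] from networks.cfg-style text.

    Blank lines and '#' comments are skipped; the tag is everything after
    the first whitespace, so tags with spaces ("Network A") survive.
    """
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        prefix, _, tag = line.partition(" ")
        nets.append((ipaddress.ip_network(prefix, strict=False), tag.strip()))
    return nets


def covering_supernet(networks):
    """Smallest single prefix that contains every network in the list.

    Widens the first network one bit at a time until all fit. Mixing IPv4
    and IPv6 entries raises TypeError from subnet_of(), which is intended.
    """
    cover = networks[0]
    while not all(n.subnet_of(cover) for n in networks):
        cover = cover.supernet()
    return cover


def aggregation_check(nets, wanted_tags):
    """Can the networks tagged `wanted_tags` be reported as one prefix?

    Returns (cover, leaks, unclaimed):
      cover     - the smallest prefix covering all wanted networks
      leaks     - declared networks with other tags that fall inside cover
      unclaimed - addresses inside cover that no networks.cfg entry declares
    A prefix-based aggregation is only faithful when leaks is empty and
    unclaimed is 0; otherwise the merged row would also count traffic for
    the leaked networks, and trace-summary would treat the unclaimed
    space as local too.
    """
    wanted = [n for n, t in nets if t in wanted_tags]
    if not wanted:
        raise ValueError("no networks carry the requested tags")
    cover = covering_supernet(wanted)
    inside = [(n, t) for n, t in nets if n.subnet_of(cover)]
    leaks = [(n, t) for n, t in inside if t not in wanted_tags]
    unclaimed = cover.num_addresses - sum(n.num_addresses for n, _ in inside)
    return cover, leaks, unclaimed


if __name__ == "__main__":
    nets = parse_networks_cfg(NETWORKS_CFG)
    for tags in ({"Network A", "Network C"}, {"Network B", "Network C"}):
        cover, leaks, unclaimed = aggregation_check(nets, tags)
        print(sorted(tags), "->", cover,
              "leaks:", [(str(n), t) for n, t in leaks],
              "unclaimed addresses:", unclaimed)
```

For the thread's own case, Networks A and C can only be covered by 1.1.0.0/22, which drags in Network B and an undeclared 1.1.0.0/24, so no mask gives Gaspar the A+C table he wants; adjacent pairs such as B and C collapse cleanly into 1.1.2.0/23.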