ELSA Google Group

Martin_Holste · December 1, 2011, 4:22am

Just a quick note for those of you using or interested in ELSA, I
created a Google Group for it at
https://groups.google.com/group/enterprise-log-search-and-archive .
Still feel free to email me directly for help, but I created the group
so that the questions and answers might be visible to others searching
on Google for help.

Thanks,

Martin

Gaspar_Modelo-Howard · December 4, 2011, 7:49pm

Set up Bro (version 2.0-beta-47) and have a couple of questions
regarding the etc/networks.cfg file:

(1) When defining more than 24 local networks in etc/networks.cfg, the
trace-summary script throws the following error message and does not
email the regular connections stats summary:

Traceback (most recent call last):
  File "/usr/local/bro/bin/trace-summary", line 816, in <module>
    LocalNetsIntervals[net] = i
  File "/usr/local/bro/lib/broctl/SubnetTree.py", line 86, in
__setitem__
    def __setitem__(self, *args): return
_SubnetTree.SubnetTree___setitem__(self, *args)
IndexError: cannot insert network
Command exited with non-zero status 1
0:00.04 real, 0.05 user, 0.00 sys, 0K total memory

I tested for different number of local network declarations (all /24)
and 24 seems to reach a limit. When defining 25 or more nets, get the
error message from above. Have been looking at trace-summary and
subnetTree.py but have not yet detected the cause of the problem.

(2) Can you 'aggregate' local networks on the etc/networks.cfg file so
the stats for several defined networks can be reported by trace-summary
as just one network? For example, say I declare the local networks in
networks.cfg as:
1.1.1.0/24 Network A
1.1.2.0/24 Network B
1.1.3.0/24 Network C

Then I want trace-summary to give the aggregated stats for both Networks
A and C, in a single table. Feasible? Tried using same tags for
different networks but did not work.

Wonder if anybody has run into any of these two issues.
Thanks,

Gaspar

robin · December 5, 2011, 5:14pm

IndexError: cannot insert network
Command exited with non-zero status 1

That is odd, no immediate idea why that would happen. Can you file a
bug report with the tracker please, ideally with a networks.cfg
attached that triggers the error along with the trace-summary command
line. Thanks.

(2) Can you 'aggregate' local networks on the etc/networks.cfg file so
the stats for several defined networks can be reported by trace-summary
as just one network?

No, that's not supported currently. The aggregation is done by prefix,
not tag.

(I suppose you can't find a larger network mask that covers what you'd
like to aggregate?)

Robin

Topic		Replies	Views
Errors in Connection summary Zeek	3	101	May 6, 2022
script working from cmd line but not from local.bro Zeek	6	93	May 6, 2022
Frontend Zeek	8	165	May 6, 2022
On Bro's configuration file Zeek	1	147	May 6, 2022
Enterprise Log Search and Archive (ELSA) Beta Available Zeek	2	106	May 6, 2022

ELSA Google Group

Related topics