98% of all entries in our files.log are null values. Is this to be expected?
What analyzers are the files coming from?
.Seth
According to splunk/files.log, these list “pe_xor, md5, sha1,sha256” in the analyzer section. Its actually a lot more than that, and slight variations. Generally speaking, almost every entry is a variant of that 4 analyzers. Could this be an issue with the pe_xor module? Moreover, files that we have filenames for (f.txt from google for instance) have the same analyzers running as well.
As an aside, even after disabling pe_xor (out of curiosity), we are still not seeing the filenames. Out of 74,000 file.log entries, only 620 have filenames. Of those, 99.52% of them are f.txt filenames (from google)…
Sorry, last post. Found http://mailman.icsi.berkeley.edu/pipermail/bro/2014-April/006893.html. This is inline with what I was discovering from my files.log. I will see if I can expand the framework to do correlation to get this info.
Ohh... I see now. You didn't specify that it was the filename field that was null. Unfortunately I think that the current behavior is best as the default behavior. I suspect that at some point we'll see a package show up in the Bro package manager which adds some heuristically driven filenames (i.e. pulling "filenames" from URLs).
.Seth