As announced at BroCon, Reservoir Labs will be releasing a few Bro
scripts to the community that we hope you will enjoy!
The first script was released a few minutes ago. It implements the
Producer Consumer Ratio described by Carter Bullard and John Gerth at
This script is located in the following Git repo:
If you have any questions or comments, feel free to reach out.
Testing this in dev now... I'll have to tweak my Logstash for the new column, but it looks pretty tasty... thank you.
[12:31:45 analysis:~/current$] head pcr.log
#fields ts src pcr summary_interval
#types time addr double interval
1408732163.900788 192.168.1.253 1.0 60.000000
1408732223.903164 192.168.1.6 -1.0 60.000000
[12:32:11 analysis:~/current$] head conn.log
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents pcr
#types time string addr port addr port enum string interval count count string bool count string count count count count set[string] double
1408732115.010821 CWQXXpe4ylnesmVAi x.x.x.x.x 5353 ff02::fb 5353 udp dns 3.003461 129 0 S0 F 0 D 3 273 0 0 (empty)
Awesome! Thanks for releasing this, Bob.