Reviewing old logs with new scripts?

nortonperry · July 8, 2015, 11:54am

Hey all,
Apologies if this is not the place to ask this but I’ve got intel feeds working (criticalstack) for the past few days and was wondering if it is possible to interrogate existing logs with the new intel using bro-cut ( I have months worth where there was a clear breach due to network misconfiguration?
I guess it is possible, but would require more a shell based diff or something? I know you can replay packet dumps but it would appear not logs?

Also, haven’t seen this mentioned anywhere - with bro-cut what globbing / regular expression options are there? eg![].

Thanx Pel

Daniel_Thayer · July 8, 2015, 6:13pm

You can see a list of all bro-cut options by running
bro-cut -h

It should work with all ASCII Bro logs that contain the header lines
(lines starting with "#"). If your old logs are compressed then
you will need to do something like this:
zcat conn.log.gz | bro-cut

Topic		Replies	Views
Intel Framework Not Generating Intel Log Zeek	4	133	May 6, 2022
question: "intel.log" not generated Zeek	6	110	May 6, 2022
Bro's software log Zeek	8	56	May 6, 2022
"bro-cut -d \| grep" vs. "grep \| bro-cut -d" Zeek	3	49	May 6, 2022
False positive Zeek	1	47	May 6, 2022

Reviewing old logs with new scripts?

Related Topics