uid in files logs

Hi everybody,

it would be useful for us to have the conn uids in the logs from file analyzers (pe.log, x509.log,…). I know this information can be gathered by cross-cehcking different bro logs, but it will save some time to have it already in pe.log, etc. I believe this data is available in the record fa_file.conns, available in events in the file framework, so it seems not difficult to add.

Is there any reason why it is not added by default?



While I have no idea why it’s not default, I’ll share a piece of code to achieve something similar, so you can adopt it to your needs

Here we wanted to kill logging X509 certificates into both files.log and x509.log - and by doing that we saved like 20% of our SIEM intake, globally (!!). Should be easy enough to extend x509.log to include data from conn.log, etc.

@load base/frameworks/files
@load base/files/hash

module X509;

export {
redef record X509::Info += {
fuid: string &log &optional;
md5: string &log &optional;

event file_state_remove(f: fa_file) &priority=40
if ( ! f$info?$x509 )

f$info$x509$fuid = f$info$fuid;
f$info$x509$md5 = f$info$md5;

Hi Michal,

thanks, it seems to me pretty easy to implement and corresponding uids for each file are already stored in the record fa_file.conns.

I believe the only reason not to include these uids in pe.log, x5009.log, etc. is that it is already available elsewhere and in general it is better to avoid duplicates. It is one extra columns, which will take some memory/disk space, etc. Unless there would be a significant performance hit I can’t see.

For us, adding this extra column will just to make our lives a bit easier in everyday work…


Inviato: giovedì 7 novembre 2019 00:46

You could release a package. :stuck_out_tongue: