NOTICE: Branded Content
NOTICE: Certain versions of content (“Material”) accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.
ArcSight Connectors Documentation

SmartConnector for Bro IDS NG File

 
Version history: revision 6 of 6, last updated 07-24-2018 06:17 AM
 
Comments
michaelc

This SmartConnector doesn't seem to map the "host" field from the Bro HTTP log.

This matches the documentation, which doesn't list that field in the "Bro IDS HTTP Log Mappings" section, but it seems like a pretty glaring omission.

The "uri" field is mapped to "Request URL," but that contains only the relative URI and does not include the host name.

larry.schrader

It appears the RequestUrl field is not being populated correctly. The requestProtocol, requestUrlAuthority, requestUrlHost, requestUrlPort, requestUrlFilename, and requestUrlQuery are all populated from a correctly formatted requestUrl: <protocol>://<authority>@<host>:<port>/<filename>?<query> (per ArcSight documentation).

sadingrid

I have brought this to the attention of the connector development group and this will be addressed in a future sprint.

sadingrid

This will be addressed by connector development in a future SmartConnector release; I do not currently have a solid date.

larry.schrader

Ingrid,

The new connector does a much better job on the requestUrl and is now populating the other request fields. Thanks.

However, the problem of the connector not being able to follow the folder when Bro periodically creates new ones is still present.

Larry

wsladek1

While I see the request fields are now populating with data, the Request URL field does not appear to be parsing correctly. It is duplicating some of the URL and in some cases it leaves the "-" (found in Bro's logs for blank fields). Examples:

"http://isc.sans.edu:80/reports.html?isc.sans.edu:80/reports.html"

"http://noscript.net:80/-?noscript.net:80/-"

"http://rules.emergingthreats.net:80/blockrules/compromised-ips.txt?rules.emergingthreats.net:80/blockrules/compromised-ips.txt"

Larry, are you seeing this as well?

larry.schrader

Yes, I'm seeing the same occurrences. I can empathize though having gone through the effort of creating a flex connector for Bro. Bro has done some good things by breaking out the various parts of a URL but in this case it would be better to have it complete vice parsed. As to the hyphens in the data, they are both a benefit and a nuisance. While it is good to know sometimes that there was nothing in a specific column, it raises havoc when you try to tell the flex connector a certain column is an IP address and then a "-" shows up.....

While it is always good to have accuracy in data (requestUrl in this case), I will settle for all the necessary data being present vice exactly correct.

With the new connector version, I am more concerned with not being able to have the connector continue to follow the Bro log folder after it rotates the logs. I am currently having to re-start the connector on an hourly basis (the same interval Bro creates new log files) in order for the connector to continue finding the log files. I don't understand why this is an issue since the Multi-Folder Flex connector I created followed the folders fine. So the mechanism to do this must exist in the connector bag of goodies. I just need to know the magic configuration to make it work.
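The two defects discussed in this thread, the requestUrl that is assembled from Bro's separate host and uri columns (with the query part ending up as a copy of host:port/path), and the "-" placeholder that Bro writes for empty fields and that breaks typed columns, can both be handled in a few lines. The following is an added example, not the SmartConnector's code and not part of Bro: it parses a constructed, tab-separated subset of Bro's http.log (real logs have more columns), maps "-" to None before any typed conversion, rebuilds a complete requestUrl, splits it into the requestUrl* fields named above, and flags the duplicated shape from wsladek1's samples. The assumption that every http.log row is plain "http" is mine; the field names are ArcSight's as quoted in the thread.

```python
"""Bro http.log -> ArcSight requestUrl: rebuild, split, and sanity-check.

Added example; not the SmartConnector's code and not part of Bro.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in Bro's tab-separated ASCII log format, using only a
# subset of the real http.log columns. "-" is Bro's marker for an empty field.
SAMPLE_HTTP_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\tmethod\thost\turi\n"
    "#types\ttime\taddr\taddr\tport\tstring\tstring\tstring\n"
    "1455000000.000000\t10.0.0.5\t192.0.2.10\t80\tGET\tisc.sans.edu\t/reports.html\n"
    "1455000001.000000\t10.0.0.5\t192.0.2.11\t80\tGET\tnoscript.net\t-\n"
    "1455000002.000000\t10.0.0.5\t192.0.2.12\t8080\tGET\trules.emergingthreats.net"
    "\t/blockrules/compromised-ips.txt?x=1\n"
    "1455000003.000000\t10.0.0.5\t-\t443\t-\t-\t-\n"
)


def parse_bro_log(text):
    """Yield one dict per data row, keyed by the #fields header.

    Bro's "-" placeholder is mapped to None so that typed columns (an addr
    column, for instance) are never handed a literal hyphen.
    """
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        yield {name: (None if v == "-" else v) for name, v in zip(fields, values)}


def as_ip(value):
    """Typed conversion for an addr column; None (from "-") stays None."""
    return None if value is None else ipaddress.ip_address(value)


def build_request_url(row):
    """Assemble a complete requestUrl from host, id.resp_p and uri.

    Bro splits the URL into host and uri; ArcSight wants it whole as
    <protocol>://<host>:<port>/<filename>?<query>. Assumption: http.log rows
    are plain HTTP, so the scheme is always "http". Returns None when the row
    has no Host header instead of emitting "http://-/".
    """
    host = row.get("host")
    if host is None:
        return None
    port = row.get("id.resp_p")
    uri = row.get("uri") or "/"
    if not uri.startswith("/"):
        uri = "/" + uri
    # If the Host header already carried a port, keep it rather than appending
    # id.resp_p a second time (IPv6 literals are not handled here).
    netloc = host if port is None or ":" in host else f"{host}:{port}"
    return f"http://{netloc}{uri}"


def split_request_url(url):
    """Break a requestUrl into the requestUrl* fields named in the thread."""
    parts = urlsplit(url)
    return {
        "requestProtocol": parts.scheme,
        "requestUrlHost": parts.hostname,
        "requestUrlPort": parts.port,
        "requestUrlFilename": parts.path,
        "requestUrlQuery": parts.query or None,
    }


def looks_duplicated(url):
    """True for the 'http://h:80/p?h:80/p' shape in wsladek1's samples:
    the query string is a verbatim copy of host:port/path."""
    parts = urlsplit(url)
    return bool(parts.query) and parts.query == f"{parts.netloc}{parts.path}"


def process(text):
    """Return [(request_url, components)] for every row that has a host."""
    results = []
    for row in parse_bro_log(text):
        as_ip(row.get("id.resp_h"))  # would raise if "-" had survived parsing
        url = build_request_url(row)
        if url is not None:
            results.append((url, split_request_url(url)))
    return results


if __name__ == "__main__":
    for url, parts in process(SAMPLE_HTTP_LOG):
        print(url, parts, "DUPLICATED" if looks_duplicated(url) else "ok")
```

Run against the three URLs quoted above, `looks_duplicated` returns True for each; a row whose uri is "-" yields "http://noscript.net:80/" rather than "/-", and a row whose id.resp_h is "-" converts to None instead of failing the address parse.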

mark.ulmer@hpe.1

Documentation update request:

pg. 7 - List of Selected Log Types has 2 misspellings. Please update:

  • 'tinnel' should be 'tunnel'
  • 'w.' should be 'weird.'
sadingrid

Thanks for your comment. We've made the corrections and you'll see them in the guide with our Q1R2 release at the end of March.

Internetkid

Are there any new updates on this connector?

sadingrid

As of the February 2016 release, Bro IDS Host Name has been added as an installation parameter and no longer has to be configured separately.