[GitHub] metron issue #531: METRON-854 create dhcp dump parser

2017-08-10 Thread basvdl
Github user basvdl commented on the issue:

https://github.com/apache/metron/pull/531
  
@simonellistonball after some testing we concluded that Bro is not giving 
the output we want (source: https://bro-tracker.atlassian.net/browse/BIT-1630). 
The output doesn't contain hostnames, so the relation IP / Hostname can't be 
made. I still agree that modifying the source, DHCPDump, is not the preferred way 
to go. Can you assist in how to ship and parse multi-line log events, so I can 
adjust the parser accordingly without messing with the source?

Thanks


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---


2017-05-16 Thread simonellistonball
Github user simonellistonball commented on the issue:

https://github.com/apache/metron/pull/531
  
I'd love to see your bro PR expand for this @JonZeolla DHCP is a pretty key 
source, and Bro is a great way to extract it from taps. Let me know if there is 
anything I can do to help.




2017-05-16 Thread JonZeolla
Github user JonZeolla commented on the issue:

https://github.com/apache/metron/pull/531
  
Is there enough interest for me to pursue support of this in #586?  I could 
probably throw that together today.




2017-05-16 Thread basvdl
Github user basvdl commented on the issue:

https://github.com/apache/metron/pull/531
  
@nickwallen sometimes we are not able to grep DNS events from the customer 
server. In these cases we use DHCPDump.

I have to admit, Bro is new to me, but it looks promising. If this can 
fulfill our requirement, it would be a good replacement since it can also grep 
other protocols as well.

@JonZeolla lookups are also not always an option for us.




2017-05-16 Thread ctramnitz
Github user ctramnitz commented on the issue:

https://github.com/apache/metron/pull/531
  
dhcp also carries a client-id that is often (but not always and not 
reliably) the hostname. While not reliable, this is interesting information, 
especially since you don't have to perform (expensive) DNS lookups, but can 
consume what's on the wire or what a dhcp server reports.




2017-05-16 Thread JonZeolla
Github user JonZeolla commented on the issue:

https://github.com/apache/metron/pull/531
  
With bro there's also an option to [do a 
lookup](https://github.com/bro/bro/blob/master/src/bro.bif#L3431-L3458) and 
[add 
it](https://www.bro.org/sphinx-git/frameworks/logging.html#add-fields-to-a-log) 
into the DHCP log, although we shouldn't expect that will exist by default.  
That would also require a DNS lookup for each DHCP handshake.




2017-05-16 Thread nickwallen
Github user nickwallen commented on the issue:

https://github.com/apache/metron/pull/531
  
> If I'm correctly informed by the docs, bro will give you the IP and MAC 
relation, which differs from DHCPDump which captures IP and Hostname relations. 
Giving context to an IP by adding the Hostname looks more promising...

I am a little confused by what you are looking for though.  But maybe I am 
just misunderstanding and need more coffee.

The purpose of DHCP is to hand out an IP that typically gets associated 
with a MAC address.  That's the pairing I would be interested in from DHCP.  
[Bro can help with 
this.](https://www.bro.org/sphinx/scripts/base/protocols/dhcp/main.bro.html)

If you are looking for IP to hostname, then I would think you would be 
interested in DNS.  [Bro can also help with 
this.](https://www.bro.org/sphinx/scripts/base/protocols/dns/main.bro.html)


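The pairing the two posts above are after (IP and MAC from the DHCP exchange, plus the option 12 host name and option 61 client-id that ctramnitz notes is often, but not reliably, the hostname) can be pulled straight off the wire without a DNS lookup. This is an added example, not code from the PR, from Metron or from Bro; the DHCPACK it parses is constructed inline, and the field layout follows RFC 2131 (fixed header, magic cookie at offset 236, then TLV options).

```python
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_HOSTNAME, OPT_MESSAGE_TYPE, OPT_CLIENT_ID = 12, 53, 61
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def parse_options(data: bytes) -> dict:
    """Walk the DHCP option TLVs; stop on END (255) or on a truncated option."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 0:            # PAD: single byte, no length
            i += 1
            continue
        if code == 255 or i + 1 >= len(data):
            break
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) < length:  # declared length runs past the packet: don't over-read
            break
        opts[code] = value
        i += 2 + length
    return opts


def parse_dhcp(pkt: bytes) -> dict:
    """Return the IP/MAC/hostname/client-id record a DHCP log line would carry."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    hlen = min(pkt[2], 16)                         # hardware address length, capped by chaddr size
    yiaddr = ".".join(str(b) for b in pkt[16:20])  # "your" address: the lease being offered/acked
    mac = ":".join(f"{b:02x}" for b in pkt[28:28 + hlen])
    opts = parse_options(pkt[240:])
    hostname = opts.get(OPT_HOSTNAME, b"").decode("ascii", "replace") or None
    cid = opts.get(OPT_CLIENT_ID)
    # type 1 client-id is a hardware address; any other type is opaque, so keep it as hex
    client_id = None
    if cid:
        client_id = ":".join(f"{b:02x}" for b in cid[1:]) if cid[0] == 1 else cid.hex()
    mt = opts.get(OPT_MESSAGE_TYPE)
    mtype = mt[0] if mt else 0
    return {"type": MSG_TYPES.get(mtype, str(mtype)), "ip": yiaddr,
            "mac": mac, "hostname": hostname, "client_id": client_id}


def build_sample_ack() -> bytes:
    """Constructed DHCPACK (sample data, not a capture): lease 10.0.0.42 to aa:bb:cc:dd:ee:ff."""
    mac = bytes.fromhex("aabbccddeeff")
    hdr = bytes([2, 1, 6, 0]) + b"\x12\x34\x56\x78" + b"\x00" * 4   # op, htype, hlen, hops, xid, secs, flags
    hdr += b"\x00" * 4 + bytes([10, 0, 0, 42]) + b"\x00" * 8          # ciaddr, yiaddr, siaddr, giaddr
    hdr += mac + b"\x00" * 10 + b"\x00" * 192                          # chaddr (16), sname (64), file (128)
    opts = bytes([53, 1, 5]) + bytes([12, 9]) + b"laptop-01" + bytes([61, 7, 1]) + mac + b"\xff"
    return hdr + MAGIC_COOKIE + opts
```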


2017-05-16 Thread nickwallen
Github user nickwallen commented on the issue:

https://github.com/apache/metron/pull/531
  
> So I would still like to discuss the opportunities of getting the 
original DHCPDump log format into Metron via NiFi.

Sure, I think that sounds like another reasonable approach.




2017-05-16 Thread basvdl
Github user basvdl commented on the issue:

https://github.com/apache/metron/pull/531
  
@nickwallen I agree that relying on a modified source is not ideal. However 
with bro I'm not sure if you have all the functionality people wish for.

If I'm correctly informed by the docs, bro will give you the IP and MAC 
relation, which differs from DHCPDump which captures IP and Hostname relations. 
Giving context to an IP by adding the Hostname looks more promising...

So I would still like to discuss the opportunities of getting the original 
DHCPDump log format into Metron via NiFi.




2017-05-13 Thread nickwallen
Github user nickwallen commented on the issue:

https://github.com/apache/metron/pull/531
  
I am a -1 on merging this PR.  It relies on a forked version of the 
original sensor which limits its general usefulness.  I have concerns about 
maintaining and supporting that fork long-term.  

I think there are other more attractive ways to go about this.  I would 
prefer to support both (1) parsing of server-side DHCP logs or (2) using Bro to 
sniff out the DHCP records.   I believe this agrees with the point that 
@JonZeolla was making earlier in this thread.  

I could be convinced otherwise if others would like to offer counterpoints 
to the issues I have described.

I do hope to see many more contributions from @basvdl .  I think PRs, even 
ones that don't make master, are useful for the community to help define the 
direction of Metron.  I have had my own contributions not make the cut before.




2017-05-13 Thread ottobackwards
Github user ottobackwards commented on the issue:

https://github.com/apache/metron/pull/531
  
@JonZeolla does this relate to your latest PR (#586)?  What is the status 
of this PR?

