Re: [DISCUSS] Pcap UI user requirements

2018-05-09 Thread zeo...@gmail.com
Regarding the prioritization, that is what I was thinking as well, I just wasn't as prescriptive with my suggestion. I did look for a Java implementation and failed to find one (the closest I found was the Apache-licensed bcc project). Perhaps someone else's

Re: [DISCUSS] Pcap UI user requirements

2018-05-09 Thread Casey Stella
A couple of thoughts on cluster overuse: * Definitely can't pause/resume MR jobs, unfortunately * The traditional approach to managing overuse of cluster resources and prioritization in Yarn is via the scheduler. I'd suggest rather than building this ourselves, we allow users to be associated

Re: [DISCUSS] Pcap UI user requirements

2018-05-09 Thread zeo...@gmail.com
I had a feeling it may be that way. Unless anyone else knows of a better approach, it's probably most reasonable to push that into a follow-on JIRA and not over-complicate the current activities. Jon On Wed, May 9, 2018 at 2:33 PM Michael Miklavcic < michael.miklav...@gmail.com> wrote: > We

Re: [DISCUSS] Pcap UI user requirements

2018-05-09 Thread Michael Miklavcic
We are limited by Yarn and MapReduce applications in the case of pause/resume - I could be wrong, but I don't think that's something that's supported unless you're talking about multiple MR jobs strung together.

Re: [DISCUSS] Pcap UI user requirements

2018-05-07 Thread zeo...@gmail.com
From my perspective PCAP is primarily used as a follow-on to an alert or meta-alert - people very rarely use PCAP for initial hunting. I know this has been brought up by Otto, Mike, and Ryan across the two related threads and I think it's all spot on. Going from an alert or meta-alert to

Re: [DISCUSS] Pcap UI user requirements

2018-05-04 Thread Otto Fowler
That is the ‘views’ part. We can have options on the data output, if you have output full data, then we can have different views and interactions for inspection and level of detail. On May 4, 2018 at 09:37:13, Michel Sumbul (michelsum...@gmail.com) wrote: It can be like a report but also to

Re: [DISCUSS] Pcap UI user requirements

2018-05-04 Thread Michel Sumbul
It can be like a report but also to investigate some case where the user wants to see the whole packet (all the bits and bytes). Like in Wireshark, something interactive, no? 2018-05-04 14:33 GMT+01:00 Otto Fowler : > The PCAP Query seems more like PCAP Report to me. You

Re: [DISCUSS] Pcap UI user requirements

2018-05-04 Thread Otto Fowler
The PCAP Query seems more like PCAP Report to me. You are generating a report based on parameters. That report is something that takes some time and external process to generate… i.e. you have to wait for it. I can almost imagine a flow where you: * Are in the AlertUI * Ask to generate a PCAP

Re: [DISCUSS] Pcap UI user requirements

2018-05-04 Thread Michel Sumbul
What about the possibility for the user to specify on which folder/file the job should run, in order to reduce the amount of data to process? 2018-05-04 14:19 GMT+01:00 Ryan Merriman : > Continuing a discussion that started in a discuss thread about exposing > Pcap query

[DISCUSS] Pcap UI user requirements

2018-05-04 Thread Ryan Merriman
Continuing a discussion that started in a discuss thread about exposing Pcap query capabilities in the back end. How should we expose this feature to users? Should it be integrated into the Alerts UI or be separate standalone UI? To summarize the general points made in the other thread: -