Posted to issues@metron.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2017/08/10 08:49:00 UTC

[jira] [Commented] (METRON-854) Create DHCPDump Parser

    [ https://issues.apache.org/jira/browse/METRON-854?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16121278#comment-16121278 ] 

ASF GitHub Bot commented on METRON-854:
---------------------------------------

Github user basvdl commented on the issue:

    https://github.com/apache/metron/pull/531
  
    @simonellistonball after some testing we concluded that Bro is not giving the output we want (source: https://bro-tracker.atlassian.net/browse/BIT-1630). The output doesn't contain hostnames, so the relation IP / Hostname can't be made. I still agree that modifying the source, DHCPDump, is not the preferred way to go. Can you assist with how to ship and parse multi-line log events, so I can adjust the parser accordingly without messing with the source?
    
    Thanks


> Create DHCPDump Parser
> ----------------------
>
>                 Key: METRON-854
>                 URL: https://issues.apache.org/jira/browse/METRON-854
>             Project: Metron
>          Issue Type: New Feature
>            Reporter: Bas van de Lustgraaf
>            Priority: Minor
>              Labels: parser
>
> Create a DHCPDump parser. This information can be used during enrichment to link ip-addresses to hostnames.
> {noformat}
> TIME: 2017-01-16 16:54:21.655|INTERFACE: eth2|OP:1 BOOTPREQUEST|CIADDR: 172.20.75.77|YIADDR: 0.0.0.0|SIADDR: 0.0.0.0|GIADDR: 172.20.75.8|CHADDR: fc:f8:ae:e8:ef:db:00:00:00:00:00:00:00:00:00:00|OPTION:  53   1 DHCP message type: 8 |DHCPINFORM|OPTION:  61   7 Client-identifier: 01:fc:f8:ae:e8:ef:db|OPTION:  12   5 Host name: Q1244|OPTION:  60   8 Vendor class identifier: MSFT 5.0|OPTION:  55  13 Parameter Request List:   1 (Subnet mask)|| 15 (Domainname)||  3 (Routers)||  6 (DNS server)|| 44 (NetBIOS name server)|| 46 (NetBIOS node type)|| 47 (NetBIOS scope)|| 31 (Perform router discovery)|| 33 (Static route)||121 (Classless Static Route)||249 (MSFT - Classless route)|| 43 (Vendor specific info)||252 (MSFT - WinSock Proxy Auto Detect)|||IP: 10.10.10.177 > 172.20.1.11 | b8:ca:3a:67:95:8a > 0:50:56:84:68:43
> TIME: 2017-01-16 17:13:14.548|INTERFACE: eth2|OP:1 BOOTPREQUEST|CIADDR: 172.20.75.77|YIADDR: 0.0.0.0|SIADDR: 0.0.0.0|GIADDR: 172.20.75.8|CHADDR: fc:f8:ae:e8:ef:db:00:00:00:00:00:00:00:00:00:00|OPTION:  53   1 DHCP message type: 8 |DHCPINFORM|OPTION:  61   7 Client-identifier: 01:fc:f8:ae:e8:ef:db|OPTION:  12   5 Host name: Q1244|OPTION:  60   8 Vendor class identifier: MSFT 5.0|OPTION:  55  13 Parameter Request List:   1 (Subnet mask)|| 15 (Domainname)||  3 (Routers)||  6 (DNS server)|| 44 (NetBIOS name server)|| 46 (NetBIOS node type)|| 47 (NetBIOS scope)|| 31 (Perform router discovery)|| 33 (Static route)||121 (Classless Static Route)||249 (MSFT - Classless route)|| 43 (Vendor specific info)||252 (MSFT - WinSock Proxy Auto Detect)|||IP: 10.10.10.177 > 172.20.1.10 | b8:ca:3a:67:95:8a > 0:50:56:b9:28:ac
> {noformat}
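A parser for the single-line DHCPDump layout quoted in the issue description, as an added example that is not part of the Metron PR or the project's code. The sample line is constructed from the quoted format (shortened option 55 list), and the output field names (ip_src, client_mac, hostname, message_type) are my own choice; the point is that the line cannot be split naively on "|" because option lists use "||" and the trailing capture header is introduced by "|||IP: ".

```python
import re
from typing import Any, Dict

# Constructed sample in the single-line DHCPDump layout quoted in the issue.
SAMPLE = (
    "TIME: 2017-01-16 16:54:21.655|INTERFACE: eth2|OP:1 BOOTPREQUEST"
    "|CIADDR: 172.20.75.77|YIADDR: 0.0.0.0|SIADDR: 0.0.0.0|GIADDR: 172.20.75.8"
    "|CHADDR: fc:f8:ae:e8:ef:db:00:00:00:00:00:00:00:00:00:00"
    "|OPTION:  53   1 DHCP message type: 8 |DHCPINFORM"
    "|OPTION:  61   7 Client-identifier: 01:fc:f8:ae:e8:ef:db"
    "|OPTION:  12   5 Host name: Q1244|OPTION:  60   8 Vendor class identifier: MSFT 5.0"
    "|OPTION:  55  13 Parameter Request List:   1 (Subnet mask)|| 15 (Domainname)"
    "||  3 (Routers)||  6 (DNS server)"
    "|||IP: 10.10.10.177 > 172.20.1.11 | b8:ca:3a:67:95:8a > 0:50:56:84:68:43"
)
HEADER_RE = re.compile(r"^(TIME|INTERFACE|OP|CIADDR|YIADDR|SIADDR|GIADDR|CHADDR):\s*(.*)$")
OPTION_RE = re.compile(r"^OPTION:\s+(\d+)\s+(\d+)\s+(.+?):\s*(.*)$")
IP_RE = re.compile(r"^(\S+) > (\S+) \| (\S+) > (\S+)$")


def parse_dhcpdump_line(line: str) -> Dict[str, Any]:
    """Parse one single-line DHCPDump event into a flat dict for enrichment.
    Header fields and OPTIONs are "|"-separated, multi-valued options (e.g. 55)
    continue with "||"-separated items, and the capture's IP/MAC pair trails
    after "|||IP: ", so a naive split on "|" would break both."""
    dhcp_part, sep, ip_part = line.strip().rpartition("|IP: ")
    ip = IP_RE.match(ip_part.strip()) if sep else None
    if ip is None:
        raise ValueError("missing or malformed trailing IP section")
    event: Dict[str, Any] = {"options": {}}
    event["ip_src"], event["ip_dst"], event["mac_src"], event["mac_dst"] = ip.groups()
    last = None  # option currently collecting continuation items
    for tok in filter(None, (t.strip() for t in dhcp_part.split("|"))):
        if h := HEADER_RE.match(tok):
            event[h.group(1).lower()] = h.group(2).strip()
        elif o := OPTION_RE.match(tok):
            code, _length, name, value = o.groups()
            last = event["options"][int(code)] = {"name": name, "values": []}
            if value.strip():
                last["values"].append(value.strip())
        elif last is not None:  # e.g. "DHCPINFORM" after option 53, or a list item
            last["values"].append(tok)
        else:
            raise ValueError("unexpected token %r before any OPTION" % tok)
    opts = event["options"]
    event["hostname"] = (opts.get(12, {}).get("values") or [None])[0]
    event["message_type"] = (opts.get(53, {}).get("values") or [None])[-1]
    # CHADDR is zero-padded to 16 bytes; the first six are the client's MAC.
    event["client_mac"] = ":".join(event.get("chaddr", "").split(":")[:6]) or None
    return event
```

The hostname (option 12) and client MAC together with the source IP are the fields an enrichment step would key on to build the IP to hostname relation the issue asks for.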



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)