1 large data-set of network traffic to be investigated (JSON)
1 TLS-fingerprinting data-set or 1 'bad/blocked' IP data-set or ....
Use case:
When both the network traffic and fingerprint/IP data-sets are in Elasticsearch, how is it possible to correlate the values from both sources? Like some sort of translation, where the network data gets matched with a fingerprinting data-set.
I would like to add a row to each event in the large data-set of network traffic, saying something like 'Bad IP: Yes/No', so that I can create timelines or other visualizations only on data containing 'bad IPs'. Or matching specific values like a TLS fingerprint, adding an application-name row to a network event based on a fingerprinting database.
Thanks for your fast reply! I wanted to know for sure that this option isn't in the Elastic Stack before I start to look at other solutions.
I'm using Bro to process the pcaps and create the JSON files. I think I either need to write some sort of Python script or see if I can modify Bro to create some extra output I want (something like what's described here: https://www.securityartwork.es/2017/02/02/tls-client-fingerprinting-with-bro/). I think the best option would be to add specific fields to the JSON events created with Bro. Hmm, interesting.
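One way to do the enrichment described in this thread before the events are indexed, as an added Python example (not code from the thread or from Bro): each JSON-lines event gets a 'bad_ip' flag from a blocklist and an 'app_name' from a fingerprint lookup. The event field names, IPs, fingerprint hashes and application names below are constructed sample values.

```python
import json

# Constructed sample: Bro-style JSON events, one per line, using
# conn.log / ssl.log field names plus a 'tls_fingerprint' field.
SAMPLE_EVENTS = """\
{"ts":1486000001.1,"uid":"C1","id.orig_h":"10.0.0.5","id.resp_h":"203.0.113.9","id.resp_p":443,"tls_fingerprint":"aaaa1111"}
{"ts":1486000002.3,"uid":"C2","id.orig_h":"10.0.0.6","id.resp_h":"198.51.100.20","id.resp_p":443,"tls_fingerprint":"bbbb2222"}
{"ts":1486000003.7,"uid":"C3","id.orig_h":"10.0.0.7","id.resp_h":"192.0.2.44","id.resp_p":80}
"""

# Constructed lookup data-sets; in practice these are loaded from the
# blocklist and fingerprint database mentioned in the thread.
BAD_IPS = {"203.0.113.9", "192.0.2.44"}
FINGERPRINTS = {"aaaa1111": "Firefox 51", "bbbb2222": "curl 7.52"}


def enrich_event(event, bad_ips, fingerprints):
    """Return a copy of one event with the two enrichment fields added."""
    out = dict(event)
    # Flag the event if either endpoint appears in the blocklist.
    hosts = (event.get("id.orig_h"), event.get("id.resp_h"))
    out["bad_ip"] = any(h in bad_ips for h in hosts)
    # Translate the fingerprint hash to an application name when known;
    # events without a TLS fingerprint get None so the field still exists.
    fp = event.get("tls_fingerprint")
    out["app_name"] = fingerprints.get(fp, "unknown") if fp else None
    return out


def enrich_jsonl(text, bad_ips, fingerprints):
    """Enrich every non-empty JSON line; returns a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        events.append(enrich_event(json.loads(line), bad_ips, fingerprints))
    return events


if __name__ == "__main__":
    # Re-emit the enriched events as JSON lines ready for indexing.
    for ev in enrich_jsonl(SAMPLE_EVENTS, BAD_IPS, FINGERPRINTS):
        print(json.dumps(ev))
```

Once indexed, a filter on `bad_ip:true` or on `app_name` gives the timelines and visualizations the question asks for.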