Github user james-sirota commented on the issue:
https://github.com/apache/incubator-metron/pull/556
Just spun up the dashboard. The YAF portion is correct. The YAF sensor
produces flow information from A to B and you produce a table that counts and
orders them. Bro is almost correct. Bro produces HTTP and DNS metadata for
us. So you need to differentiate by protocol. In case of Bro-DNS your
dashboard should say top DNS requests. In case of Bro-HTTP your dashboard
should say top HTTP requests. Snort is an IDS that produces alerts. So your
dashboard should say top number of generated alerts.
One thing that would be useful here is to add a second dashboard for YAF
that would give me a histogram for a connection of my choice. For example,
your top connection is 192.168.66.1->192.168.66.121 | 867. If I could have a
second follow-up dashboard where I could have 4 boxes: sourceIP, destIP,
TimeBinSize, HowFarToReachBack. An example use would be that I would take the
top connection and do the following: SourceIP= 192.168.66.1,
DestIP=192.168.66.121, TimeBinSize=5 mins, HowFarToReachBack=3hours. Then it
draws a histogram of the top connection for me in 5 min increments reaching
back 3 hours.
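As an added example (not code from this PR or from Metron itself), the arithmetic behind both dashboards described above in Python: the A->B count table, and the follow-up histogram driven by the four inputs sourceIP, destIP, TimeBinSize and HowFarToReachBack. The field names (ip_src_addr, ip_dst_addr, timestamp in epoch milliseconds) and the flow records are assumptions constructed for the example.

```python
from collections import Counter

# Field names follow Metron's enriched-message convention as I understand it
# (ip_src_addr, ip_dst_addr, timestamp in epoch milliseconds); treat them as an
# assumption. The records below are constructed, not captured traffic.
START_MS = 1_493_715_600_000              # constructed window start
NOW_MS = START_MS + 3 * 60 * 60 * 1000    # "now" is 3 hours later

def _flow(src, dst, ts_ms):
    return {"ip_src_addr": src, "ip_dst_addr": dst, "timestamp": ts_ms}

SAMPLE_FLOWS = [
    _flow("192.168.66.1", "192.168.66.121", START_MS + 60_000),   # bin 0
    _flow("192.168.66.1", "192.168.66.121", START_MS + 120_000),  # bin 0
    _flow("192.168.66.1", "192.168.66.121", START_MS + 300_000),  # bin 1
    _flow("192.168.66.121", "192.168.66.1", START_MS + 400_000),  # reverse direction, skipped
    _flow("192.168.66.1", "192.168.66.121", START_MS - 1_000),    # older than the window, skipped
    _flow("192.168.66.1", "192.168.66.121", NOW_MS),              # exactly at "now": last bin
    _flow("192.168.66.1", "192.168.66.5", START_MS + 500_000),    # different destination, skipped
]

def top_connections(flows, limit=10):
    """First dashboard: count A->B flow pairs and order them by volume."""
    pairs = Counter((f["ip_src_addr"], f["ip_dst_addr"]) for f in flows)
    return pairs.most_common(limit)

def flow_histogram(flows, source_ip, dest_ip, now_ms,
                   bin_size_ms=5 * 60 * 1000, reach_back_ms=3 * 60 * 60 * 1000):
    """Follow-up dashboard: flows from source_ip to dest_ip, counted per bin of
    bin_size_ms over the window [now_ms - reach_back_ms, now_ms]."""
    if reach_back_ms % bin_size_ms:
        raise ValueError("reach-back window must be a whole number of bins")
    start_ms = now_ms - reach_back_ms
    n_bins = reach_back_ms // bin_size_ms
    counts = [0] * n_bins
    for f in flows:
        if f["ip_src_addr"] != source_ip or f["ip_dst_addr"] != dest_ip:
            continue
        ts = f["timestamp"]
        if ts < start_ms or ts > now_ms:
            continue
        # A timestamp exactly at the window end belongs to the last bin rather
        # than to an index one past the end of the list.
        idx = min((ts - start_ms) // bin_size_ms, n_bins - 1)
        counts[idx] += 1
    return [(start_ms + i * bin_size_ms, c) for i, c in enumerate(counts)]
```

Each returned tuple is (bin start in epoch ms, flow count), so 3 hours at 5-minute bins yields 36 entries ready to plot.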