Re: [VOTE] Move Apache Metron to the Apache Attic and Dissolve PMC

2020-11-16 Thread zeo...@gmail.com
+1 -- Jon Zeolla @jonzeolla PittSec | BSidesPGH | SteelCityInfoSec On Mon, Nov 16, 2020, 11:33 AM Casey Stella wrote: > +1 > > On Mon, Nov 16, 2020 at 09:01 Justin Leet wrote: > > > Hi all, > > > > This is a vote thread to retire Metron to the Attic, and dissolve the > PMC. > > This follows a

Re: [DISCUSS] Retire Metron to the Attic

2020-11-09 Thread zeo...@gmail.com
I also agree with a move to the attic. +1 to Otto's comment about forking the kafka plugin. -- Jon Zeolla @jonzeolla PittSec | BsidesPGH | SteelCityInfoSec On Mon, Nov 9, 2020 at 1:30 PM Otto Fowler wrote: > I am in support of this as well, > > We have substantial work to do to get metron o

Re: Any relation to Spot?

2020-04-09 Thread zeo...@gmail.com
Nope, different projects with similar goals. Metron came from Cisco OpenSOC and Spot came from ONI. Jon Zeolla On Thu, Apr 9, 2020, 5:57 PM Yerex, Tom wrote: > Good afternoon, > > I hope everyone is safe and healthy. I tripped across the Apache Spot > project while working through some documen

Re: [VOTE] Metron-bro-plugin-kafka Release Candidate 0.3.0-RC3

2019-10-11 Thread zeo...@gmail.com
+1 ran the RC script, spun up end to end successfully, manual validation, etc. - Jon Zeolla zeo...@gmail.com On Thu, Oct 10, 2019 at 3:10 PM Otto Fowler wrote: > +1 binding Ran RC script including the docker end to end testing > > > > > On October 10, 2019 at 14:38:45, Otto

Re: [VOTE] Metron-bro-plugin-kafka Release Candidate 0.3.0-RC2

2019-10-10 Thread zeo...@gmail.com
-1’s (binding) > > > > A new RC will be created once we're satisfied the latest fix has resolved > > issues. > > > > On Tue, Oct 1, 2019, 2:47 PM zeo...@gmail.com wrote: > > > >> -1 as well, validated the issue that Otto was seeing. > >> >

Re: [VOTE] Metron-bro-plugin-kafka Release Candidate 0.3.0-RC2

2019-10-01 Thread zeo...@gmail.com
-1 as well, validated the issue that Otto was seeing. I'm also testing to ensure that the fix properly addressed the issue and will respond if I see any issues that would block a fast follow RC3. - Jon Zeolla zeo...@gmail.com On Tue, Oct 1, 2019 at 3:27 PM Otto Fowler wrote: > The

Re: [VOTE] Metron-bro-plugin-kafka Release Candidate 0.3.0-RC1

2019-09-29 Thread zeo...@gmail.com
ve it up to the > community if everyone would rather live with the possibility that there's a > delay post vote or if we'd rather start next week. > > On Sun, Sep 29, 2019 at 12:47 PM zeo...@gmail.com > wrote: > > > Justin Leet was running this release previousl

Re: [VOTE] Metron-bro-plugin-kafka Release Candidate 0.3.0-RC1

2019-09-29 Thread zeo...@gmail.com
Justin Leet was running this release previously Jon Zeolla On Sun, Sep 29, 2019, 12:07 PM Otto Fowler wrote: > If you are doing the RM duties, just go ahead and cut the RC. > > > > > On September 29, 2019 at 11:35:10, zeo...@gmail.com (zeo...@gmail.com) > wrote: > >

Re: [VOTE] Metron-bro-plugin-kafka Release Candidate 0.3.0-RC1

2019-09-29 Thread zeo...@gmail.com
resolved. > > On Wed, Nov 28, 2018 at 10:49 AM zeo...@gmail.com > wrote: > > > -1 > > > > In my testing it appears that an issue was introduced in 0.2 which is > > causing a segfault on the destructor ( > > > > > https://github.com/apache/metron-b

Re: [DISCUSS] HDP 3.1 Upgrade and release strategy

2019-08-27 Thread zeo...@gmail.com
I agree that having a scripted approach for backup and restore of Metron configs should be necessary for such a large change/upgrade process. Having been through this many times in the past I can tell you that the difficulty of upgrading (whether perceived or actual) holds back adoption of the plat

Re: What's the status of Metron

2019-06-08 Thread zeo...@gmail.com
I just sent an invite for the ASF slack. Check out #Metron once you're in there. There are some various network diagrams but nothing that I would consider holistic. Here are some pointers (in order) https://cwiki.apache.org/confluence/display/METRON/Metron+Architecture https://github.com/apach

Re: [VOTE] Update dev guidelines with format for sharing architecture source files and rendered images

2019-05-03 Thread zeo...@gmail.com
+1 non-binding I would only prefer that we change "Appropriate architecture diagrams should be created in" to "Appropriate architecture diagrams must be created in" but I'm good either way. - Jon Zeolla zeo...@gmail.com On Fri, May 3, 2019 at 10:18 AM Michael M

Re: [DISCUSS] Next Release

2019-04-25 Thread zeo...@gmail.com
Any chance we could do a quick cleanup of METRON-1795? Seems like it should be assigned to Jagdeep Singh (jagdeep.sing...@team.telstra.com), but I couldn't find that account in the assignee field. - Jon Zeolla zeo...@gmail.com On Thu, Apr 25, 2019 at 12:33 PM Michael Miklavcic < michae

Re: [DISCUSS] Next Release

2019-04-23 Thread zeo...@gmail.com
. When that happens, are we okay with sharing version numbers? - Jon Zeolla zeo...@gmail.com On Tue, Apr 23, 2019 at 1:42 PM Justin Leet wrote: > Absolutely. It'll probably be tomorrow before that gets into full swing. > > I don't believe we have a "0.7.1" release

Re: [DISCUSS] Format for sharing architecture source files and rendered images

2019-04-18 Thread zeo...@gmail.com
I'm also partial to draw.io. Jon Zeolla On Wed, Apr 17, 2019, 9:48 PM Otto Fowler wrote: > Also, the section should either have a blurb and like for draw.io or a > reference footnote etc. > > > On April 17, 2019 at 21:36:03, Otto Fowler (ottobackwa...@gmail.com) > wrote: > > I think we should t

Re: Problems with Dev deployment.

2019-04-10 Thread zeo...@gmail.com
with you. - Jon Zeolla zeo...@gmail.com On Wed, Apr 10, 2019 at 9:17 AM Otto Fowler wrote: > These issues are the reason https://github.com/apache/metron/pull/1261 was > done. It would be nice if we could get by them. > > > On April 10, 2019 at 08:13:04, Dale Richardson (ti

Re: [DISCUSS] Next Release

2019-03-30 Thread zeo...@gmail.com
to take this on? Would be nice to get a release > > out. > > > > On Thu, Mar 14, 2019, 4:53 PM zeo...@gmail.com wrote: > > > > > We should likely get METRON-2014 in, based on > > > > > > > > > https://lists.apache.org/thread.html/13bd0ed5

Re: [DISCUSS] Next Release

2019-03-14 Thread zeo...@gmail.com
We should likely get METRON-2014 in, based on https://lists.apache.org/thread.html/13bd0ed5606ad4f3427f24a8e759d6bcb61ace76d4afcc9f48310a00@%3Cdev.metron.apache.org%3E On Thu, Mar 14, 2019 at 4:24 PM Michael Miklavcic < michael.miklav...@gmail.com> wrote: > Ticket is now done and merged. I'm also

Re: [DISCUSS] Central Navigation for Alerts and Management UI

2019-03-11 Thread zeo...@gmail.com
I use both screens frequently on prod clusters. I don't know how prevalent that use case is though. Jon On Mon, Mar 11, 2019 at 7:33 AM Shane Ardell wrote: > Good point, Otto. Just posted there now. > > On Mon, Mar 11, 2019 at 12:11 PM Otto Fowler > wrote: > > > Maybe you should post to the u

Re: [DISCUSS] Upgrading HBase and Kafka support

2019-03-08 Thread zeo...@gmail.com
So most importantly I want to make sure to give Otto credit for being the one who cleaned up the rudimentary testing steps we had for testing the plugin and turned it into the docker end to end. Right now we manually run the tests, as there were a few follow-ons we needed to work through before it

Re: [DISCUSS] Upgrading HBase and Kafka support

2019-03-08 Thread zeo...@gmail.com
+1 to option 3 on both. Also strongly in favor of Docker. We recently took a similar approach in metron-bro-plugin-kafka as well (link ) to do end to end testing. Jon On Fri, Mar 8, 2019 at 9:53 AM Nick Allen wrote: > +1 fo

Re: [DISCUSS] Architecture documentation

2019-02-26 Thread zeo...@gmail.com
Sorry for the delay here. Yup I'm good with where this ended up, thanks! Jon On Tue, Feb 26, 2019 at 10:21 AM Michael Miklavcic < michael.miklav...@gmail.com> wrote: > @Jon - I think this DISCUSS thread is the last gating factor for getting > this PR in, are you ok with the prescribed approach

Re: [DISCUSS] Architecture documentation

2019-02-25 Thread zeo...@gmail.com
etc.)? > > If someone thinks the code base needs X before the next release, then they > can bring up X during the release discussion. We don't need additional > procedure around this. > > On Mon, Feb 25, 2019 at 9:11 AM zeo...@gmail.com wrote: > > > I agree

Re: [DISCUSS] Architecture documentation

2019-02-25 Thread zeo...@gmail.com
I agree, I think all docs should be kept in the code base. I opened METRON-714 ages ago to get the existing cwiki docs over to READMEs as well. I would also like to see us consider a more general/overview architecture, or perhaps write each component's architecture in a way that it can be compose

Metron REST w/o LDAP

2019-01-26 Thread zeo...@gmail.com
Is it intended that we require METRON_LDAP_PASSWORD when LDAP isn't in use to start metron-rest?
```
[metroniso@server ~]$ export METRON_LDAP_PASSWORD=anything
[metroniso@server ~]$ /usr/metron/0.7.0/bin/metron-rest.sh
[metroniso@server ~]$ tail -f /var/log/metron/metron-rest.log # No error
```

Re: [DISCUSS] Writer class refactor

2019-01-18 Thread zeo...@gmail.com
Totally on board with everybody's comments above this point. Jon On Fri, Jan 18, 2019, 6:07 PM Michael Miklavcic wrote: > Thanks for the write up, Ryan. I had to touch on some of this when > refactoring the kafka writer away from the async model so we could > guarantee delivery. We had potentia

[DISCUSS] Clarify development guidelines

2019-01-08 Thread zeo...@gmail.com
I was looking at picking up a JIRA which could apply to both apache/metron and apache/metron-bro-plugin-kafka (upgrade to bro 2.6.1/latest). It made me take another look at our dev guidelines to see if they are explicit about having one JIRA per PR (it doesn't). Is this something we should do? M

Re: Metron Release 0.6.1 and/or Plugin release 0.3.0?

2018-12-05 Thread zeo...@gmail.com
pport for getting a RC out sooner rather than later. > > On Tue, Dec 4, 2018 at 4:06 PM zeo...@gmail.com wrote: > > > I agree that we should move forward with the apache/metron 0.7.0 release. > > If 0.3 gets finalized in time we can include it, but otherwise no big > deal

Re: Metron Release 0.6.1 and/or Plugin release 0.3.0?

2018-12-04 Thread zeo...@gmail.com
core > >> release (or we choose not to fix it, given the current version is > >> affected), I'm happy to put out a new RC. > >> > >> On Mon, Dec 3, 2018 at 4:12 PM Michael Miklavcic < > >> michael.miklav...@gmail.com> wrote: > >

Re: Metron Release 0.6.1 and/or Plugin release 0.3.0?

2018-12-03 Thread zeo...@gmail.com
TRON-1810> > > METRON-1814 <https://issues.apache.org/jira/browse/METRON-1814> > > METRON-1851 <https://issues.apache.org/jira/browse/METRON-1851> > > > > On Wed, Nov 21, 2018 at 2:20 PM zeo...@gmail.com > wrote: > > > > > A metron-bro-plugin

Re: [VOTE] Metron-bro-plugin-kafka Release Candidate 0.3.0-RC1

2018-11-28 Thread zeo...@gmail.com
-1 In my testing it appears that an issue was introduced in 0.2 which is causing a segfault on the destructor ( https://github.com/apache/metron-bro-plugin-kafka/commit/1dfc5239fae31a64026188109d1e346ce93d5c02#diff-361be0491d615952129ed5c8f39c9683L57). I've opened METRON-1910 and am testing a fix

Re: Metron Release 0.6.1 and/or Plugin release 0.3.0?

2018-11-21 Thread zeo...@gmail.com
gt; > > METRON-1741 Move REPL Port of Profiler to Separate Project > > > (nickwallen) > > > > closes apache/metron#1170 > > > > METRON-1715 Create DEB Packaging for Batch Profiler (nickwallen) > > > closes > > > > apache/metron#116

Re: Metron Release 0.6.1 and/or Plugin release 0.3.0?

2018-11-21 Thread zeo...@gmail.com
che/metron#1163 > > > METRON-1708 Run the Batch Profiler in Spark (nickwallen) closes > > > apache/metron#1161 > > > METRON-1707 Port Profiler to Spark (nickwallen) closes > > > apache/metron#1150 > > > METRON-1705 Create ProfilePeriod Using Pe

Re: [ANNOUNCE] Shane Ardell is a committer

2018-11-19 Thread zeo...@gmail.com
Congrats Shane! Jon On Mon, Nov 19, 2018 at 10:43 AM Anand Subramanian < asubraman...@hortonworks.com> wrote: > Many congratulations, Shane! > > Cheers, > Anand > > On 11/19/18, 8:36 PM, "James Sirota" wrote: > > > The Project Management Committee (PMC) for Apache Metron has invited > Shan

Re: Metron Release 0.6.1 and/or Plugin release 0.3.0?

2018-11-18 Thread zeo...@gmail.com
> * Once PR is in, start metron release process (hopefully) sometime the week > of the 3rd? > > Are there any objections to staggering the releases like that? They could > also be done together, but it means that we have to update full dev to > match the plugin version post release

Re: Metron Release 0.6.1 and/or Plugin release 0.3.0?

2018-11-14 Thread zeo...@gmail.com
In my opinion metron-bro-plugin-kafka is ready for a release. Anything else people would want to see? Once it gets released, I would like to update full dev to use the newest version prior to any future metron release (0.6.1 or whatever we choose). Jon On Wed, Nov 7, 2018 at 8:07 PM zeo

Re: [DISCUSS] Slack Channel Use

2018-11-12 Thread zeo...@gmail.com
Spot on Justin, I totally agree. My only nit is that often it's much easier troubleshooting in Slack as opposed to the mailing lists, so I'm game to allow some troubleshooting in Slack as long as the issue and resolution makes it back to the lists. Given that slack message history is being kept (

Re: [DISCUSS] Knox SSO feature branch review and features

2018-11-11 Thread zeo...@gmail.com
Phew, that was quite the thread to catch up on. I agree that this should be optional/pluggable to start, and I'm interested to hear the issues as they relate to upgrading an existing cluster (given the suggested approach) and exposing both legacy and knox URLs at the same time. Jon On Fri, Nov 9

Re: Metron Release 0.6.1 and/or Plugin release 0.3.0?

2018-11-07 Thread zeo...@gmail.com
So, about this release, anybody have time to review apache/metron-bro-plugin-kafka#2 and apache/metron-bro-plugin-kafka#13? Jon On Wed, Oct 17, 2018 at 10:37 AM Michael Miklavcic < michael.miklav...@gmail.com> wrote: > And I do think we will be ready to roll another Metron release in the near >

Re: [DISCUSS] Deprecate split-join enrichment topology in favor of unified enrichment topology

2018-11-02 Thread zeo...@gmail.com
+1 totally agree. Jon On Fri, Nov 2, 2018, 1:31 AM Anand Subramanian wrote: > Piling on my +1 (non-binding) as well. > > On 11/2/18, 4:41 AM, "Ryan Merriman" wrote: > > +1 > > On Thu, Nov 1, 2018 at 5:38 PM Casey Stella > wrote: > > > +1 > > On Thu, Nov 1, 2018 at 18:34 Nick

Re: [DISCUSS] Day 1 User Experience - Getting Metron Running

2018-10-26 Thread zeo...@gmail.com
Yeah I would +1 katakoda. I also think that it would help to start distributing RPMs, DEBs, and the mpacks with the releases, as well as consider a service like opensuse's build service for nightlies, etc. Jon On Fri, Oct 26, 2018 at 6:25 AM Anand Subramanian < asubraman...@hortonworks.com> wrot

Re: Invite to Slack Channel

2018-10-22 Thread zeo...@gmail.com
Invite sent On Mon, Oct 22, 2018 at 9:26 AM Muhammed Irshad wrote: > Some one get me also the slack channel link ? > Thanks, > Muhammed Irshad > Q*Burst* > www.qburst.com > > > On Wed, Oct 17, 2018 at 7:33 PM Michael Miklavcic < > michael.miklav...@gmail.com> wrote: > > > Sent > > > > On Wed, Oc

Re: Metron Release 0.6.1 and/or Plugin release 0.3.0?

2018-10-16 Thread zeo...@gmail.com
I agree with a metron-bro-plugin-kafka release of 0.3.0 (0.3 in bro-pkg), assuming we can get apache/metron-bro-plugin-kafka#2 in. I'm working on adding travis to the metron-bro-plugin-kafka repo, but I'm not sure when I will have enough time to finish my work there and wouldn't want to hold up a

Re: Bro plugin unit tests failing

2018-10-15 Thread zeo...@gmail.com
p a version of the PR > template would be helpful. Maybe adding a section to the README.md linking > to the CONTRIBUTING.md of the main repo? > > On Sun, Oct 14, 2018 at 11:14 AM Otto Fowler > wrote: > >> It is INFRA, see INFRA-17091 for example. >> >> >> On

Bro plugin unit tests failing

2018-10-12 Thread zeo...@gmail.com
So it seems that the last commit before the 0.2 release of metron-bro-plugin-kafka broke the one basic unit test that we had. Since metron 0.6.0 pins to 0.1 this wouldn't cause an obvious iss

Re: Bro plugin release process docs?

2018-10-12 Thread zeo...@gmail.com
made/suggested. Since I assume we wouldn't want to make any changes to releases retroactively, I added a note to the cwiki to note the history (see "Historical Note" under section 5). Thanks, Jon On Thu, Oct 11, 2018 at 11:05 AM zeo...@gmail.com wrote: > Okay, I'll PR some

Re: Bro plugin release process docs?

2018-10-11 Thread zeo...@gmail.com
le check if there's anything else that needs to happen to make sure > tags and such line up. > > On Thu, Oct 11, 2018 at 9:18 AM zeo...@gmail.com wrote: > > > Is there a reason why the prefix for apache/metron ends with a -, whereas > > the plugin ends with a _ se

Re: Bro plugin release process docs?

2018-10-11 Thread zeo...@gmail.com
this point. The docs just need an overhaul, so someone who's not me knows > what to do. > > On Wed, Oct 10, 2018 at 7:01 PM zeo...@gmail.com wrote: > > > Yeah you're right when I looked closer to make the change it was step 10. > > I pushed a manual 0.2 tag to metro

Re: Bro plugin release process docs?

2018-10-10 Thread zeo...@gmail.com
tps://github.com/apache/metron/blob/master/dev-utilities/release-utils/prepare-release-candidate#L245 > > > . > > On Wed, Oct 10, 2018 at 5:09 PM Michael Miklavcic < > michael.miklav...@gmail.com> wrote: > > > +1 to all of that from me, Jon. Thanks for taking care of t

Re: Bro plugin release process docs?

2018-10-10 Thread zeo...@gmail.com
ce for now and I didn't miss a new place for the plugin release instructions. Jon On Wed, Oct 10, 2018 at 4:31 PM zeo...@gmail.com wrote: > So I was poking around on the plugin today and noticed that we have > a apache-metron-bro-plugin-kafka_0.2.0-release and > apache-metron-br

Re: Bro plugin release process docs?

2018-10-10 Thread zeo...@gmail.com
could update the bro package manager, and finally update what the apache/metron full-dev environment(s) point to (0.2 as opposed to 0.1). Thanks, Jon On Mon, May 28, 2018 at 8:41 AM zeo...@gmail.com wrote: > I did a bit of poking around and I don't believe we ever formally wrote > that

Re: [DISCUSS] Split apart releases for core Metron and the Bro plugin

2018-10-08 Thread zeo...@gmail.com
at 3:15 PM Casey Stella wrote: > > > +1 to defer for this release and complete separation. Good fences make > > good submodules. ;) > > > > On Fri, Sep 7, 2018 at 2:33 PM zeo...@gmail.com > wrote: > > > > > +1 to defer for this release and +

Re: Metron dev environments moving to require Ansible 2.4+

2018-10-01 Thread zeo...@gmail.com
> On September 28, 2018 at 11:45:14, zeo...@gmail.com (zeo...@gmail.com) > wrote: > > Do you mean this > <https://cwiki.apache.org/confluence/display/METRON/Downgrade+Ansible>? > It was the only reference I could find on the wiki. All of the READMEs > should be update

Re: Metron dev environments moving to require Ansible 2.4+

2018-09-28 Thread zeo...@gmail.com
:15 AM Otto Fowler wrote: > We should make sure the non-source documentation is updated > > > On September 28, 2018 at 09:32:52, zeo...@gmail.com (zeo...@gmail.com) > wrote: > > Hi All, > > As it currently sits, once METRON-1758 > <https://github.com/apache/me

Metron dev environments moving to require Ansible 2.4+

2018-09-28 Thread zeo...@gmail.com
Hi All, As it currently sits, once METRON-1758 is merged into the code base, Ansible 2.4 or later will be required to use any of the Metron ansible playbooks. This is in contrast to the prior version requirements outlined in Metron documentation which

Re: [DISCUSS] Metron Release 0.6.0?

2018-09-08 Thread zeo...@gmail.com
upports it, we can add the extra patch version to reflect > this additional available state info. > > Best, > Mike > > > On Thu, Sep 6, 2018 at 7:34 PM zeo...@gmail.com wrote: > > > I'm not aware of the bro plugin artifacts being used in any way. >

Re: [DISCUSS] Split apart releases for core Metron and the Bro plugin

2018-09-07 Thread zeo...@gmail.com
+1 to defer for this release and +1 to Justin's suggested release/dist directory breakout and complete separation. Jon On Fri, Sep 7, 2018 at 1:43 PM Michael Miklavcic < michael.miklav...@gmail.com> wrote: > +1 to deferring for this release and having the separation like NiFi. Since > we're boot

Re: [DISCUSS] Feature branches post-merge

2018-09-07 Thread zeo...@gmail.com
Yeah I don't have a good reason to suggest we keep 'em. so +1 to deleting old FBs. Jon On Fri, Sep 7, 2018 at 12:14 PM Nick Allen wrote: > +1 delete old feature branches. > > BTW, there is a branch out there called METRON-113 that we probably need to > clean-up. I'm not sure where that came fr

Re: [DISCUSS] Metron Release 0.6.0?

2018-09-06 Thread zeo...@gmail.com
rather just get an RC out. > > On Thu, Sep 6, 2018 at 10:02 AM zeo...@gmail.com wrote: > > > Either is fine with me. If it's x.y in some parts of the app I prefer to > > keep it consistent throughout, but I'm also fine with lining up with > > Apache/Metron wh

Re: [DISCUSS] Metron Release 0.6.0?

2018-09-06 Thread zeo...@gmail.com
ct being > 0.2? Or do we want to keep the mixed versioning and just live with it, at > least for now? > > On Wed, Sep 5, 2018 at 8:58 PM zeo...@gmail.com wrote: > > > I think mattf-horton just did that as a part of convention. He handled > > that part,

Re: [DISCUSS] Metron Release 0.6.0?

2018-09-05 Thread zeo...@gmail.com
. Jon On Wed, Sep 5, 2018 at 8:28 PM Justin Leet wrote: > Any idea why we released it as 0.1.0 in the artifacts version? I'm fine > with doing x.y if we need to, but I would like the artifact versioning to > be consistent if possible. > > On Wed, Sep 5, 2018 at 8:26 PM zeo...

Re: [DISCUSS] Metron Release 0.6.0?

2018-09-05 Thread zeo...@gmail.com
I lied, we didn't need to update our btests because it's limited to a major and minor version. https://github.com/apache/metron-bro-plugin-kafka/blob/master/src/Plugin.cc#L33-L34 Jon On Wed, Sep 5, 2018 at 8:10 PM zeo...@gmail.com wrote: > I looked into x.y.z back when we releas

Re: [DISCUSS] Metron Release 0.6.0?

2018-09-05 Thread zeo...@gmail.com
>> name > >> > > > (merrimanr) closes apache/metron#1055 > >> > > > 10 weeks ago METRON-1585 SolrRetrieveLatestDao does not use the > >> > > collection > >> > > > lookup (justinleet via merrimanr) closes apache/metron#1050

Re: IRC Channel -> OPS?

2018-08-29 Thread zeo...@gmail.com
Isn't it Casey? Jon On Wed, Aug 29, 2018, 08:41 Otto Fowler wrote: > Who has ops in the irc channel? > Can you pop in and set the topic to something like: > “There is an ASF slack with an active metron channel, please email > dev@metron.apache.org and request an invite” > -- Jon

Re: [DISCUSS] Getting to a 1.0 release

2018-08-27 Thread zeo...@gmail.com
hat as part of their evaluations. > > > > > > >> > “Look, it is going to have a security vault type thing, it > is > > on > > > > the > > > > > > >> roadmap”. > > >

Re: [ANNOUNCE] - Apache Metron Slack channel

2018-08-27 Thread zeo...@gmail.com
Invite sent. Jon On Mon, Aug 27, 2018, 02:45 Ali Nazemian wrote: > Can I be invited as well? > > On Thu, Aug 16, 2018 at 4:37 AM Otto Fowler > wrote: > > > Done > > > > > > On August 15, 2018 at 14:22:45, Vets, Laurens (laur...@daemon.be) wrote: > > > > Could I be invited? > > > > On 15-Aug-18

Re: Need a slack invite

2018-08-27 Thread zeo...@gmail.com
Invite sent. Jon On Mon, Aug 27, 2018, 03:36 Karthik D B wrote: > Hi Team, > I’m a non-ASF committers, I Would like to join the Metron Slack Channel. > pls. Send an invite. > Thanks, > Karthik DB -- Jon

[DISCUSS] Getting to a 1.0 release

2018-08-15 Thread zeo...@gmail.com
So, as has been discussed in a few other recent dev

Re: [DISCUSS] Release cadence

2018-08-15 Thread zeo...@gmail.com
I'm a fan of a hybrid time/feature-based cadence. Something like "When 3 months has passed since our last release, or a sufficiently complicated change has been introduced to master (like merging a FB), a discuss thread is started". I'm primarily thinking of what the upgrade path looks like (more

Re: [DISCUSS] Metron Release 0.6.0?

2018-08-15 Thread zeo...@gmail.com
I agree - I would love to see a release not long after the PCAP FB gets into master, and 0.6.0 makes sense to me. I'd also like to see a 0.2 release of metron-bro-plugin-kafka. There is one new commit, and I have a PR open which is waiting on some tests before it's ready to be evaluated/merged.

Re: Knox SSO feature branch PRs: a quick demo

2018-08-02 Thread zeo...@gmail.com
Nice run through Simon that was very helpful for me to catch up on the work you've been doing. Appreciate the focus on this too, when talking to others about Metron I have heard a few times that they were interested in features that it seems we will soon have. Hopefully I'll have a chance to take

Re: Bro plugin release process docs?

2018-05-28 Thread zeo...@gmail.com
I did a bit of poking around and I don't believe we ever formally wrote that down. The last release happened as a combination of actions from mattf and myself (mostly mattf). The plugin has two new commits since the last release (1 bugfix 1 feature) - if we want to couple version 0.2 of the plugi

Re: [VOTE] Metron Release Candidate 0.5.0-RC1

2018-05-27 Thread zeo...@gmail.com
We did discuss doing a release since there were two new commits, but I don't think it was included in this round. Jon On Sat, May 26, 2018, 10:22 Otto Fowler wrote: > Is there a BRO RC # for this? > > > On May 25, 2018 at 14:53:25, Nick Allen (n...@nickallen.org) wrote: > > +1 Release this pack

Re: [DISCUSS] Pcap panel architecture

2018-05-11 Thread zeo...@gmail.com
> On Thu, May 10, 2018 at 2:47 PM, zeo...@gmail.com > wrote: > > > At the very least there needs to be the ability to share downloaded PCAPs > > with other users and/or have roles that can see all pcaps. A platform > > engineer may want to clean up old pcaps after x

Re: [DISCUSS] Pcap panel architecture

2018-05-10 Thread zeo...@gmail.com
At the very least there needs to be the ability to share downloaded PCAPs with other users and/or have roles that can see all pcaps. A platform engineer may want to clean up old pcaps after x time, or a manager may ask an analyst to find all of the traffic that exhibits xyz behavior, dump a pcap, a

Re: [DISCUSS] Release?

2018-05-10 Thread zeo...@gmail.com
> On Wed, May 9, 2018 at 12:13 PM, Michael Miklavcic < > > > michael.miklav...@gmail.com> wrote: > > > > > > > I'm also a +1 on 0.5.0. This is a fairly big release. > > > > > > > > On Wed, May 9, 2018 at 12:05 PM, Nick Allen >

Re: [DISCUSS] Pcap UI user requirements

2018-05-09 Thread zeo...@gmail.com
's a java > BPF implementation? Also, keep in mind that our query mechanism is a map > and a reduce job, so any filtering system which depends on state (e.g. > previous packets by time) is going to trigger another architecture. > > On Mon, May 7, 2018 at 4:05 PM zeo...@gmail.com

Re: [DISCUSS] Pcap UI user requirements

2018-05-09 Thread zeo...@gmail.com
> NEW_SAVING, SUBMITTED, ACCEPTED, RUNNING, FINISHED, FAILED, KILLED" > > Same goes for MR job commands: > > https://hadoop.apache.org/docs/stable/hadoop-mapreduce-client/hadoop-mapreduce-client-core/MapredCommands.html#job > > Mike > > On Mon, May 7, 2018 at 2:04 PM, z

Re: [DISCUSS] Release?

2018-05-09 Thread zeo...@gmail.com
the > other major ES and Solr changes. > > On Wed, May 9, 2018 at 12:13 PM, Michael Miklavcic < > michael.miklav...@gmail.com> wrote: > > > I'm also a +1 on 0.5.0. This is a fairly big release. > > > > On Wed, May 9, 2018 at 12:05 PM, Nick Allen wrote:

Re: [DISCUSS] Release?

2018-05-09 Thread zeo...@gmail.com
months ago METRON-939: Upgrade ElasticSearch and Kibana (mmiklavc via > mmiklavc) closes apache/metron#840 > > > https://lists.apache.org/thread.html/01fb18dd0ee10845588c0c1a4b3f2f36d7a107c66edd2247f61756c1@%3Cdev.metron.apache.org%3E > > On Wed, May 9, 2018 at 11:18 AM, zeo...@gma

Re: [DISCUSS] Pcap panel architecture

2018-05-09 Thread zeo...@gmail.com
This looks really great and gets me excited to maybe revisit some old conversations about PCAP capture in Metron. The only thing that I think it's missing is the ability to filter using bpf. I think the same thing can technically be accomplished by using packet_filter and I wouldn't throw a fit i

Re: [DISCUSS] Release?

2018-05-09 Thread zeo...@gmail.com
We should also mention the Upgrade of ElasticSearch and Kibana Jon On Wed, May 9, 2018 at 12:49 PM Nick Allen wrote: > Oh, and also the Solr work that is currently in a feature branch. We would > have to get the work finished up and merged though. Sounds like we are > real close on that. > >

Re: [DISCUSS] Pcap UI user requirements

2018-05-07 Thread zeo...@gmail.com
From my perspective PCAP is primarily used as a follow-on to an alert or meta-alert - people very rarely use PCAP for initial hunting. I know this has been brought up by Otto, Mike, and Ryan across the two related threads and I think it's all spot on. Going from an alert or meta-alert to pulling

Re: [VOTE] Development Guidelines Addendum on Inactive Pull Requests

2018-04-20 Thread zeo...@gmail.com
+1 (non-binding) On Fri, Apr 20, 2018 at 9:42 AM Michel Sumbul wrote: > +1 > > 2018-04-20 14:40 GMT+01:00 Otto Fowler : > > > +1 > > > > > > On April 20, 2018 at 09:30:30, Nick Allen (n...@nickallen.org) wrote: > > > > I am proposing the following addition to the project's development > > guidel

Re: GeoLite deprecating legacy DBs

2018-04-13 Thread zeo...@gmail.com
r are you referring to the old geo > enrichment? > > > > Simon > > > > > > > On 13 Apr 2018, at 10:27, zeo...@gmail.com wrote: > > > > > > Looks like we will need to update the Geo DBs that we use for > enrichment. > > > > > > >

GeoLite deprecating legacy DBs

2018-04-13 Thread zeo...@gmail.com
Looks like we will need to update the Geo DBs that we use for enrichment. Updated versions of the GeoLite Legacy databases are now only available to redistribution license customers, although anyone can continue to download the March 2018 GeoLite Legacy builds. Starting January 2, 2019, the last

Re: Secure code analysis

2018-03-28 Thread zeo...@gmail.com
issions dating back to 2017-02-13, > but > > > > Oh, great. > > So your general impression based on those submissions is that this would > > be useful for us? > > > > I didn't realize that you had already been reviewing the output of the > tool > > o

Re: [DISCUSS] Generic Syslog Parsing capability for parsers

2018-03-20 Thread zeo...@gmail.com
So I've kept my ear to the ground regarding this topic for a while now, and had some conversations a year or so ago about the idea as well. At the very least, I think having the concept of a pre-parser is a good one, if not chaining an arbitrary number of parsers together. I see this as an import

Re: [DISCUSS] Split Elasticsearch and Kibana into separate MPack from Metron

2018-02-21 Thread zeo...@gmail.com
I agree, the first approach makes the most sense to me. Jon On Wed, Feb 21, 2018 at 11:45 AM Nick Allen wrote: > +1 to the first approach, as you've laid it out. That makes the most sense > to me. We need a way to rev the version of the ES Mpack independent of the > ES version. > > On Wed, Fe

Re: metron-bro-plugin kafka

2018-02-13 Thread zeo...@gmail.com
bro 2.5.2 logs (link <https://github.com/apache/metron/pull/844>). They should find their way into the plugin README eventually. Jon On Tue, Feb 13, 2018 at 6:35 AM bharath phatak wrote: > Hi Jon, > > Other than Known::DEVICES_LOG rest all worked. > > Thanks, >

Re: metron-bro-plugin kafka

2018-02-13 Thread zeo...@gmail.com
Try redef Kafka::logs_to_send = set(HTTP::LOG, DNS::LOG, Conn::LOG, DPD::LOG, FTP::LOG, Files::LOG, Known::CERTS_LOG, SMTP::LOG, SSL::LOG, Weird::LOG, Notice::LOG, DHCP::LOG, SSH::LOG, Software::LOG, RADIUS::LOG, X509::LOG, Known::DEVICES_LOG, RFB::LOG, Stats::LOG, CaptureLoss::LOG, SIP::LOG); No

DataWorks Summit San Jose

2018-02-07 Thread zeo...@gmail.com
Hi All, Just a heads up that *the San Jose DataWorks Summit's call for papers is coming to a close soon *(February 9th, in 2 days!). If you are doing anything cool with open source big data and security that you want to talk about, please submit to the Cyber Security track. I'm hoping to attend

Re: [DISCUSS] Profiler Enhancement

2018-02-07 Thread zeo...@gmail.com
Scenario 2 is one that I'm specifically interested in, I have that exact use case right now. I can see Scenario 1 being useful in the future as well. I'm also interested in a conversation along the lines of what Otto brought up (i.e. I would like to re-ingest data to redo parsing, enrichments, et

[REQUEST] Add Ian as an Assignee in JIRA

2018-01-29 Thread zeo...@gmail.com
Can someone add Ian Abreu as a potential assignee on JIRA? He has a PR open against his ticket in the bro plugin repo. Thanks, Jon -- Jon

Re: Metron User Community Meeting Call

2018-01-25 Thread zeo...@gmail.com
Thanks Otto, I'm in to attend at that time/place. Jon On Thu, Jan 25, 2018, 14:45 Otto Fowler wrote: > I would like to propose a Metron user community meeting. I propose that we > set the meeting next week, and will throw out Wednesday, January 31st at > 09:30AM PST, 12:30 on the East Coast and

Re: [DISCUSS] Update Metron Elasticsearch index names to metron_

2018-01-24 Thread zeo...@gmail.com
I agree with having a metron_ prefix for ES indexes, and the timing. Jon On Wed, Jan 24, 2018 at 3:20 PM Michael Miklavcic < michael.miklav...@gmail.com> wrote: > With the completion of https://github.com/apache/metron/pull/840 > (METRON-939: Upgrade ElasticSearch and Kibana), we have the making

Re: [DISCUSS] Time to remove github updates from dev?

2018-01-19 Thread zeo...@gmail.com
I would give that +1 as well. Jon On Fri, Jan 19, 2018 at 3:32 PM Casey Stella wrote: > I could get behind that. > > On Fri, Jan 19, 2018 at 3:31 PM, Andre wrote: > > > Folks, > > > > May I suggest Metron follows the NiFi mailing list strategy (we got > > inspired by another project but I don

Re: Anand is a new Committer!

2018-01-11 Thread zeo...@gmail.com
Welcome aboard, Anand! Congrats Jon On Thu, Jan 11, 2018 at 10:41 AM Otto Fowler wrote: > Congratulations and welcome Anand! > > > On January 11, 2018 at 09:29:24, Casey Stella (ceste...@gmail.com) wrote: > > The Project Management Committee (PMC) for Apache Metron has invited Anand > Subraman

Re: Secure code analysis

2017-12-23 Thread zeo...@gmail.com
revious releases to Veracode to see if we > get actionable results? > > > > > > On Thu, Dec 21, 2017 at 10:48 AM, zeo...@gmail.com > wrote: > > > Just following up on this conversation again - > > > > I have discussed this ad-hoc with a few PMC members r

Re: Secure code analysis

2017-12-21 Thread zeo...@gmail.com
'm happy to play around with this and see how it could be useful, but in order to do so I need to get some additional authorization. Does anybody have any concerns with delegating this access to me, or with this general approach? Jon On Fri, Dec 16, 2016 at 11:39 AM James Sirota wrote: >
