metron-dev mailing list archives

From Justin Leet <>
Subject Re: [DISCUSS] Bro Zeppelin dashboards
Date Wed, 01 Mar 2017 13:49:51 GMT
For the short term discussion, I'm assuming what we have right now.  I'm
looking at DNS right now, and will use that as a starting point, but I
think the discussion is still valuable for the other components.  We may or
may not want to either expand out that one dashboard or have multiple
dashboards to handle various facets.

For the longer term, I imagine we'd want to cover Bro more comprehensively,
and to what extent that's needed is part of the discussion.

Basically the way I'm looking at this is DNS for now -> iterate to what we
have as needed -> expand to what we don't have as needed.


On Wed, Mar 1, 2017 at 8:46 AM, Nick Allen <> wrote:

> Will the dashboard be focused on all Bro inputs or just one, like DNS?
> On Wed, Mar 1, 2017 at 8:21 AM, Justin Leet <> wrote:
> > Similar to the YAF dashboard from
> > https://issues.apache.org/jira/browse/METRON-676, it would be nice to have a
> > similar Zeppelin dashboard for Bro.
> >
> > Couple topics we can include
> >
> >    - Number of total queries per hour
> >    - Geo-location frequency
> >    - Top sites requests vs non-top requests
> >
> > The Alexa requests tie in with
> > https://issues.apache.org/jira/browse/METRON-709, specifically the part about
> > modifying Bro configs to use the data.  There's been some discussion on where
> > that lives and how it's managed, so we won't be able to do much with it right
> > now.
> >
> > Is there anything else we'd consider essential in our first pass?  Or
> > anything we'd like to iterate on in the future? I'm not an expert in how
> > Bro data actually looks in practice, so I'd love to get some input on
> > features that would be nice to have.
> >
> > For these types of dashboards, there's also the question, using top
> > sites as an example, of "If this user doesn't have top sites data, is there
> > anything we can do in Zeppelin about hiding or not displaying that
> > paragraph?". I don't believe there's a built-in way to handle that (but
> > again, I could be wrong), so it might involve being a bit more verbose in
> > what we actually do in the paragraphs.
> >
> > Justin
> >
