I am working on building a Splunk Bro IDS app that populates the fields needed to build use cases around the current deployment. In the process of building it, I put together a script that generates the field extractions; we will call it bro_extractor.sh. This bash script is meant to be run in /var/log/bro/current, or wherever your current Bro logs are stored. Example of output:
This file provides regex field extractions for Bro ssl.log, with the JA3 fields (ja3 and ja3s) included.
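As an added example (not the post's bro_extractor.sh, which is not reproduced here), the following POSIX shell script shows the core of such an extractor: it reads the `#fields` header that Bro writes at the top of every tab-separated log and emits a Splunk props.conf `EXTRACT-` regex with one named capture group per column. It assumes Bro's default ASCII log format and a JA3-enabled ssl.log whose extra columns are named `ja3` and `ja3s`; the sample log it writes is constructed for the example. Field names containing a dot (`id.orig_h`) are rewritten with underscores, since PCRE group names may not contain dots, and the regex begins with `(?!#)` so the `#`-prefixed header and footer lines are never mis-extracted as events.

```shell
#!/bin/sh
# Added example, not the post's bro_extractor.sh: build a Splunk props.conf
# regex extraction for a Bro log from its '#fields' header line.
# Assumptions: Bro's default tab-separated ASCII logs; a JA3-enabled ssl.log
# whose extra columns are named "ja3" and "ja3s".

# bro_fields_regex LOGFILE -> prints one PCRE with a named group per field
bro_fields_regex() {
    awk -F '\t' '
    /^#fields/ {
        # header looks like: #fields<TAB>ts<TAB>uid<TAB>id.orig_h ...
        regex = "^(?!#)"            # never match the # header/footer lines
        for (i = 2; i <= NF; i++) {
            name = $i
            gsub(/\./, "_", name)   # id.orig_h -> id_orig_h: no "." in group names
            if (i > 2) regex = regex "\\t"
            regex = regex "(?<" name ">[^\\t]*)"
        }
        print regex "$"
        exit
    }' "$1"
}

# bro_props_stanza SOURCETYPE LOGFILE -> a props.conf stanza for that sourcetype
bro_props_stanza() {
    printf '[%s]\nEXTRACT-bro_fields = %s\n' "$1" "$(bro_fields_regex "$2")"
}

# Constructed sample (not real traffic): a trimmed JA3-enabled ssl.log header
# and one record, written to the path given as $1.
write_sample_ssl_log() {
    printf '#separator \\x09\n' > "$1"
    printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tversion\tcipher\tserver_name\tja3\tja3s\n' >> "$1"
    printf '1496764800.000000\tCxYz12abc\t10.0.0.5\t51234\t93.184.216.34\t443\tTLSv12\tTLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\texample.com\te7d705a3286e19ea42f587b344ee6865\t4192c0ec5fc4e7b0a5d4d2b6a7f9c3d1\n' >> "$1"
}

# Usage: sh bro_extractor_example.sh /var/log/bro/current/ssl.log bro_ssl
if [ -n "$1" ]; then
    bro_props_stanza "${2:-bro_ssl}" "$1"
fi
```

Run it against each log in the current directory (conn.log, dns.log, ssl.log, ...) with a sourcetype per log to build the whole props.conf; the `[^\t]*` group bodies deliberately accept Bro's `-` unset marker and `(empty)` placeholder so those records still extract, and you can drop the `#` header lines at index time with a nullQueue transform if you do not want them stored.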