[Bro] Web GUI for Bro?

James Lay jlay at slave-tothe-box.net
Thu Jan 26 05:37:33 PST 2017


Oh yeah, that's a lot easier... thanks for that, Craig!
James
On Thu, 2017-01-26 at 07:40 -0500, Craig Pluchinsky wrote:
> I started to use the csv filter instead of grok.  Just change the delimiter to a literal tab.  Also make sure to not use "." in the column names.  I just copied the bro field names.
> 
>    if [type] == "bro_conn" {
>      csv {
>        # column names copied from the conn.log #fields header (no "." in them)
>        columns => [ "ts","uid","orig_h","orig_p","resp_h","resp_p","proto","service","duration","orig_bytes","resp_bytes","conn_state","local_orig","local_resp","missed_bytes","history","orig_pkts","orig_ip_bytes","resp_pkts","resp_ip_bytes","tunnel_parents","peer_descr","orig_cc","resp_cc" ]
>        # the separator is one literal tab character, not spaces
>        separator => "	"
>      }
>    }
> 
> 
> 
> -------------------------------
> Craig Pluchinsky
> IT Services
> Indiana University of Pennsylvania
> 724-357-3327
> 
> 
> On Wed, 25 Jan 2017, James Lay wrote:
> 
> > On 2017-01-25 14:55, project722 wrote:
> >> This ELK/Bro combo is turning out to be more of a learning curve than I had hoped for. I can get the logs over to elasticsearch and into Kibana, but I can only see them on the "Discovery" tab. I save the search to use with a visualization, but it wants to do something by "count" and it's not breaking down the connections in conn.log and graphing them like I had hoped for. Here is my logstash conf file.
> >> 
> >> input {
> >>   stdin { }
> >>   file {
> >>     path => "/opt/bro/logs/current/*.log"
> >>     start_position => "beginning"
> >>   }
> >> }
> >> 
> >> filter {
> >>   if [message] =~ /^(\d+\.\d{6}\s+\S+\s+(?:[\d\.]+|[\w:]+|-)\s+(?:\d+|-)\s+(?:[\d\.]+|[\w:]+|-)\s+(?:\d+|-)\s+\S+\s+\S+\s+\S+\s+\S+\s+[^:]+::\S+\s+[^:]+::\S+\s+\S+(?:\s\S+)*$)/ {
> >>     grok{
> >>       patterns_dir => "/opt/logstash/custom_patterns"
> >>       match => {
> >>         message => "%{291009}"
> >>       }
> >>       add_field => [ "rule_id", "291009" ]
> >>       add_field => [ "Device Type", "IPSIDSDevice" ]
> >>       add_field => [ "Object", "Process" ]
> >>       add_field => [ "Action", "General" ]
> >>       add_field => [ "Status", "Informational" ]
> >>     }
> >>   }
> >>
> >>   #translate {
> >>   #  field => "evt_dstip"
> >>   #  destination => "malicious_IP"
> >>   #   dictionary_path => '/opt/logstash/maliciousIPV4.yaml'
> >>   #}
> >>   #translate {
> >>   #  field => "evt_srcip"
> >>   #  destination => "malicious_IP"
> >>   #  dictionary_path => '/opt/logstash/maliciousIPV4.yaml'
> >>   #}
> >>   #translate {
> >>   #  field => "md5"
> >>   #  destination => "maliciousMD5"
> >>   #  dictionary_path => '/opt/logstash/maliciousMD5.yaml'
> >>   #}
> >>   #date {
> >>   #  match => [ "start_time", "UNIX" ]
> >>   #}
> >> 
> >> }
> >> 
> >> output {
> >>   elasticsearch { hosts => ["localhost:9200"] }
> >>   stdout { codec => rubydebug }
> >> }
> >> 
> >> In Kibana under the Discover tab I can see my messages from conn.log. How can I get this data properly graphed and broken down more like how the connection summary emails are broken down?
> >>
> >> January 25th 2017, 15:52:57.702
> >> 
> >> 1485381116.563095 CN2Wu7l8JEjji3ht3 192.168.100.102 58128 192.168.100.103 161 udp snmp 0.010298 53 53 SF T T 0 Dd 1 81 1 81 (empty)
> >> 
> >> On Wed, Jan 25, 2017 at 3:27 PM, Daniel Guerra
> >> <daniel.guerra69 at gmail.com> wrote:
> >> 
> >>> Hi,
> >>> 
> >>> Check my docker project.
> >>> 
> >>> https://hub.docker.com/r/danielguerra/bro-debian-elasticsearch/
> >>> 
> >>> The quick way :
> >>> 
> >>> export DOCKERHOST="<ip>:8080"
> >>> wget https://raw.githubusercontent.com/danielguerra69/bro-debian-elasticsearch/master/docker-compose.yml
> >>> docker-compose pull
> >>> docker-compose up
> >>> 
> >>> You can send pcap data with pcap to port 1969 “nc dockerip 1969 < mypcapfile”
> >>> 
> >>> After this open your browser to dockerip:5601 for kibana, it's preconfigured with some queries and desktops.
> >>> 
> >>> On 25 Jan 2017, at 14:48, project722 <project722 at gmail.com>
> wrote:
> >>> 
> >>> Thanks All. I am looking into ELK.
> >>> 
> >>> On Tue, Jan 24, 2017 at 2:44 AM, Kevin Ross
> >>> <kevross33 at googlemail.com> wrote:
> >>> 
> >>> As said before ELK is your best bet. Here is a link that may interest you. The learning curve may be steep but it is worth it in the end (assuming you are putting this together yourself and not an all-in-one solution that provides it for you) when you can query logs as easily as a google search and visualise.
> >>> 
> >>> https://www.elastic.co/blog/bro-ids-elastic-stack
> >>> 
> >>> Also you could use Security Onion and it uses ELSA to present these logs although my preference these days because of its easier ability I find to add in new data sources would be ELK (i.e. once you understand logstash and parsing logs you can easily parse any log you have to correlate Bro, IDS, network and even host logs).
> >>> 
> >>> https://github.com/mcholste/elsa
> >>> http://blog.bro.org/2012/01/monster-logs.html
> >>> 
> >>> On 21 January 2017 at 11:54, project722 <project722 at gmail.com>
> >>> wrote:
> >>> 
> >>> Got Bro 2.4.1 working on a RHEL 6 system. Can anyone provide suggestions on what I should use as a web GUI for bro? What are the best options out there? NOTE - my version of Bro was compiled from source.
> >>> 
> >
> > Mod this to your liking and see how it goes:
> >
> > #####
> > input {
> >     file {
> >         type => "connlog"
> >         path => "/usr/local/bro/spool/bro/conn.log"
> >         sincedb_path => "/var/lib/logstash/.sincedbconn"
> >     }
> >
> >     file {
> >         type => "ssllog"
> >         path => "/usr/local/bro/spool/bro/ssl.log"
> >         sincedb_path => "/var/lib/logstash/.sincedbssl"
> >     }
> > }
> >
> > filter {
> >     #bro conn.log
> >     if [type] == "connlog" {
> >         # drop the #separator/#fields/#types header block
> >         if [message] =~ "^#" {
> >             drop { }
> >         } else {
> >             grok {
> >                 # one named capture per conn.log column, in the order Bro 2.4 writes them;
> >                 # the names match the geoip and mutate blocks below
> >                 match => [ "message", "(?<ts>(.*?))\t(?<uid>(.*?))\t(?<src_ip>(.*?))\t(?<src_port>(.*?))\t(?<dst_ip>(.*?))\t(?<dst_port>(.*?))\t(?<proto>(.*?))\t(?<service>(.*?))\t(?<duration>(.*?))\t(?<orig_bytes>(.*?))\t(?<resp_bytes>(.*?))\t(?<conn_state>(.*?))\t(?<local_orig>(.*?))\t(?<local_resp>(.*?))\t(?<missed_bytes>(.*?))\t(?<history>(.*?))\t(?<orig_pkts>(.*?))\t(?<orig_ip_bytes>(.*?))\t(?<resp_pkts>(.*?))\t(?<resp_ip_bytes>(.*?))\t(?<tunnel_parents>(.*))" ]
> >             }
> >         }
> >     }
> >
> >     #bro ssl.log
> >     if [type] == "ssllog" {
> >         if [message] =~ "^#" {
> >             drop { }
> >         } else {
> >             grok {
> >                 # the last column uses GREEDYDATA: a trailing DATA is non-greedy and matches nothing
> >                 match => [ "message", "(?<ts>(.*?))\t%{DATA:uid}\t%{DATA:src_ip}\t%{DATA:src_port}\t%{DATA:dst_ip}\t%{DATA:dst_port}\t%{DATA:version}\t%{DATA:cipher}\t%{DATA:curve}\t%{DATA:hostname}\t%{DATA:resumed}\t%{DATA:last_alert}\t%{DATA:next_protocol}\t%{DATA:established}\t%{DATA:cert_chain_fuids}\t%{DATA:client_cert_chain_fuids}\t%{DATA:subject}\t%{DATA:issuer}\t%{DATA:client_subject}\t%{DATA:client_issuer}\t%{DATA:validation_status}\t%{DATA:notary.first_seen}\t%{DATA:notary.last_seen}\t%{DATA:notary.times_seen}\t%{GREEDYDATA:notary.valid}" ]
> >             }
> >         }
> >     }
> >
> >     #geoip source
> >     geoip {
> >         source => "src_ip"
> >         target => "src_geoip"
> >     }
> >
> >     #geoip destination
> >     geoip {
> >         source => "dst_ip"
> >         target => "dst_geoip"
> >     }
> >
> >     mutate {
> >         convert => [ "resp_bytes", "integer" ]
> >         convert => [ "resp_ip_bytes", "integer" ]
> >         convert => [ "orig_bytes", "integer" ]
> >         convert => [ "orig_ip_bytes", "integer" ]
> >         convert => [ "src_port", "integer" ]
> >         convert => [ "dst_port", "integer" ]
> >         # nested fields are referenced as [parent][child]; "parent.child" names a flat field
> >         gsub => [
> >             "[src_geoip][country_name]", "[ ]", "_",
> >             "[dst_geoip][country_name]", "[ ]", "_",
> >             "proto", "tcp", "TCP",
> >             "proto", "udp", "UDP",
> >             "proto", "icmp", "ICMP"
> >         ]
> >     }
> > }
> >
> > output {
> >     #uncomment below for testing
> >     #stdout { codec => rubydebug }
> >     elasticsearch { }
> > }
> > ####
> >
> > James
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
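Added example, not code posted by anyone in this thread. Both Logstash approaches above hard-code the conn.log column list, and the two lists in the thread already disagree (21 captures in James's grok pattern, 24 columns in Craig's csv filter once the geo fields are present), so any change to the log schema silently shifts every field. The parser below reads the #separator/#fields/#types header block that Bro writes at the top of each log instead, types every cell by its declared Bro type, maps the unset ("-") and empty ("(empty)") markers, rewrites dotted names such as id.orig_h to id_orig_h (the "no dots" point Craig makes), and emits JSON lines with an @timestamp for Elasticsearch. The first sample record is the conn.log line quoted in the thread; the second record, its uid and the 203.0.113.7 address are constructed, and the field-count and address checks are this example's own additions.

```python
"""Parse a Bro 2.4 TSV log into typed records by reading its own #fields/#types
header block, so no column list has to be hard-coded in a grok or csv filter.
Added example; not code posted by anyone in this thread."""
import ipaddress
import json

# Constructed sample conn.log.  Record 1 is the line quoted in the thread;
# record 2 is made up to carry unset ("-") values.  Every header line is
# tab-separated except "#separator", whose value follows a single space.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n#set_separator\t,\n#empty_field\t(empty)\n#unset_field\t-\n#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration"
    "\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tlocal_resp\tmissed_bytes\thistory"
    "\torig_pkts\torig_ip_bytes\tresp_pkts\tresp_ip_bytes\ttunnel_parents\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount"
    "\tstring\tbool\tbool\tcount\tstring\tcount\tcount\tcount\tcount\tset[string]\n"
    "1485381116.563095\tCN2Wu7l8JEjji3ht3\t192.168.100.102\t58128\t192.168.100.103\t161"
    "\tudp\tsnmp\t0.010298\t53\t53\tSF\tT\tT\t0\tDd\t1\t81\t1\t81\t(empty)\n"
    "1485381120.000000\tCkExAmPlE000000001\t10.0.0.5\t40000\t203.0.113.7\t443\ttcp"
    "\t-\t-\t-\t-\tS0\tT\tF\t0\tS\t1\t60\t0\t0\t(empty)\n"
    "#close\t2017-01-25-16-00-00\n"
)


def convert(value, btype, unset="-", empty="(empty)", set_sep=","):
    """Turn one cell into a Python value according to its Bro type name."""
    if value == unset:
        return None
    if btype.startswith(("set[", "vector[")):
        if value == empty:
            return []
        inner = btype[btype.index("[") + 1:-1]
        return [convert(v, inner, unset, empty, set_sep) for v in value.split(set_sep)]
    if btype in ("count", "int", "port"):
        return int(value)
    if btype in ("time", "interval", "double"):
        return float(value)
    if btype == "bool":
        return value == "T"
    if btype == "addr":
        # Validates the cell is an address, so a shifted column fails loudly
        # here instead of landing in Elasticsearch as garbage.
        return str(ipaddress.ip_address(value))
    return value  # string, enum, subnet and anything unknown stay as text


def parse_bro_log(text, errors=None):
    """Yield one dict per record, keyed by the #fields names with dots replaced
    by underscores (Logstash/Elasticsearch read "a.b" as a nested object).
    Malformed records raise ValueError, or go to `errors` as (line, reason)."""
    sep, set_sep, empty, unset = "\t", ",", "(empty)", "-"
    fields = types = None
    for raw in text.splitlines():
        if not raw:
            continue
        if raw.startswith("#separator "):
            # Written with backslash escapes, e.g. \x09 for a tab.
            sep = raw[len("#separator "):].encode("ascii").decode("unicode_escape")
            continue
        if raw.startswith("#"):
            key, _, rest = raw[1:].partition(sep)
            if key == "set_separator":
                set_sep = rest
            elif key == "empty_field":
                empty = rest
            elif key == "unset_field":
                unset = rest
            elif key == "fields":
                fields = [f.replace(".", "_") for f in rest.split(sep)]
            elif key == "types":
                types = rest.split(sep)
            continue  # #path, #open and #close carry nothing needed per record
        try:
            if fields is None or types is None:
                raise ValueError("record before #fields/#types header")
            cols = raw.split(sep)
            if len(cols) != len(fields):
                raise ValueError(f"expected {len(fields)} columns, got {len(cols)}")
            yield {n: convert(v, t, unset, empty, set_sep)
                   for n, t, v in zip(fields, types, cols)}
        except ValueError as exc:
            if errors is None:
                raise
            errors.append((raw, str(exc)))


def to_es_docs(text):
    """Render records as JSON lines with an @timestamp in epoch milliseconds
    (what Kibana's time picker keys on); unset fields are omitted, not null."""
    docs = []
    for rec in parse_bro_log(text):
        doc = {k: v for k, v in rec.items() if v is not None}
        doc["@timestamp"] = int(round(rec["ts"] * 1000))
        docs.append(json.dumps(doc, sort_keys=True))
    return docs


if __name__ == "__main__":
    for line in to_es_docs(SAMPLE_CONN_LOG):
        print(line)
```

Run it directly and it prints two JSON documents ready for the Elasticsearch bulk API or for Logstash's json codec. Because the column names come from the log itself, the same function handles conn.log with or without the orig_cc/resp_cc geo columns, and ssl.log or any other Bro log, without a per-log pattern; a record with the wrong column count, or an addr column that no longer parses as an address, is reported instead of being indexed with every field shifted by one.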
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170126/9d1e675c/attachment-0001.html 


More information about the Bro mailing list