[Bro] Bro-IDS and Logstash....a start

James Lay jlay at slave-tothe-box.net
Thu Oct 24 14:48:10 PDT 2013


And away we go!  Snag logstash 
(https://download.elasticsearch.org/logstash/logstash/logstash-1.2.1-flatjar.jar), 
make a dir and put it in there, create a file (logstash.conf) and add:

input {
        file {
                path => "/usr/local/bro/spool/bro/conn.log"
        }
}

filter {
        grok {
                # Bro 2.x conn.log is tab separated; Bro writes "-" for unset
                # values. USERNAME matches "-", WORD does not, so local_orig
                # uses USERNAME. The last field was a second "resp_bytes" and
                # overwrote the eleventh; it is Bro's resp_ip_bytes.
                match => [ "message", "%{BASE10NUM:unixtime}\t%{WORD:uid}\t%{IP:src_ip}\t%{BASE10NUM:src_port}\t%{IP:dst_ip}\t%{BASE10NUM:dst_port}\t%{WORD:proto}\t%{USERNAME:service}\t%{USERNAME:sec_dur}\t%{USERNAME:orig_bytes}\t%{USERNAME:resp_bytes}\t%{WORD:conn_state}\t%{USERNAME:local_orig}\t%{INT:missed_bytes}\t%{WORD:history}\t%{USERNAME:orig_packets}\t%{INT:orig_ip_bytes}\t%{INT:resp_packets}\t%{INT:resp_ip_bytes}\t%{DATA:tun_parent}" ]
        }
        geoip {
                source => "src_ip"
                target => "src_geoip"
                fields => [ "ip", "country_code2", "country_name", "latitude", "longitude" ]
                add_field => [ "coordinates", "%{[src_geoip][longitude]},%{[src_geoip][latitude]}" ]
                add_field => [ "srccountry", "%{[src_geoip][country_code2]}" ]
        }
        geoip {
                source => "dst_ip"
                target => "dst_geoip"
                fields => [ "ip", "country_code2", "country_name", "latitude", "longitude" ]
                add_field => [ "coordinates", "%{[dst_geoip][longitude]},%{[dst_geoip][latitude]}" ]
                add_field => [ "dstcountry", "%{[dst_geoip][country_code2]}" ]
        }
}

output {
        # embedded Elasticsearch node; fine for a single test box
        elasticsearch { embedded => true }
}

start with:
sudo java -jar logstash-1.2.2-flatjar.jar agent -f logstash.conf -- web

If you're local on the net, point your Firefox to yourmachine:9292; I needed 
to tunnel 9200, 9300, and 9301 to get it to work remotely.  That's all I've 
got currently... more to come, I hope.  Enjoy!

James
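Before feeding a grok pattern like the one above to Logstash, it is worth checking it offline against real conn.log lines, since a non-matching line silently becomes a _grokparsefailure event. The following is an added example, not from the post: a small Python stand-in for the grok filter that expands the pattern into a regex (the base patterns are simplified approximations of Logstash's, an assumption) and runs it over constructed conn.log lines, showing the header line failing, an unset "-" field parsing, and the lazy %{DATA} at the end capturing nothing.

```python
import re

# Simplified stand-ins for the Logstash grok base patterns the conn.log
# match uses (assumption: real IP and BASE10NUM patterns are stricter).
GROK_BASE = {
    "INT": r"[+-]?[0-9]+",
    "BASE10NUM": r"[+-]?(?:[0-9]+(?:\.[0-9]+)?|\.[0-9]+)",
    "WORD": r"\b\w+\b",               # does NOT match Bro's "-" (unset value)
    "USERNAME": r"[a-zA-Z0-9._-]+",   # does match "-"
    "IP": r"(?:[0-9]{1,3}(?:\.[0-9]{1,3}){3}|[0-9a-fA-F:]+)",
    "DATA": r".*?",                   # lazy: captures nothing at pattern end
}

def grok_to_regex(pattern):
    """Expand %{TYPE:field} into a Python regex with named capture groups."""
    def expand(m):
        body = GROK_BASE[m.group(1)]
        return f"(?P<{m.group(2)}>{body})" if m.group(2) else f"(?:{body})"
    return re.compile(re.sub(r"%\{(\w+)(?::(\w+))?\}", expand, pattern))

# The conn.log pattern from the post, with the duplicate resp_bytes renamed
# to resp_ip_bytes and local_orig switched to USERNAME so "-" is accepted.
CONN_GROK = (
    r"%{BASE10NUM:unixtime}\t%{WORD:uid}\t%{IP:src_ip}\t%{BASE10NUM:src_port}\t"
    r"%{IP:dst_ip}\t%{BASE10NUM:dst_port}\t%{WORD:proto}\t%{USERNAME:service}\t"
    r"%{USERNAME:sec_dur}\t%{USERNAME:orig_bytes}\t%{USERNAME:resp_bytes}\t"
    r"%{WORD:conn_state}\t%{USERNAME:local_orig}\t%{INT:missed_bytes}\t"
    r"%{WORD:history}\t%{USERNAME:orig_packets}\t%{INT:orig_ip_bytes}\t"
    r"%{INT:resp_packets}\t%{INT:resp_ip_bytes}\t%{DATA:tun_parent}"
)

def grok_match(pattern, line):
    """Mimic the grok filter: unanchored search; None means _grokparsefailure."""
    m = grok_to_regex(pattern).search(line)
    return m.groupdict() if m else None

# Constructed conn.log excerpt: a Bro "#fields" header line, then one record
# whose local_orig is unset ("-") the way Bro writes it by default.
SAMPLE_LINES = [
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto",
    "1382654001.123456\tC4Jq8x2bYwPk5\t10.0.0.5\t52134\t192.0.2.80\t80\ttcp"
    "\thttp\t0.217\t512\t1024\tSF\t-\t0\tShADadFf\t6\t832\t5\t1292\t(empty)",
]

def parse_sample():
    """Grok result per sample line: a field dict, or None on parse failure."""
    return [grok_match(CONN_GROK, line) for line in SAMPLE_LINES]
```

Header lines need a conditional or a drop in the filter, and tun_parent stays empty unless the pattern is anchored with $ or the last field uses %{GREEDYDATA}.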
