[Bro] Bro-IDS and Logstash....a start

Jeff Geiger jeff.geiger at gmail.com
Fri Oct 25 13:23:01 PDT 2013


James, check this out for a quick way to get grok filters and a stub
config for logstash: http://brostash.herokuapp.com/


On Thu, Oct 24, 2013 at 4:48 PM, James Lay <jlay at slave-tothe-box.net> wrote:

> And away we go!  Snag logstash
> (https://download.elasticsearch.org/logstash/logstash/logstash-1.2.1-flatjar.jar),
> make a dir and put it in there, create a file (logstash.conf) and add:
>
> input {
>          file {
>                  path => "/usr/local/bro/spool/bro/conn.log"
>          }
> }
>
> filter {
>          grok {
>                  match => [ "message",
>
> "%{BASE10NUM:unixtime}\t%{WORD:uid}\t%{IP:src_ip}\t%{BASE10NUM:src_port}\t%{IP:dst_ip}\t%{BASE10NUM:dst_port}\t%{WORD:proto}\t%{USERNAME:service}\t%{USERNAME:sec_dur}\t%{USERNAME:orig_bytes}\t%{USERNAME:resp_bytes}\t%{WORD:conn_state}\t%{NOTSPACE:local_orig}\t%{INT:missed_bytes}\t%{NOTSPACE:history}\t%{USERNAME:orig_packets}\t%{INT:orig_ip_bytes}\t%{INT:resp_packets}\t%{INT:resp_ip_bytes}\t%{DATA:tun_parent}"
> ]
>          }
>          geoip {
>                  source => "src_ip"
>                  target => "src_geoip"
>                  fields => [ "ip", "country_code2", "country_name",
> "latitude", "longitude" ]
>                  add_field => [ "coordinates",
> "%{[src_geoip][longitude]},%{[src_geoip][latitude]}" ]
>                  add_field => [ "srccountry",
> "%{[src_geoip][country_code2]}"]
>          }
>          geoip {
>                  source => "dst_ip"
>                  target => "dst_geoip"
>                  fields => [ "ip", "country_code2", "country_name",
> "latitude", "longitude" ]
>                  add_field => [ "coordinates",
> "%{[dst_geoip][longitude]},%{[dst_geoip][latitude]}" ]
>                  add_field => [ "dstcountry",
> "%{[dst_geoip][country_code2]}"]
>          }
>
> }
> output {
>          elasticsearch { embedded => true }
> }
>
> start with:
> sudo java -jar logstash-1.2.2-flatjar.jar agent -f logstash.conf -- web
>
> If you're local on the net, point your Firefox to yourmachine:9292; I needed
> to tunnel 9200, 9300, and 9301 to get it to work remotely.  That's all I've
> got currently... more to come, I hope.  Enjoy!
>
> James
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
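An added example, not part of either message in this thread: the quoted logstash config parses conn.log positionally with one long grok pattern, so a reordered or added column, or a field Bro leaves unset as "-", breaks ingestion without any error in the index. Bro's ASCII logs carry their own schema in the "#fields" and "#types" header lines, and the parser below reads that schema instead, then renames the columns to the field names the grok pattern used so the resulting documents look the same in Kibana. The conn.log excerpt is constructed (RFC 5737 addresses, made-up UIDs), the function names are this example's own, and the Bro column names and types are those of the Bro 2.x conn.log.

```python
# Added example: header-driven parser for Bro 2.x ASCII logs such as conn.log.
# It takes column names and types from the "#fields" / "#types" header lines
# rather than assuming positions, and honours the "#unset_field" ("-") and
# "#empty_field" ("(empty)") markers that a WORD/INT grok token rejects.
from typing import Any, Dict, List

# Constructed conn.log excerpt in Bro 2.x layout (two records, not real traffic).
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#open\t2013-10-24-16-48-00\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tmissed_bytes"
    "\thistory\torig_pkts\torig_ip_bytes\tresp_pkts\tresp_ip_bytes\ttunnel_parents\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount"
    "\tcount\tstring\tbool\tcount\tstring\tcount\tcount\tcount\tcount\ttable[string]\n"
    "1382658480.123456\tCXWv6p3arKYeMETxOg\t192.0.2.10\t51234\t198.51.100.7\t80"
    "\ttcp\thttp\t0.234\t512\t1024\tSF\t-\t0\tShADadfF\t6\t832\t5\t1292\t(empty)\n"
    "1382658481.000000\tC4J4Th3PJpwUYZZ6gc\t192.0.2.11\t53211\t203.0.113.53\t53"
    "\tudp\tdns\t-\t-\t-\tS0\t-\t0\tD\t1\t70\t0\t0\t(empty)\n"
    "#close\t2013-10-24-17-00-00\n"
)

# Defaults Bro uses when a header line does not override them.
_HEADER_DEFAULTS = {
    "separator": "\t",
    "set_separator": ",",
    "empty_field": "(empty)",
    "unset_field": "-",
}

# Names used in the grok pattern quoted in the thread, keyed by Bro's own
# column names; columns not listed keep their Bro name.
GROK_NAMES = {
    "ts": "unixtime", "id.orig_h": "src_ip", "id.orig_p": "src_port",
    "id.resp_h": "dst_ip", "id.resp_p": "dst_port", "duration": "sec_dur",
    "orig_pkts": "orig_packets", "resp_pkts": "resp_packets",
    "tunnel_parents": "tun_parent",
}


def _cast(value: str, btype: str, meta: Dict[str, str]) -> Any:
    """Convert one column according to its Bro type, honouring unset/empty markers."""
    if value == meta["unset_field"]:
        return None
    is_collection = btype.startswith(("set[", "table[", "vector["))
    if value == meta["empty_field"]:
        return [] if is_collection else ""
    if is_collection:
        return value.split(meta["set_separator"])
    if btype in ("time", "interval", "double"):
        return float(value)
    if btype in ("count", "int", "port"):
        return int(value)
    if btype == "bool":
        return value == "T"
    return value  # string, addr, enum, subnet: kept verbatim


def parse_bro_log(text: str) -> List[Dict[str, Any]]:
    """Parse a Bro ASCII log into a list of typed records keyed by column name."""
    meta = dict(_HEADER_DEFAULTS)
    fields: List[str] = []
    types: List[str] = []
    records: List[Dict[str, Any]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # The separator is written as an escape sequence, e.g. "\x09" for tab.
                raw = line[len("#separator "):]
                meta["separator"] = raw.encode("ascii").decode("unicode_escape")
                continue
            key, _, value = line[1:].partition(meta["separator"])
            if key == "fields":
                fields = value.split(meta["separator"])
            elif key == "types":
                types = value.split(meta["separator"])
            elif key in meta:
                meta[key] = value
            continue  # #path, #open, #close carry no per-record data
        if not fields:
            raise ValueError("record seen before #fields header")
        values = line.split(meta["separator"])
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        col_types = types or ["string"] * len(fields)
        records.append({name: _cast(val, btype, meta)
                        for name, btype, val in zip(fields, col_types, values)})
    return records


def to_grok_names(record: Dict[str, Any]) -> Dict[str, Any]:
    """Rename Bro columns to the field names the thread's grok pattern produces."""
    return {GROK_NAMES.get(name, name): val for name, val in record.items()}


if __name__ == "__main__":
    for rec in parse_bro_log(SAMPLE_CONN_LOG):
        print(to_grok_names(rec))
```

Because the schema comes from the file itself, the same function handles any Bro ASCII log (dns.log, http.log, notice.log) without a per-log pattern, and a column-count mismatch raises instead of producing a half-parsed document.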

