[Bro] Web GUI for Bro?

project722 project722 at gmail.com
Wed Jan 25 13:55:40 PST 2017


This ELK/Bro combo is turning out to be more of a learning curve than I had
hoped for. I can get the logs over to elasticsearch and into Kibana, but I
can only see them on the "Discovery" tab. I save the search to use with a
visualization, but it wants to do something by "count" and it's not breaking
down the connections in conn.log and graphing them like I had hoped for.
Here is my logstash conf file.

input {
  stdin { }
  file {
    path => "/opt/bro/logs/current/*.log"
    start_position => "beginning"
  }
}

filter {
  if [message] =~
/^(\d+\.\d{6}\s+\S+\s+(?:[\d\.]+|[\w:]+|-)\s+(?:\d+|-)\s+(?:[\d\.]+|[\w:]+|-)\s+(?:\d+|-)\s+\S+\s+\S+\s+\S+\s+\S+\s+[^:]+::\S+\s+[^:]+::\S+\s+\S+(?:\s\S+)*$)/
{
    grok{
      patterns_dir => "/opt/logstash/custom_patterns"
      match => {
        message => "%{291009}"
      }
      add_field => [ "rule_id", "291009" ]
      add_field => [ "Device Type", "IPSIDSDevice" ]
      add_field => [ "Object", "Process" ]
      add_field => [ "Action", "General" ]
      add_field => [ "Status", "Informational" ]
    }
  }

  #translate {
  #  field => "evt_dstip"
  #  destination => "malicious_IP"
  #   dictionary_path => '/opt/logstash/maliciousIPV4.yaml'
  #}
  #translate {
  #  field => "evt_srcip"
  #  destination => "malicious_IP"
  #  dictionary_path => '/opt/logstash/maliciousIPV4.yaml'
  #}
  #translate {
  #  field => "md5"
  #  destination => "maliciousMD5"
  #  dictionary_path => '/opt/logstash/maliciousMD5.yaml'
  #}
  #date {
  #  match => [ "start_time", "UNIX" ]
  #}


}

output {
  elasticsearch { hosts => ["localhost:9200"] }
  stdout { codec => rubydebug }
}
In Kibana under the Discover tab I can see my messages from conn.log. How
can I get this data properly graphed and broken down more like how the
connection summary emails are broken down?

January 25th 2017, 15:52:57.702
1485381116.563095 CN2Wu7l8JEjji3ht3 192.168.100.102 58128 192.168.100.103
161 udp snmp 0.010298 53 53 SF T T 0 Dd 1 81 1 81 (empty)
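One way to get conn.log into structured, typed records without hand-writing a regex per log type is to parse the log's own `#fields` and `#types` header lines, which is what makes numeric fields aggregatable once they reach Elasticsearch. The following is an added example for this thread, not code from the original post, from Logstash or from the Bro project. The sample log is constructed: the first record is the conn.log line quoted above, the other two records and the header are made up, and the per-(proto, service) summary is an assumed approximation of the breakdown in Bro's connection summary emails.

```python
"""Parse Bro TSV logs using their '#fields'/'#types' header, then summarise.

Added example for this mailing-list thread; not code from the original post,
from Logstash or from the Bro project.
"""

# Constructed sample: a Bro 2.4-style conn.log header plus three records.
# The first record is the one quoted in the thread; the other two are made up
# (198.51.100.7 is a documentation address, not a real host).
SAMPLE_CONN_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tlocal_resp\tmissed_bytes\thistory\torig_pkts\torig_ip_bytes\tresp_pkts\tresp_ip_bytes\ttunnel_parents
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring\tbool\tbool\tcount\tstring\tcount\tcount\tcount\tcount\tset[string]
1485381116.563095\tCN2Wu7l8JEjji3ht3\t192.168.100.102\t58128\t192.168.100.103\t161\tudp\tsnmp\t0.010298\t53\t53\tSF\tT\tT\t0\tDd\t1\t81\t1\t81\t(empty)
1485381120.000000\tCabc123\t192.168.100.102\t44210\t198.51.100.7\t443\ttcp\tssl\t1.250000\t1200\t5400\tSF\tT\tF\t0\tShADadFf\t10\t1720\t8\t5816\t(empty)
1485381125.000000\tCdef456\t192.168.100.105\t51000\t192.168.100.1\t53\tudp\tdns\t-\t-\t-\tS0\tT\tT\t0\tD\t1\t60\t0\t0\t(empty)
#close\t2017-01-25-16-00-00
"""


def convert(raw, typ, set_sep, empty, unset):
    """Turn one raw column into a Python value according to its Bro type."""
    if raw == unset:                      # '-' means the field was never set
        return None
    if typ.startswith(("set[", "vector[")):
        if raw == empty:                  # '(empty)' means an empty container
            return []
        inner = typ[typ.index("[") + 1:-1]
        return [convert(v, inner, set_sep, empty, unset) for v in raw.split(set_sep)]
    if typ in ("count", "int", "port"):
        return int(raw)
    if typ in ("time", "interval", "double"):
        return float(raw)
    if typ == "bool":
        return raw == "T"
    return raw                            # string, addr, enum, subnet: keep text


def parse_bro_log(text, flatten_dots=False):
    """Parse a whole Bro log into a list of dicts keyed by the '#fields' names.

    flatten_dots=True renames 'id.orig_h' to 'id_orig_h', which is handy when
    the consumer would otherwise treat a dotted name as a nested object path.
    """
    sep, set_sep, empty, unset = "\t", ",", "(empty)", "-"
    fields, types, records = [], [], []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # Bro writes the separator as an escape, e.g. '\x09' for a tab.
                sep = line.split(" ", 1)[1].encode("ascii").decode("unicode_escape")
                continue
            key, _, value = line[1:].partition(sep)
            if key == "set_separator":
                set_sep = value
            elif key == "empty_field":
                empty = value
            elif key == "unset_field":
                unset = value
            elif key == "fields":
                fields = value.split(sep)
            elif key == "types":
                types = value.split(sep)
            continue                      # #path, #open, #close: ignore
        parts = line.split(sep)
        if len(parts) != len(fields):
            raise ValueError("column count %d != %d fields" % (len(parts), len(fields)))
        record = {}
        for name, typ, raw in zip(fields, types, parts):
            if flatten_dots:
                name = name.replace(".", "_")
            record[name] = convert(raw, typ, set_sep, empty, unset)
        records.append(record)
    return records


def summarize(records):
    """Break connections down by (proto, service): count and bytes each way.

    Assumption: this is roughly the kind of breakdown the connection summary
    emails give; unset byte counts are treated as zero.
    """
    by_service = {}
    for r in records:
        key = (r["proto"], r["service"] or "unknown")
        s = by_service.setdefault(key, {"conns": 0, "orig_bytes": 0, "resp_bytes": 0})
        s["conns"] += 1
        s["orig_bytes"] += r["orig_bytes"] or 0
        s["resp_bytes"] += r["resp_bytes"] or 0
    return by_service


if __name__ == "__main__":
    for (proto, service), s in sorted(summarize(parse_bro_log(SAMPLE_CONN_LOG)).items()):
        print("%-4s %-8s conns=%d orig_bytes=%d resp_bytes=%d"
              % (proto, service, s["conns"], s["orig_bytes"], s["resp_bytes"]))
```

Because the header drives the parsing, the same function handles dns.log, http.log or any other Bro log, and the typed output (ints, floats, booleans, lists) is what a Kibana visualization needs to sum or average rather than just count. The `-` and `(empty)` markers are handled explicitly; a regex that only matches the "happy" column layout silently drops records like the third one above, where duration and byte counts are unset.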

On Wed, Jan 25, 2017 at 3:27 PM, Daniel Guerra <daniel.guerra69 at gmail.com>
wrote:

> Hi,
>
> Check my docker project.
>
> https://hub.docker.com/r/danielguerra/bro-debian-elasticsearch/
>
> The quick way :
>
> export DOCKERHOST="<ip>:8080"
> wget https://raw.githubusercontent.com/danielguerra69/bro-debian-
> elasticsearch/master/docker-compose.yml
> docker-compose pull
> docker-compose up
>
> You can send pcap data with pcap to port 1969 “nc dockerip 1969 <
> mypcapfile”
>
> After this open your browser to dockerip:5601 for kibana, it's
> preconfigured with some
> queries and desktops.
>
>
> On 25 Jan 2017, at 14:48, project722 <project722 at gmail.com> wrote:
>
> Thanks All. I am looking into ELK.
>
> On Tue, Jan 24, 2017 at 2:44 AM, Kevin Ross <kevross33 at googlemail.com>
> wrote:
>
>> As said before ELK is your best bet. Here is a link that may interest
>> you. The learning curve may be steep but it is worth it in the end
>> (assuming you are putting this together yourself and not an all-in-one
>> solution that provides it for you) when you can query logs as easily as a
>> google search and visualise.
>>
>> https://www.elastic.co/blog/bro-ids-elastic-stack
>>
>> Also you could use security onion and it uses ELSA to present these logs
>> although my preference these days because of its easier ability I find to
>> add in new data sources would be ELK (i.e once you understand logstash and
>> parsing logs you can easily parse any log you have to correlate Bro, IDS,
>> network and even host logs).
>>
>> https://github.com/mcholste/elsa
>> http://blog.bro.org/2012/01/monster-logs.html
>>
>> On 21 January 2017 at 11:54, project722 <project722 at gmail.com> wrote:
>>
>>> Got Bro 2.4.1 working on a RHEL 6 system. Can anyone provide suggestions
>>> on what I should use as a web GUI for bro? What are the best options out
>>> there? NOTE - my version of Bro was compiled from source.
>>>
>>> _______________________________________________
>>> Bro mailing list
>>> bro at bro-ids.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>> <http://mailman.icsi.berkeley.edu/mailman/listinfo/bro>
>>>
>>
>>