[Bro] Web GUI for Bro?
James Lay
jlay at slave-tothe-box.net
Wed Jan 25 14:02:50 PST 2017
On 2017-01-25 14:55, project722 wrote:
> This ELK/Bro combo is turning out to be more of a learning curve than
> I had hoped for. I can get the logs over to elasticsearch and into
> Kibana, but I can only see them on the "Discovery" tab. I save the
> search to use with a visualization, but it wants to do something by
> "count" and it's not breaking down the connections in conn.log and
> graphing them like I had hoped for. Here is my logstash conf file.
>
> input {
> stdin { }
> file {
> path => "/opt/bro/logs/current/*.log"
> start_position => "beginning"
> }
> }
>
> filter {
> if [message] =~
> /^(\d+\.\d{6}\s+\S+\s+(?:[\d\.]+|[\w:]+|-)\s+(?:\d+|-)\s+(?:[\d\.]+|[\w:]+|-)\s+(?:\d+|-)\s+\S+\s+\S+\s+\S+\s+\S+\s+[^:]+::\S+\s+[^:]+::\S+\s+\S+(?:\s\S+)*$)/
> {
> grok{
> patterns_dir => "/opt/logstash/custom_patterns"
> match => {
> message => "%{291009}"
> }
> add_field => [ "rule_id", "291009" ]
> add_field => [ "Device Type", "IPSIDSDevice" ]
> add_field => [ "Object", "Process" ]
> add_field => [ "Action", "General" ]
> add_field => [ "Status", "Informational" ]
> }
> }
>
> #translate {
> # field => "evt_dstip"
> # destination => "malicious_IP"
> # dictionary_path => '/opt/logstash/maliciousIPV4.yaml'
> #}
> #translate {
> # field => "evt_srcip"
> # destination => "malicious_IP"
> # dictionary_path => '/opt/logstash/maliciousIPV4.yaml'
> #}
> #translate {
> # field => "md5"
> # destination => "maliciousMD5"
> # dictionary_path => '/opt/logstash/maliciousMD5.yaml'
> #}
> #date {
> # match => [ "start_time", "UNIX" ]
> #}
>
> }
>
> output {
> elasticsearch { hosts => ["localhost:9200"] }
> stdout { codec => rubydebug }
> }
>
> In Kibana under the Discover tab I can see my messages from conn.log.
> How can I get this data properly graphed and broken down more like how
> the connection summary emails are broken down?
>
> January 25th 2017, 15:52:57.702
>
> 1485381116.563095 CN2Wu7l8JEjji3ht3 192.168.100.102 58128
> 192.168.100.103 161 udp snmp 0.010298 53 53 SF T T 0 Dd 1 81 1 81
> (empty)
>
> On Wed, Jan 25, 2017 at 3:27 PM, Daniel Guerra
> <daniel.guerra69 at gmail.com> wrote:
>
>> Hi,
>>
>> Check my docker project.
>>
>> https://hub.docker.com/r/danielguerra/bro-debian-elasticsearch/ [1]
>>
>> The quick way :
>>
>> export DOCKERHOST="<ip>:8080"
>> wget https://raw.githubusercontent.com/danielguerra69/bro-debian-elasticsearch/master/docker-compose.yml [2]
>> docker-compose pull
>> docker-compose up
>>
>> You can send pcap data with pcap to port 1969 “nc dockerip 1969 <
>> mypcapfile”
>>
>> After this open your browser to dockerip:5601 for kibana, it's
>> preconfigured with some
>> queries and desktops.
>>
>> On 25 Jan 2017, at 14:48, project722 <project722 at gmail.com> wrote:
>>
>> Thanks All. I am looking into ELK.
>>
>> On Tue, Jan 24, 2017 at 2:44 AM, Kevin Ross
>> <kevross33 at googlemail.com> wrote:
>>
>> As said before ELK is your best bet. Here is a link that may
>> interest you. The learning curve may be steep but it is worth it in
>> the end (assuming you are putting this together yourself and not a
>> all in one solution that provides it for you) when you can query
>> logs as easily as a google search and visualise.
>>
>> https://www.elastic.co/blog/bro-ids-elastic-stack [3]
>>
>> Also you could use Security Onion and it uses ELSA to present these
>> logs although my preference these days because of its easier ability
>> I find to add in new data sources would be ELK (i.e. once you
>> understand logstash and parsing logs you can easily parse any log
>> you have to correlate Bro, IDS, network and even host logs).
>>
>> https://github.com/mcholste/elsa [4]
>> http://blog.bro.org/2012/01/monster-logs.html [5]
>>
>> On 21 January 2017 at 11:54, project722 <project722 at gmail.com>
>> wrote:
>>
>> Got Bro 2.4.1 working on a RHEL 6 system. Can anyone provide
>> suggestions on what I should use as a web GUI for bro? What are the
>> best options out there? NOTE - my version of Bro was compiled from
>> source.
>>
Mod this to your liking and see how it goes:
#####
input {
file {
type => "connlog"
path => "/usr/local/bro/spool/bro/conn.log"
sincedb_path => "/var/lib/logstash/.sincedbconn"
}
file {
type => "ssllog"
path => "/usr/local/bro/spool/bro/ssl.log"
sincedb_path => "/var/lib/logstash/.sincedbssl"
}
}
filter {
#bro conn.log
if [type] == "connlog" {
if [message] =~ "^#" {
drop { }
} else {
grok {
match => [ "message",
"(?<unixtime>(.*?))\t(?<uid>(.*?))\t(?<src_ip>(.*?))\t(?<src_port>(.*?))\t(?<dst_ip>(.*?))\t(?<dst_port>(.*?))\t(?<proto>(.*?))\t(?<service>(.*?))\t(?<duration>(.*?))\t(?<orig_bytes>(.*?))\t(?<resp_bytes>(.*?))\t(?<conn_state>(.*?))\t(?<local_orig>(.*?))\t(?<local_resp>(.*?))\t(?<missed_bytes>(.*?))\t(?<history>(.*?))\t(?<orig_packts>(.*?))\t(?<orig_ip_bytes>(.*?))\t(?<resp_packts>(.*?))\t(?<resp_ip_bytes>(.*?))\t(?<tun_parent>(.*)))"
]
}
}
}
#bro ssl.log
if [type] == "ssllog" {
if [message] =~ "^#" {
drop { }
} else {
grok {
match => [ "message",
"(?<unixtime>(.*?))\t%{DATA:uid}\t%{DATA:src_ip}\t%{DATA:src_port}\t%{DATA:dst_ip}\t%{DATA:dst_port}\t%{DATA:version}\t%{DATA:cipher}\t%{DATA:curve}\t%{DATA:hostname}\t%{DATA:resumed}\t%{DATA:last_alert}\t%{DATA:next_protocol}\t%{DATA:established}\t%{DATA:cert_chain_fuids}\t%{DATA:client_cert_chain_fuids}\t%{DATA:subject}\t%{DATA:issuer}\t%{DATA:client_subject}\t%{DATA:client_issuer}\t%{DATA:validation_status}\t%{DATA:notary.first_seen}\t%{DATA:notary.last_seen}\t%{DATA:notary.times_seen}\t%{DATA:notary.valid}"
]
}
}
}
#geoip source
geoip {
source => "src_ip"
target => "src_geoip"
}
#geoip destination
geoip {
source => "dst_ip"
target => "dst_geoip"
}
mutate {
convert => [ "resp_bytes", "integer" ]
convert => [ "resp_ip_bytes", "integer" ]
convert => [ "orig_bytes", "integer" ]
convert => [ "orig_ip_bytes", "integer" ]
convert => [ "src_port", "integer" ]
convert => [ "dst_port", "integer" ]
gsub => [
"src_geoip.country_name", "[ ]", "_",
"dst_geoip.country_name", "[ ]", "_",
"proto", "tcp", "TCP",
"proto", "udp", "UDP",
"proto", "icmp", "ICMP"
]
}
}
output {
#uncomment below for testing
#stdout { codec => rubydebug }
elasticsearch { }
}
####
James
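The grok pattern in the config above hard-codes the column order of conn.log, and the mutate/convert step meets "-" (Bro's unset marker) in orig_bytes/resp_bytes for any connection that never got a reply. The following Python is an added example, not code from this thread or from the Bro project: it reads the column names and types from the `#fields`/`#types` header that every Bro ASCII log carries, maps "-" to None and "(empty)" to an empty value before converting numbers, and then builds the per-service and per-conn_state breakdown that the connection summary e-mails give and that a Kibana visualization needs numeric fields for. The conn.log fragment it parses is constructed for the example (the first record mirrors the one quoted above; the other two are made up), and the field names are the ones Bro 2.4 writes for conn.log.

```python
"""Parse a Bro/Zeek ASCII conn.log using its own header and summarize it.

Added example; not from the mailing-list thread. The sample log below is
constructed: one record mirrors the snmp connection quoted in the thread,
the dns and tcp records are invented to exercise '-' and '(empty)' handling.
"""
from collections import defaultdict

CONN_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
               "proto", "service", "duration", "orig_bytes", "resp_bytes",
               "conn_state", "local_orig", "local_resp", "missed_bytes",
               "history", "orig_pkts", "orig_ip_bytes", "resp_pkts",
               "resp_ip_bytes", "tunnel_parents"]
CONN_TYPES = ["time", "string", "addr", "port", "addr", "port", "enum", "string",
              "interval", "count", "count", "string", "bool", "bool", "count",
              "string", "count", "count", "count", "count", "set[string]"]

# Constructed sample conn.log (tab-separated, as Bro's ASCII writer emits it).
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tconn",
    "#fields\t" + "\t".join(CONN_FIELDS),
    "#types\t" + "\t".join(CONN_TYPES),
    "\t".join(["1485381116.563095", "CN2Wu7l8JEjji3ht3", "192.168.100.102", "58128",
               "192.168.100.103", "161", "udp", "snmp", "0.010298", "53", "53",
               "SF", "T", "T", "0", "Dd", "1", "81", "1", "81", "(empty)"]),
    "\t".join(["1485381120.000000", "Cabc123", "192.168.100.102", "51000",
               "192.168.100.1", "53", "udp", "dns", "0.002000", "40", "120",
               "SF", "T", "T", "0", "Dd", "1", "68", "1", "148", "(empty)"]),
    # A SYN with no reply: service, duration and byte counts are unset ('-').
    "\t".join(["1485381130.000000", "Cdef456", "192.168.100.102", "51001",
               "10.0.0.5", "443", "tcp", "-", "-", "-", "-",
               "S0", "T", "F", "0", "S", "1", "60", "0", "0", "(empty)"]),
    "#close\t2017-01-25-16-00-00",
])


def _convert(raw, typ, unset, empty):
    """Turn one raw column into a typed Python value using the #types entry."""
    if raw == unset:
        return None
    if raw == empty:
        return [] if typ.startswith(("set[", "vector[")) else ""
    if typ in ("count", "port", "int"):
        return int(raw)
    if typ in ("time", "interval", "double"):
        return float(raw)
    if typ == "bool":
        return raw == "T"
    if typ.startswith(("set[", "vector[")):
        return raw.split(",")
    return raw


def parse_conn_log(text):
    """Yield one dict per record; column names and types come from the header,
    so a column added or reordered by a Bro script does not silently shift
    every value one field to the left the way a fixed grok pattern would."""
    fields, types = None, None
    unset, empty = "-", "(empty)"
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            key, _, rest = line[1:].partition("\t")
            if key == "fields":
                fields = rest.split("\t")
            elif key == "types":
                types = rest.split("\t")
            elif key == "unset_field":
                unset = rest
            elif key == "empty_field":
                empty = rest
            continue  # #separator, #path, #open, #close: nothing to parse
        if fields is None:
            raise ValueError("record before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("column count mismatch: %r" % line)
        typ_list = types or [""] * len(fields)
        yield {name: _convert(raw, typ, unset, empty)
               for name, typ, raw in zip(fields, typ_list, values)}


def summarize(records):
    """Connections and bytes per (proto, service) plus a conn_state histogram."""
    by_service = defaultdict(lambda: {"conns": 0, "orig_bytes": 0, "resp_bytes": 0})
    by_state = defaultdict(int)
    for r in records:
        key = (r["proto"], r["service"] or "unknown")
        by_service[key]["conns"] += 1
        by_service[key]["orig_bytes"] += r["orig_bytes"] or 0  # None -> 0
        by_service[key]["resp_bytes"] += r["resp_bytes"] or 0
        by_state[r["conn_state"]] += 1
    return dict(by_service), dict(by_state)


if __name__ == "__main__":
    services, states = summarize(parse_conn_log(SAMPLE_CONN_LOG))
    for (proto, service), s in sorted(services.items()):
        print("%-5s %-8s conns=%d orig=%d resp=%d" % (proto, service, s["conns"],
                                                    s["orig_bytes"], s["resp_bytes"]))
    print("conn_state:", states)
```

Point it at a real file with `parse_conn_log(open("/usr/local/bro/spool/bro/conn.log").read())`; the `(proto, service)` and `conn_state` dictionaries are the aggregations a "terms" visualization over `service` and a sum over `orig_bytes`/`resp_bytes` reproduce once those fields are indexed as numbers rather than strings.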