[Bro] Web GUI for Bro?

James Lay jlay at slave-tothe-box.net
Wed Jan 25 14:02:50 PST 2017


On 2017-01-25 14:55, project722 wrote:
> This ELK/Bro combo is turning out to be more of a learning curve than
> I had hoped for. I can get the logs over to elasticsearch and into
> Kibana, but I can only see them on the "Discovery" tab. I save the
> search to use with a visualization, but it wants to do something by
> "count" and it's not breaking down the connections in conn.log and
> graphing them like I had hoped for. Here is my logstash conf file.
> 
> input {
>   stdin { }
>   file {
>     path => "/opt/bro/logs/current/*.log"
>     start_position => "beginning"
>   }
> }
> 
> filter {
>   if [message] =~
> /^(\d+\.\d{6}\s+\S+\s+(?:[\d\.]+|[\w:]+|-)\s+(?:\d+|-)\s+(?:[\d\.]+|[\w:]+|-)\s+(?:\d+|-)\s+\S+\s+\S+\s+\S+\s+\S+\s+[^:]+::\S+\s+[^:]+::\S+\s+\S+(?:\s\S+)*$)/
> {
>     grok{
>       patterns_dir => "/opt/logstash/custom_patterns"
>       match => {
>         message => "%{291009}"
>       }
>       add_field => [ "rule_id", "291009" ]
>       add_field => [ "Device Type", "IPSIDSDevice" ]
>       add_field => [ "Object", "Process" ]
>       add_field => [ "Action", "General" ]
>       add_field => [ "Status", "Informational" ]
>     }
>   }
> 
>   #translate {
>   #  field => "evt_dstip"
>   #  destination => "malicious_IP"
>   #   dictionary_path => '/opt/logstash/maliciousIPV4.yaml'
>   #}
>   #translate {
>   #  field => "evt_srcip"
>   #  destination => "malicious_IP"
>   #  dictionary_path => '/opt/logstash/maliciousIPV4.yaml'
>   #}
>   #translate {
>   #  field => "md5"
>   #  destination => "maliciousMD5"
>   #  dictionary_path => '/opt/logstash/maliciousMD5.yaml'
>   #}
>   #date {
>   #  match => [ "start_time", "UNIX" ]
>   #}
> 
> }
> 
> output {
>   elasticsearch { hosts => ["localhost:9200"] }
>   stdout { codec => rubydebug }
> }
> 
> In Kibana under the Discover tab I can see my messages from conn.log.
> How can I get this data properly graphed and broken down more like how
> the connection summary emails are broken down?
> 
> 		January 25th 2017, 15:52:57.702
> 
> 1485381116.563095 CN2Wu7l8JEjji3ht3 192.168.100.102 58128
> 192.168.100.103 161 udp snmp 0.010298 53 53 SF T T 0 Dd 1 81 1 81
> (empty)
> 
> On Wed, Jan 25, 2017 at 3:27 PM, Daniel Guerra
> <daniel.guerra69 at gmail.com> wrote:
> 
>> Hi,
>> 
>> Check my docker project.
>> 
>> https://hub.docker.com/r/danielguerra/bro-debian-elasticsearch/ [1]
>> 
>> The quick way :
>> 
>> export DOCKERHOST="<ip>:8080"
>> wget
>> 
> https://raw.githubusercontent.com/danielguerra69/bro-debian-elasticsearch/master/docker-compose.yml
>> [2]
>> docker-compose pull
>> docker-compose up
>> 
>> You can send pcap data to port 1969 with nc: “nc dockerip 1969 <
>> mypcapfile”
>> 
>> After this open your browser to dockerip:5601 for kibana; it's
>> preconfigured with some
>> queries and desktops.
>> 
>> On 25 Jan 2017, at 14:48, project722 <project722 at gmail.com> wrote:
>> 
>> Thanks All. I am looking into ELK.
>> 
>> On Tue, Jan 24, 2017 at 2:44 AM, Kevin Ross
>> <kevross33 at googlemail.com> wrote:
>> 
>> As said before ELK is your best bet. Here is a link that may
>> interest you. The learning curve may be steep but it is worth it in
>> the end (assuming you are putting this together yourself and not a
>> all in one solution that provides it for you) when you can query
>> logs as easily as a google search and visualise.
>> 
>> https://www.elastic.co/blog/bro-ids-elastic-stack [3]
>> 
>> Also you could use Security Onion and it uses ELSA to present these
>> logs although my preference these days because of its easier ability
>> I find to add in new data sources would be ELK (i.e once you
>> understand logstash and parsing logs you can easily parse any log
>> you have to correlate Bro, IDS, network and even host logs).
>> 
>> https://github.com/mcholste/elsa [4]
>> http://blog.bro.org/2012/01/monster-logs.html [5]
>> 
>> On 21 January 2017 at 11:54, project722 <project722 at gmail.com>
>> wrote:
>> 
>> Got Bro 2.4.1 working on a RHEL 6 system. Can anyone provide
>> suggestions on what I should use as a web GUI for bro? What is the
>> best options out there? NOTE - my version of Bro was compiled from
>> source.
>> 

Mod this to your liking and see how it goes:

#####
input {
         file {
                 type => "connlog"
                 path => "/usr/local/bro/spool/bro/conn.log"
                 sincedb_path => "/var/lib/logstash/.sincedbconn"
         }

         file {
                 type => "ssllog"
                 path => "/usr/local/bro/spool/bro/ssl.log"
                 sincedb_path => "/var/lib/logstash/.sincedbssl"
         }
}

filter {
         #bro conn.log: drop the #-prefixed header/footer lines, then split
         #the tab-separated columns.  The column order below is the Bro 2.4
         #default conn.log layout; compare it with the #fields line of your
         #own conn.log, since loaded scripts can add or reorder columns.
         if [type] == "connlog" {
                 if [message] =~ "^#" {
                         drop { }
                 } else {
                         grok {
                                 match => [ "message", 
"(?<unixtime>(.*?))\t(?<uid>(.*?))\t(?<src_ip>(.*?))\t(?<src_port>(.*?))\t(?<dst_ip>(.*?))\t(?<dst_port>(.*?))\t(?<proto>(.*?))\t(?<service>(.*?))\t(?<duration>(.*?))\t(?<orig_bytes>(.*?))\t(?<resp_bytes>(.*?))\t(?<conn_state>(.*?))\t(?<local_orig>(.*?))\t(?<local_resp>(.*?))\t(?<missed_bytes>(.*?))\t(?<history>(.*?))\t(?<orig_pkts>(.*?))\t(?<orig_ip_bytes>(.*?))\t(?<resp_pkts>(.*?))\t(?<resp_ip_bytes>(.*?))\t(?<tunnel_parents>(.*))" 
                                 ]
                         }
                 }
         }

         #bro ssl.log: Bro 2.4 column order, with the notary.* columns that
         #policy/protocols/ssl/notary appends at the end.  Grok capture names
         #must not contain dots ("notary.first_seen" becomes one top-level
         #field with a literal dot in its name, which Elasticsearch 2.x
         #refuses to index), so they are written with underscores.  The last
         #column uses GREEDYDATA: a trailing DATA is non-greedy and would
         #match the empty string.
         if [type] == "ssllog" {
                 if [message] =~ "^#" {
                         drop { }
                 } else {
                         grok {
                                 match => [ "message", 
"(?<unixtime>(.*?))\t%{DATA:uid}\t%{DATA:src_ip}\t%{DATA:src_port}\t%{DATA:dst_ip}\t%{DATA:dst_port}\t%{DATA:version}\t%{DATA:cipher}\t%{DATA:curve}\t%{DATA:hostname}\t%{DATA:resumed}\t%{DATA:last_alert}\t%{DATA:next_protocol}\t%{DATA:established}\t%{DATA:cert_chain_fuids}\t%{DATA:client_cert_chain_fuids}\t%{DATA:subject}\t%{DATA:issuer}\t%{DATA:client_subject}\t%{DATA:client_issuer}\t%{DATA:validation_status}\t%{DATA:notary_first_seen}\t%{DATA:notary_last_seen}\t%{DATA:notary_times_seen}\t%{GREEDYDATA:notary_valid}" 
                                 ]
                         }
                 }
         }

         #geoip source and destination (applied to both log types).
         #Private RFC 1918 addresses such as the 192.168.100.x hosts above
         #are not in the GeoIP database; those events just get tagged
         #_geoip_lookup_failure, which is harmless.
         geoip {
                 source => "src_ip"
                 target => "src_geoip"
         }

         geoip {
                 source => "dst_ip"
                 target => "dst_geoip"
         }

         #convert the numeric columns so Kibana can sum/average them
         #instead of only counting.  Note that unixtime is left as a string
         #here, so @timestamp is the ingest time, not the Bro ts.
         mutate {
                 convert => [ "resp_bytes", "integer" ]
                 convert => [ "resp_ip_bytes", "integer" ]
                 convert => [ "orig_bytes", "integer" ]
                 convert => [ "orig_ip_bytes", "integer" ]
                 convert => [ "src_port", "integer" ]
                 convert => [ "dst_port", "integer" ]
                 #nested fields are referenced as [parent][child]; a plain
                 #"src_geoip.country_name" names a top-level field that
                 #does not exist, so the gsub would silently do nothing.
                 gsub => [
                         "[src_geoip][country_name]", "[ ]", "_",
                         "[dst_geoip][country_name]", "[ ]", "_",
                         "proto", "tcp", "TCP",
                         "proto", "udp", "UDP",
                         "proto", "icmp", "ICMP"
                 ]
         }
}

output {
         #uncomment below for testing
         #stdout { codec => rubydebug }
         elasticsearch { }
}
#####

James
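Both grok configs in this thread throw away the `#fields`/`#types` header lines and hard-code the column order, so a changed script set or Bro version silently shifts every field. The following added example (written for this page; not code from any of the posters) reads a Bro ASCII log driven by its own header, types the columns, produces the per-service breakdown the original question asked for, and shapes a record for Elasticsearch with nested names and a real `@timestamp`. The sample conn.log is constructed in Bro 2.4 layout; only its first data line is adapted from the line quoted above.

```python
"""Header-driven reader for Bro ASCII logs plus a conn.log breakdown.
Added example, not code from the mailing-list thread; SAMPLE_CONN_LOG
is constructed (Bro 2.4 conn.log layout)."""
import re
from collections import Counter
from datetime import datetime, timezone

SAMPLE_CONN_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tlocal_resp\tmissed_bytes\thistory\torig_pkts\torig_ip_bytes\tresp_pkts\tresp_ip_bytes\ttunnel_parents
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring\tbool\tbool\tcount\tstring\tcount\tcount\tcount\tcount\tset[string]
1485381116.563095\tCN2Wu7l8JEjji3ht3\t192.168.100.102\t58128\t192.168.100.103\t161\tudp\tsnmp\t0.010298\t53\t53\tSF\tT\tT\t0\tDd\t1\t81\t1\t81\t(empty)
1485381120.001000\tCa1\t192.168.100.102\t51000\t93.184.216.34\t443\ttcp\tssl\t1.500000\t1200\t5400\tSF\tT\tF\t0\tShADadFf\t10\t1720\t8\t5816\t(empty)
1485381121.500000\tCa2\t192.168.100.105\t51001\t93.184.216.34\t80\ttcp\thttp\t0.200000\t300\t2000\tSF\tT\tF\t0\tShADadFf\t5\t560\t4\t2208\t(empty)
1485381125.000000\tCa3\t10.0.0.9\t40000\t192.168.100.103\t22\ttcp\t-\t-\t-\t-\tS0\tT\tT\t0\tS\t1\t60\t0\t0\t(empty)
#close\t2017-01-25-14-05-00
"""


def _decode_separator(raw):
    # Bro writes the separator as a \xNN escape, e.g. "#separator \x09"
    return re.sub(r"\\x([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), raw)


def _convert(raw, typ, set_sep, empty, unset):
    """Map one column to a Python value using its #types declaration."""
    if raw == unset:            # "-": field not set for this record
        return None
    if typ.startswith(("set[", "vector[")):
        if raw == empty:
            return []
        inner = typ[typ.index("[") + 1:-1]
        return [_convert(v, inner, set_sep, empty, unset)
                for v in raw.split(set_sep)]
    if raw == empty:
        return ""
    if typ in ("count", "int", "port"):
        return int(raw)
    if typ in ("time", "interval", "double"):
        return float(raw)
    if typ == "bool":
        return raw == "T"
    return raw                  # string, addr, subnet, enum stay as text


def parse_bro_log(text):
    """Parse a Bro ASCII log using its own #fields/#types header lines."""
    sep, set_sep, empty, unset = "\t", ",", "(empty)", "-"
    fields = types = None
    records = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                sep = _decode_separator(line[len("#separator "):])
                continue
            key, _, val = line[1:].partition(sep)
            if key == "set_separator":
                set_sep = val
            elif key == "empty_field":
                empty = val
            elif key == "unset_field":
                unset = val
            elif key == "fields":
                fields = val.split(sep)
            elif key == "types":
                types = val.split(sep)
            continue            # #path, #open, #close: nothing to do
        if fields is None or types is None:
            raise ValueError("data line before #fields/#types header")
        cols = line.split(sep)
        if len(cols) != len(fields):
            raise ValueError("expected %d columns, got %d" % (len(fields), len(cols)))
        records.append({n: _convert(c, t, set_sep, empty, unset)
                        for n, t, c in zip(fields, types, cols)})
    return records


def summarize_conn(records):
    """Breakdown in the spirit of Bro's connection summary e-mail."""
    conns, total_bytes, originators = Counter(), Counter(), Counter()
    for r in records:
        key = (r["proto"], r["service"] or "unknown")  # service is None when unset
        conns[key] += 1
        total_bytes[key] += (r["orig_bytes"] or 0) + (r["resp_bytes"] or 0)
        originators[r["id.orig_h"]] += 1
    return {"connections_by_service": conns,
            "bytes_by_service": total_bytes,
            "top_originators": originators.most_common(5)}


def to_es_doc(rec):
    """Shape a record for Elasticsearch: nest dotted Bro names (id.orig_h ->
    id: {orig_h: ...}) instead of a field literally named "id.orig_h", and
    derive @timestamp from the Bro ts rather than from ingest time."""
    doc = {}
    for name, val in rec.items():
        *parents, leaf = name.split(".")
        node = doc
        for p in parents:
            node = node.setdefault(p, {})
        node[leaf] = val
    ts = datetime.fromtimestamp(rec["ts"], tz=timezone.utc)
    doc["@timestamp"] = ts.strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    return doc


if __name__ == "__main__":
    recs = parse_bro_log(SAMPLE_CONN_LOG)
    summary = summarize_conn(recs)
    for (proto, svc), n in sorted(summary["connections_by_service"].items()):
        print("%-4s %-8s %2d conns %6d bytes" % (proto, svc, n, summary["bytes_by_service"][(proto, svc)]))
    print(to_es_doc(recs[0]))
```

Because the column names and types come from the log itself, the same reader handles ssl.log, dns.log or any other Bro ASCII log without a per-log regex; `set[...]` columns such as `tunnel_parents` come back as lists split on `#set_separator`, and unset (`-`) columns become `None` so that sums over `orig_bytes` ignore them instead of failing. Feeding `to_es_doc()` output to Elasticsearch avoids the ingest-time `@timestamp` and the dotted field names that a positional grok produces.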

