[Bro] Web GUI for Bro?
Craig Pluchinsky
craigp at iup.edu
Thu Jan 26 04:40:15 PST 2017
I started to use the csv filter instead of grok. Just change the
delimiter to a literal tab. Also make sure to not use "." in the column
names. I just copied the bro field names.
if [type] == "bro_conn" {
  csv {
    columns => [
      "ts","uid","orig_h","orig_p","resp_h","resp_p","proto","service","duration","orig_bytes","resp_bytes","conn_state","local_orig","local_resp","missed_bytes","history","orig_pkts","orig_ip_bytes","resp_pkts","resp_ip_bytes","tunnel_parents","peer_descr","orig_cc","resp_cc"
    ]
    # the separator is a literal tab character (Bro's field delimiter), not a space
    separator => "	"
  }
}
-------------------------------
Craig Pluchinsky
IT Services
Indiana University of Pennsylvania
724-357-3327
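The csv filter above hard-codes the column list, and the grok config quoted further down drops every line that starts with "#", yet Bro's header lines already carry the field names, types and the unset/empty markers. As an added example (not code from anyone in this thread), the Python below reads those headers to name and type-convert conn.log rows the way a Logstash pipeline would need them, renaming dotted fields as the post above advises; its input is constructed from the header Bro 2.4 writes plus the conn.log row quoted further down.

```python
# Constructed input: the header lines Bro 2.4 writes for conn.log, followed by
# the data row quoted in the thread with its tabs restored.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration"
    "\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tlocal_resp\tmissed_bytes\thistory"
    "\torig_pkts\torig_ip_bytes\tresp_pkts\tresp_ip_bytes\ttunnel_parents",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount"
    "\tstring\tbool\tbool\tcount\tstring\tcount\tcount\tcount\tcount\tset[string]",
    "1485381116.563095\tCN2Wu7l8JEjji3ht3\t192.168.100.102\t58128\t192.168.100.103"
    "\t161\tudp\tsnmp\t0.010298\t53\t53\tSF\tT\tT\t0\tDd\t1\t81\t1\t81\t(empty)",
])

# Bro #types entry -> Python caster; string, addr and enum stay as text.
CASTERS = {"count": int, "port": int, "int": int, "time": float,
           "interval": float, "double": float, "bool": lambda v: v == "T"}


def convert(value, bro_type, meta):
    """Type one TSV cell using its #types entry and the header's markers."""
    if value == meta["unset_field"]:
        return None
    if bro_type.startswith(("set[", "vector[")):
        return [] if value == meta["empty_field"] else value.split(meta["set_separator"])
    return CASTERS.get(bro_type, str)(value)


def parse_bro_log(text):
    """Yield one dict per data row, named and typed from the # header lines
    that a drop-on-'^#' filter throws away. Dots in field names are replaced
    (id.orig_h -> id_orig_h), matching the advice on Logstash column names."""
    sep, fields, types = "\t", [], []
    meta = {"set_separator": ",", "empty_field": "(empty)", "unset_field": "-"}
    for line in text.splitlines():
        if line.startswith("#separator "):  # Bro writes the value escaped: \x09
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#"):          # #fields, #types, markers, #open/#close
            key, *vals = line[1:].split(sep)
            if key == "fields":
                fields = [f.replace(".", "_") for f in vals]
            elif key == "types":
                types = vals
            elif key in meta:
                meta[key] = vals[0]
        else:
            yield {n: convert(c, t, meta) for n, t, c in zip(fields, types, line.split(sep))}
```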
On Wed, 25 Jan 2017, James Lay wrote:
> On 2017-01-25 14:55, project722 wrote:
>> This ELK/Bro combo is turning out to be more of a learning curve than
>> I had hoped for. I can get the logs over to elasticsearch and into
>> Kibana, but I can only see them on the "Discovery" tab. I save the
>> search to use with a visualization, but it wants to do something by
>> "count" and it's not breaking down the connections in conn.log and
>> graphing them like I had hoped for. Here is my logstash conf file.
>>
>> input {
>>   stdin { }
>>   file {
>>     path => "/opt/bro/logs/current/*.log"
>>     start_position => "beginning"
>>   }
>> }
>>
>> filter {
>>   if [message] =~
>>     /^(\d+\.\d{6}\s+\S+\s+(?:[\d\.]+|[\w:]+|-)\s+(?:\d+|-)\s+(?:[\d\.]+|[\w:]+|-)\s+(?:\d+|-)\s+\S+\s+\S+\s+\S+\s+\S+\s+[^:]+::\S+\s+[^:]+::\S+\s+\S+(?:\s\S+)*$)/
>>   {
>>     grok {
>>       patterns_dir => "/opt/logstash/custom_patterns"
>>       match => {
>>         message => "%{291009}"
>>       }
>>       add_field => [ "rule_id", "291009" ]
>>       add_field => [ "Device Type", "IPSIDSDevice" ]
>>       add_field => [ "Object", "Process" ]
>>       add_field => [ "Action", "General" ]
>>       add_field => [ "Status", "Informational" ]
>>     }
>>   }
>>
>>   #translate {
>>   #  field => "evt_dstip"
>>   #  destination => "malicious_IP"
>>   #  dictionary_path => '/opt/logstash/maliciousIPV4.yaml'
>>   #}
>>   #translate {
>>   #  field => "evt_srcip"
>>   #  destination => "malicious_IP"
>>   #  dictionary_path => '/opt/logstash/maliciousIPV4.yaml'
>>   #}
>>   #translate {
>>   #  field => "md5"
>>   #  destination => "maliciousMD5"
>>   #  dictionary_path => '/opt/logstash/maliciousMD5.yaml'
>>   #}
>>   #date {
>>   #  match => [ "start_time", "UNIX" ]
>>   #}
>>
>> }
>>
>> output {
>>   elasticsearch { hosts => ["localhost:9200"] }
>>   stdout { codec => rubydebug }
>> }
>>
>> In Kibana under the Discover tab I can see my messages from conn.log.
>> How can I get this data properly graphed and broken down more like how
>> the connection summary emails are broken down?
>>
>> January 25th 2017, 15:52:57.702
>>
>> 1485381116.563095 CN2Wu7l8JEjji3ht3 192.168.100.102 58128 192.168.100.103 161 udp snmp 0.010298 53 53 SF T T 0 Dd 1 81 1 81 (empty)
>>
>> On Wed, Jan 25, 2017 at 3:27 PM, Daniel Guerra
>> <daniel.guerra69 at gmail.com> wrote:
>>
>>> Hi,
>>>
>>> Check my docker project.
>>>
>>> https://hub.docker.com/r/danielguerra/bro-debian-elasticsearch/
>>>
>>> The quick way:
>>>
>>> export DOCKERHOST="<ip>:8080"
>>> wget https://raw.githubusercontent.com/danielguerra69/bro-debian-elasticsearch/master/docker-compose.yml
>>> docker-compose pull
>>> docker-compose up
>>>
>>> You can send pcap data with pcap to port 1969 “nc dockerip 1969 < mypcapfile”
>>>
>>> After this open your browser to dockerip:5601 for kibana, it's
>>> preconfigured with some queries and desktops.
>>>
>>> On 25 Jan 2017, at 14:48, project722 <project722 at gmail.com> wrote:
>>>
>>> Thanks All. I am looking into ELK.
>>>
>>> On Tue, Jan 24, 2017 at 2:44 AM, Kevin Ross
>>> <kevross33 at googlemail.com> wrote:
>>>
>>> As said before ELK is your best bet. Here is a link that may
>>> interest you. The learning curve may be steep but it is worth it in
>>> the end (assuming you are putting this together yourself and not an
>>> all-in-one solution that provides it for you) when you can query
>>> logs as easily as a Google search and visualise.
>>>
>>> https://www.elastic.co/blog/bro-ids-elastic-stack
>>>
>>> Also you could use Security Onion and it uses ELSA to present these
>>> logs, although my preference these days, because of its easier ability
>>> I find to add in new data sources, would be ELK (i.e. once you
>>> understand logstash and parsing logs you can easily parse any log
>>> you have to correlate Bro, IDS, network and even host logs).
>>>
>>> https://github.com/mcholste/elsa
>>> http://blog.bro.org/2012/01/monster-logs.html
>>>
>>> On 21 January 2017 at 11:54, project722 <project722 at gmail.com>
>>> wrote:
>>>
>>> Got Bro 2.4.1 working on a RHEL 6 system. Can anyone provide
>>> suggestions on what I should use as a web GUI for Bro? What are the
>>> best options out there? NOTE - my version of Bro was compiled from
>>> source.
>>>
>
> Mod this to your liking and see how it goes:
>
> #####
> input {
>   file {
>     type => "connlog"
>     path => "/usr/local/bro/spool/bro/conn.log"
>     sincedb_path => "/var/lib/logstash/.sincedbconn"
>   }
>
>   file {
>     type => "ssllog"
>     path => "/usr/local/bro/spool/bro/ssl.log"
>     sincedb_path => "/var/lib/logstash/.sincedbssl"
>   }
> }
>
> filter {
>   #bro conn.log
>   if [type] == "connlog" {
>     if [message] =~ "^#" {
>       drop { }
>     } else {
>       grok {
>         match => [ "message",
>           "(?<unixtime>(.*?))\t(?<uid>(.*?))\t(?<src_ip>(.*?))\t(?<src_port>(.*?))\t(?<dst_ip>(.*?))\t(?<dst_port>(.*?))\t(?<proto>(.*?))\t(?<service>(.*?))\t(?<duration>(.*?))\t(?<orig_bytes>(.*?))\t(?<resp_bytes>(.*?))\t(?<conn_state>(.*?))\t(?<local_orig>(.*?))\t(?<local_resp>(.*?))\t(?<missed_bytes>(.*?))\t(?<history>(.*?))\t(?<orig_packts>(.*?))\t(?<orig_ip_bytes>(.*?))\t(?<resp_packts>(.*?))\t(?<resp_ip_bytes>(.*?))\t(?<tun_parent>(.*))"
>         ]
>       }
>     }
>   }
>
>   #bro ssl.log
>   if [type] == "ssllog" {
>     if [message] =~ "^#" {
>       drop { }
>     } else {
>       grok {
>         # DATA is non-greedy, so the pattern is anchored with $; otherwise the
>         # last field (notary.valid) always matches the empty string
>         match => [ "message",
>           "(?<unixtime>(.*?))\t%{DATA:uid}\t%{DATA:src_ip}\t%{DATA:src_port}\t%{DATA:dst_ip}\t%{DATA:dst_port}\t%{DATA:version}\t%{DATA:cipher}\t%{DATA:curve}\t%{DATA:hostname}\t%{DATA:resumed}\t%{DATA:last_alert}\t%{DATA:next_protocol}\t%{DATA:established}\t%{DATA:cert_chain_fuids}\t%{DATA:client_cert_chain_fuids}\t%{DATA:subject}\t%{DATA:issuer}\t%{DATA:client_subject}\t%{DATA:client_issuer}\t%{DATA:validation_status}\t%{DATA:notary.first_seen}\t%{DATA:notary.last_seen}\t%{DATA:notary.times_seen}\t%{DATA:notary.valid}$"
>         ]
>       }
>     }
>   }
>
>   #geoip source
>   geoip {
>     source => "src_ip"
>     target => "src_geoip"
>   }
>
>   #geoip destination
>   geoip {
>     source => "dst_ip"
>     target => "dst_geoip"
>   }
>
>   mutate {
>     convert => [ "resp_bytes", "integer" ]
>     convert => [ "resp_ip_bytes", "integer" ]
>     convert => [ "orig_bytes", "integer" ]
>     convert => [ "orig_ip_bytes", "integer" ]
>     convert => [ "src_port", "integer" ]
>     convert => [ "dst_port", "integer" ]
>     gsub => [
>       "src_geoip.country_name", "[ ]", "_",
>       "dst_geoip.country_name", "[ ]", "_",
>       "proto", "tcp", "TCP",
>       "proto", "udp", "UDP",
>       "proto", "icmp", "ICMP"
>     ]
>   }
> }
>
> output {
>   #uncomment below for testing
>   #stdout { codec => rubydebug }
>   elasticsearch { }
> }
> ####
>
> James
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro