Let me preface this with "I have no idea what I'm doing".
I want to test out Bro's native elasticsearch writer...I found that there
appear to be two files for this module:
bro/base/frameworks/logging/writers/elasticsearch.bro
bro/policy/tuning/logs-to-elasticsearch.bro
Both of them specify that the module is called "LogElasticSearch"...Is that
a problem? At any rate...
I want to specify an ElasticSearch server that is not local. I didn't see
any documentation on this, but saw that elasticsearch.bro has variables
like "server_host". Seems like this would be the thing to change...So, I
tried:
@load tuning/logs-to-elasticsearch
redef LogElasticSearch::server_host = "10.10.10.10"
It appears that broctl does not like this invocation. Specifically it
chokes and says:
error in
/usr/local/bro/share/bro/policy/frameworks/communication/listen.bro, line
6: syntax error, at or near "module"
Which is weird...If I put additional redef's:
@load tuning/logs-to-elasticsearch
redef LogElasticSearch::server_host = "10.9.12.26"
redef LogElasticSearch::server_port= 9200
I then get:
error in /usr/local/bro/share/bro/site/local.bro, line 113: syntax
error, at or near "redef"
(line 113 is the last redef of server_port).
So...What am I doing wrong and how do I configure this plugin to point to
another host? Is that book on brogramming out yet? :P
Cheers,
Jesse
--
Jesse Bowling
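An added example, not part of the post above: the same two redefs written as Bro's script grammar requires, each statement terminated with a semicolon. Bro does not treat a line break as a statement terminator, so a redef without a trailing ";" makes the parser keep reading into whatever is loaded next, and the syntax error is then reported in an unrelated file (as in the listen.bro and local.bro errors quoted above). The host and port values are placeholders.

```bro
# Added example (not from the original post). Only server_host and
# server_port are assumed to exist, both named on the page; the values
# are placeholders for a remote ElasticSearch node.
@load tuning/logs-to-elasticsearch

# Each redef is a statement and must end with ";".
redef LogElasticSearch::server_host = "10.10.10.10";
redef LogElasticSearch::server_port = 9200;
```

A quick check after editing local.bro is to run `broctl check`, which parses the site scripts without deploying them and reports the file and line of any remaining syntax error.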
While working through the file-extraction demo posted by @hectaman (http://www.youtube.com/watch?v=-7p3yLHxug4), I noticed my http-item_* files would go missing whenever I stopped the bro processes. It looks like files are properly written to bro/spool/bro, but not rotated or archived.
I'm digging through the scripts in bro/share/broctl/scripts and trying to identify the process for log rotation, but figured someone may have already solved this if they've seen similar behavior.
Thanks,
Carl
In case anyone is interested in playing with this *very* early, a couple of days ago I wrote a wrapper for the input framework to execute command line programs and get the result back into Bro in a non-blocking manner. It makes stdout, stderr, and the exit code available once your command is done executing.
The script:
https://github.com/sethhall/bro-junk-drawer/blob/master/exec.bro
An example use of the script:
https://github.com/sethhall/bro-junk-drawer/blob/master/exec-test.bro
I'd appreciate feedback if anyone tries it, thanks!
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
Similar to how Bro implements the detect-MHR script, I'd like to do a
lookup against a REST API for hashes on executables...I can do it easily
enough in python but...How can I do it in Bro?
I copied the detect-MHR as a template, but immediately ran into the
questions of "how do I make an http request with Bro?" and "Will that
request now end up in my http.logs?" and "Does Bro have native abilities to
deal with JSON objects in a reasonable way?" and "What happens if I'm
getting two lines in my response: a csv style line and a JSON "object"?"...
Obviously I have a lot to learn, and would appreciate any resources I could
be pointed to for doing so... :)
Cheers,
Jesse
--
Jesse Bowling
I just finished encapsulating portions of the APT1 data into a fairly naive (but workable) Bro script module. I'd appreciate any feedback for people that try it!
https://github.com/sethhall/bro-apt1
Not bad for an hour of effort. :P
.Seth
--
Seth Hall
Attempting to build a port on OpenBSD 5.2 amd64 and have gotten to a
specific build error.
Was wondering if anyone might have insight into how to resolve/correct
the issue?
FWIW, although the install docs mention a requirement for BIND8, it
appears that the configure script accepts libbind 6.0 as equivalent.
Log is attached. Any help would be appreciated.
Thank you.
--
-- Geoff
Hi,
So quite a few infosec folks are looking at Mandiant's APT1 report, myself
included...When I saw that they included some information on SSL certs in
use I thought "Oh, I'll bet I can check my Bro logs for that!".
Unfortunately, I don't see a way to correlate the info from these reports
with my Bro logs (which is pretty vanilla).
So I suppose my question(s) is/are:
*Has anyone else seen a reliable way to correlate the report data with Bro
logs?
*How might I change my Bro logs so that if I were given this info in the
future I could reliably correlate it?
I'm fairly ignorant about how much of an X509 cert one can see on the wire;
serial number seemed promising but is only "required" to be unique per CA,
Signature Algorithm seems promising, as does Public Key Modulus...
Any suggestions/thoughts from the group?
Cheers,
Jesse
http://intelreport.mandiant.com/
http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf
http://intelreport.mandiant.com/Mandiant_APT1_Report_Appendix.zip
--
Jesse Bowling