├── .DS_Store ├── Dockerfile ├── Readme.md ├── bro-extra ├── Dockerfile-devel ├── __load__.bro ├── app-stats-list.bro ├── app-stats.bro ├── bro-extra.bro ├── broker-connector.bro ├── broker-consumer.bro ├── broker-listener.bro ├── conn_pcap.bro ├── conn_pcap_template.bro ├── conn_state.bro ├── contents.bro ├── cookie-log.bro ├── custom.bro ├── extract_files.bro ├── extract_files_template.bro ├── geoip.bro ├── intel.bro ├── locationextract.bro ├── logs-to-elasticsearch.bro ├── mac-logging.bro ├── packets-broker.bro ├── tcprs.bro └── tordetect.bro ├── bro-patch └── ElasticSearch.cc.patch ├── docker-compose.yml ├── docker-compose ├── alpine-elasticsearch │ └── docker-compose.yml ├── bro-desktop │ ├── Readme.md │ └── docker-compose.yml ├── bro-proxy-dump │ ├── commands │ └── docker-compose.yml └── debian-elasticsearch │ └── docker-compose.yml ├── php └── index.php ├── role ├── amqp-amqp ├── broctl ├── cmd-bare ├── cmd-elasticsearch ├── cmd-forensic ├── dump-elasticsearch ├── sshd ├── stdin-amqp ├── stdin-elasticsearch ├── stdin-forensic ├── xinetd-amqp ├── xinetd-elasticsearch ├── xinetd-forensic ├── xinetd-forensic-crc └── xinetd-splunk ├── scripts ├── bro-amqp.sh ├── bro-forensic-crc.sh ├── bro-forensic.sh ├── bro-mapping.sh ├── bro-splunk.sh ├── clean-elastic.sh ├── commands ├── elastic-indices.sh ├── kibana-config.sh ├── kibana-dashbords.json ├── kibana-querys.json ├── kibana-visualisations.json ├── kibana.json ├── packets-consumer.py ├── remove-mapping.sh ├── start-elastic.sh ├── update-intel.sh └── update_tor_serverlist.py ├── supervisord.conf └── xinetd ├── bro ├── bro-amqp ├── bro-forensic ├── bro-forensic-crc └── bro-splunk /.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/danielguerra69/bro-debian-elasticsearch/b31984020b382c7ae1360d0f877422523b9b539e/.DS_Store -------------------------------------------------------------------------------- /Dockerfile: 
--------------------------------------------------------------------------------
# Runtime image: builds Bro from source on top of the develop base image, adds
# the (patched) Elasticsearch writer plugin, the bro-extra scripts, the xinetd
# and role helpers plus the maintenance scripts, and defaults to the bare
# commandline role. Other roles are selected by passing /role/<name> as the
# container command (see Readme.md).
FROM danielguerra/debian-bro-develop

MAINTAINER danielguerra, https://github.com/danielguerra

# add patches for bro to work with elasticsearch 2.0 (remove . set correct time)
ADD /bro-patch /bro-patch

# build bro + tools
# Everything happens in one RUN so the packages collected in $buildDeps can be
# purged again at the end of the same layer.
# NOTE(review): both checkouts (git://git.bro.org/bro and mal-dnssearch) clone
# the tip of the default branch with no tag or commit pinned, and git:// is an
# unauthenticated transport — the build is not reproducible and trusts the
# network path to the remote at build time.
RUN buildDeps='build-essential \
    autoconf \
    install-info \
    libgoogle-perftools-dev \
    libcurl3-dev \
    libgeoip-dev \
    libpcap-dev \
    libssl-dev \
    python-dev \
    zlib1g-dev \
    libedit-dev \
    doxygen \
    git-core \
    cmake \
    make \
    g++ \
    gcc \
    libpcre3-dev \
    python-setuptools \
    libsnappy-dev \
    libbz2-dev \
    devscripts \
    libjemalloc-dev \
    libjemalloc1-dbg ' \
    && set -x \
    && cd /tmp \
    && git clone --recursive git://git.bro.org/bro \
    && patch /tmp/bro/aux/plugins/elasticsearch/src/ElasticSearch.cc /bro-patch/ElasticSearch.cc.patch \
    && cd /tmp/bro \
    && ./configure --enable-broker\
    && make \
    && make install \
    && sed -i "s/127.0.0.1/elasticsearch/g" /tmp/bro/aux/plugins/elasticsearch/scripts/init.bro \
    && sed -i "s/2secs/60secs/g" /tmp/bro/aux/plugins/elasticsearch/scripts/init.bro \
    && sed -i "s/const max_batch_size = 1000/const max_batch_size = 500/g" /tmp/bro/aux/plugins/elasticsearch/scripts/init.bro \
    && cd /tmp/bro/aux/plugins/elasticsearch \
    && ./configure \
    && make \
    && make install \
## has been removed from the bro repo
#&& cd /tmp/bro/aux/plugins/tcprs \
#&& ./configure \
#&& make \
#&& make install \
    && cd /tmp \
    && git clone --recursive https://github.com/jonschipp/mal-dnssearch.git \
    && cd /tmp/mal-dnssearch \
    && make \
    && apt-get remove -y $buildDeps \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
# The three sed calls above retarget the ES writer at the linked "elasticsearch"
# host, lengthen its flush interval from 2s to 60s and halve the batch size.

# add maintenance shell scripts
ADD /scripts /scripts

#add extra bro files
# Appending to init-default.bro makes every bro invocation in this image load
# bro-extra (commandline, xinetd and amqp roles alike).
ADD /bro-extra /usr/local/bro/share/bro/bro-extra
RUN echo "@load bro-extra" >> /usr/local/bro/share/bro/base/init-default.bro


# add bro service
# 1969/tcp is the raw pcap feed the xinetd roles listen on (see /xinetd).
RUN echo "bro 1969/tcp # bro pcap feed" >> /etc/services

#fresh intel
# NOTE(review): runs at image build time, so the intel data is frozen at the
# build date; presumably /scripts/update-intel.sh fetches feeds over the
# network — re-run it inside the container to refresh.
RUN /scripts/update-intel.sh
#set the expose ports
# 22: /role/sshd, 1969: pcap feed; 47761/47762 are not documented here —
# confirm against the role scripts before relying on them.
EXPOSE 22
EXPOSE 1969
EXPOSE 47761
EXPOSE 47762

#set default dir
WORKDIR /tmp

#Add geolitecityv6
# NOTE(review): plain-http download with no checksum or signature verification
# before the database is installed system-wide.
RUN wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCityv6-beta/GeoLiteCityv6.dat.gz
RUN gunzip GeoLiteCityv6.dat.gz
RUN mv GeoLiteCityv6.dat /usr/share/GeoIP/GeoLiteCityv6.dat
RUN ln -s /usr/share/GeoIP/GeoLiteCityv6.dat /usr/share/GeoIP/GeoIPCityv6.dat

# Do some elasticsearch tweaks (couldnt solve it with mapping :`( )
# elastic is not happy about version, type change count/string
# Several protocol logs share a "version" column with different types (count in
# socks/ssh, string in ssl/snmp); Elasticsearch wants one type per field name,
# so each is renamed to <proto>_version in the shipped base scripts.
RUN sed -i "s/version: count \&log/socks_version: count \&log/g" /usr/local/bro/share/bro/base/protocols/socks/main.bro
RUN sed -i "s/\$version=/\$socks_version=/g" /usr/local/bro/share/bro/base/protocols/socks/main.bro
RUN sed -i "s/version: string \&log/ssl_version: string \&log/g" /usr/local/bro/share/bro/base/protocols/ssl/main.bro
RUN sed -i "s/\$version=/\$ssl_version=/g" /usr/local/bro/share/bro/base/protocols/ssl/main.bro
RUN sed -i "s/version: count \&log/ssh_version: count \&log/g" /usr/local/bro/share/bro/base/protocols/ssh/main.bro
RUN sed -i "s/\$version =/\$ssh_version =/g" /usr/local/bro/share/bro/base/protocols/ssh/main.bro
RUN sed -i "s/version: string \&log/snmp_version: string \&log/g" /usr/local/bro/share/bro/base/protocols/snmp/main.bro
RUN sed -i "s/\$version=/\$snmp_version=/g" /usr/local/bro/share/bro/base/protocols/snmp/main.bro


# bro pcap-in tcp services
ADD /xinetd /xinetd

# add role scripts
ADD /role /role

# add php scripts
# NOTE(review): index.php serves pcaps and extracted files (conn_pcap_template.bro
# links to it with a pcap_file= parameter); its handling of that parameter is not
# visible here — confirm it restricts reads to /bro/pcap and extract_files.
ADD /php/index.php /var/www/html/index.php

# add supervisor config
ADD supervisord.conf /etc/supervisor/conf.d/supervisord.conf

#create output dirs
# NOTE(review): extract_files sits under the web root, so whatever bro extracts
# there is reachable through the web server in the roles that start it
# (Readme: forensic role on port 8080).
RUN mkdir /bro /bro/pcap /var/www/html/extract_files

CMD ["/role/cmd-bare"]

--------------------------------------------------------------------------------
/Readme.md:
--------------------------------------------------------------------------------
##### BRO ELK AMQP docker integration

| Bro IDS | Elasticsearch + Kibana | RabbitMQ |
| :--- | :--- | :--- |
| ![Bro IDS](https://www.bro.org/images/bro-eyes.png) | ![Elasticsearch](https://www.runabove.com/images/apps/elasticsearch-and-kibana.png) | ![RabbitMQ](https://www.rabbitmq.com/img/rabbitmq_logo_strap.png) |
| 2.5 | 2.4 + 4.6 | 3.5.7 |

### About

Integrates Bro IDS git 2.5 with Elasticsearch 2.4 & Kibana 4.6.
Bro was compiled with broker,rocksdb and pybroker (full featured).
Bro can write directly into Elasticsearch without logstash.
The bro scripts have been modified in order to satisfy elasticsearch.
The example below uses 3 elasticsearch nodes. The container bro-xinetd
writes to the master. Kibana reads from node02. The commandline bro uses
node01.
Added amqp (rabbitmq) consume/publish roles with the debian amqp-tools.

### Docker-compose

The simplest way to start all nodes is using docker-compose
The DOCKERHOST is the ip and port the user sees in kibana !
The port from the compose file is 8080.
```bash
export DOCKERHOST=":8080"
wget https://raw.githubusercontent.com/danielguerra69/bro-debian-elasticsearch/master/docker-compose.yml
docker-compose pull
docker-compose up
```
This compose file starts a role/xinetd-forensic which currently supports pcap and extracted file access from kibana.
It listens to port 1969 for pcap files.
32 | ```bash 33 | nc dockerhost 1969 < my.pcap 34 | tcpdump -i eth0 -s 0 -w - not host dockerhost | nc dockerhost 1969 35 | ``` 36 | Kibana is viewed in your browser. 37 | http://dockerhost:5601/ 38 | 39 | The pcap and extracted data can be reached over tcp port 8080 40 | 41 | [Screenshot !](https://raw.githubusercontent.com/danielguerra69/bro-debian-elasticsearch/master/bro-kibana.gif) 42 | 43 | 44 | ### Developers 45 | 46 | Full version with all tools and sources to build this project. 47 | Sources are in /tmp. 48 | ```bash 49 | docker pull danielguerra/bro-debian-elasticsearch:develop 50 | ``` 51 | 52 | #### Installation 53 | 54 | Before you begin, I recommend pulling fresh images. 55 | ```bash 56 | docker pull danielguerra/bro-debian-elasticsearch 57 | docker pull elasticsearch (or latest) 58 | docker pull kibana (or latest) 59 | docker pull rabbitmq:3.5.6-management 60 | ``` 61 | ### elastic data 62 | 63 | Create empty elasticsearch data volumes 64 | optional; if you skip this step, remove --volumes-from ... from the commands below 65 | ```bash 66 | docker create -v /usr/share/elasticsearch/data --name elastic-data-master danielguerra/empty-elastic-data /bin/true 67 | docker create -v /usr/share/elasticsearch/data --name elastic-data-node01 danielguerra/empty-elastic-data /bin/true 68 | docker create -v /usr/share/elasticsearch/data --name elastic-data-node02 danielguerra/empty-elastic-data /bin/true 69 | ``` 70 | 71 | ### elasticsearch 72 | 73 | Run three elasticsearch nodes (minimal) 74 | ```bash 75 | docker run -d --volumes-from elastic-data-master --hostname=elasticsearch-master --name elasticsearch-master elasticsearch -Des.network.bind_host=elasticsearch-master --cluster.name=bro --node.name=elasticsearch-master --discovery.zen.ping.multicast.enabled=false --network.host=elasticsearch-master 76 | docker run -d --volumes-from elastic-data-node01 --hostname=elasticsearch-node01 --name elasticsearch-node01 --link=elasticsearch-master:master elasticsearch -Des.network.bind_host=elasticsearch-node01 --cluster.name=bro 
--node.name=elasticsearch-node01 --discovery.zen.ping.unicast.hosts=master:9300 --network.host=elasticsearch-node01 77 | docker run -d --volumes-from elastic-data-node02 --hostname=elasticsearch-node02 --name elasticsearch-node02 --link=elasticsearch-master:master elasticsearch -Des.network.bind_host=elasticsearch-node02 --cluster.name=bro --node.name=elasticsearch-node02 --discovery.zen.ping.unicast.hosts=master:9300 --network.host=elasticsearch-node02 78 | ``` 79 | 80 | ### elasticsearch mapping (important) 81 | 82 | Once the elasticsearch cluster is running, start a commandline bro and run 83 | ```bash 84 | docker run --link elasticsearch-master:elasticsearch --rm danielguerra/bro-debian-elasticsearch /scripts/bro-mapping.sh 85 | ``` 86 | 87 | ### kibana 88 | 89 | Configure kibana 90 | ```bash 91 | docker run --rm --link elasticsearch-master:elasticsearch danielguerra/bro-kibana-config 92 | ``` 93 | 94 | Start kibana 95 | ```bash 96 | docker run -d -p 5601:5601 --link=elasticsearch-node02:elasticsearch --hostname=kibana --name kibana kibana 97 | ``` 98 | Point your browser to http://dockerhost:5601 99 | 100 | ### bro on the commandline 101 | 102 | commandline and local file log 103 | ```bash 104 | docker run -ti -v /Users/PCAP:/pcap --name bro-log danielguerra/bro-debian-elasticsearch 105 | ``` 106 | 107 | commandline and log to elasticsearch 108 | ```bash 109 | docker run -ti --link elasticsearch-node01:elasticsearch -v /Users/PCAP:/pcap --name bro danielguerra/bro-debian-elasticsearch /role/cmd-elasticsearch 110 | ``` 111 | read pcap files from the bro commandline 112 | 113 | ```bash 114 | bro -r /pcap/mydump.pcap 115 | ``` 116 | 117 | bro develop version (all sources are in /tmp) 118 | ``` 119 | docker run -ti --link elasticsearch-node01:elasticsearch -v /Users/PCAP:/pcap --name bro danielguerra/bro-debian-elasticsearch:develop /role/cmd-elasticsearch 120 | ``` 121 | 122 | ### bro xinetd service 123 | when role/xinetd is used, no local logs are written; all logs go to 
elasticsearch 124 | ```bash 125 | docker run -d -p 1969:1969 --link elasticsearch-master:elasticsearch --name bro-xinetd --hostname bro-xinetd danielguerra/bro-debian-elasticsearch /role/xinetd-elasticsearch 126 | ``` 127 | stream tcpdump output to your container from a remote host (replace dockerhost with your ip) 128 | ```bash 129 | tcpdump -i eth0 -s 0 -w /dev/stdout | nc dockerhost 1969 130 | ``` 131 | or send a pcap file to your container 132 | ```bash 133 | nc dockerhost 1969 < mydump.pcap 134 | ``` 135 | 136 | ### bro xinetd forensic 137 | when role/xinetd-forensic is used, pcap and extracted files are available from kibana. 138 | ```bash 139 | docker run -d -p 1969:1969 -p 8080:80 --link elasticsearch-master:elasticsearch --name bro-xinetd-forensic --hostname bro-xinetd-forensic danielguerra/bro-debian-elasticsearch /role/xinetd-forensic 140 | ``` 141 | 142 | ### bro ssh server 143 | 144 | for bro nodes or just remote key based authentication 145 | create an empty ssh volume 146 | ```bash 147 | docker create -v /root/.ssh --name ssh-container danielguerra/ssh-container /bin/true 148 | ``` 149 | create your own keys on your own machine 150 | ```bash 151 | docker run --volumes-from ssh-container debian:jessie ssh-keygen -q 152 | ``` 153 | add your pub key to the authorized_keys file 154 | ```bash 155 | docker run --volumes-from ssh-container debian:jessie cp /root/.ssh/id_rsa.pub /root/.ssh/authorized_keys 156 | ``` 157 | create a copy in your current directory (pwd) 158 | ```bash 159 | docker run --volumes-from ssh-container -v $(pwd):/backup debian:jessie cp -R /root/.ssh/* /backup 160 | ``` 161 | start bro as ssh daemon 162 | ```bash 163 | docker run -d -p 1922:22 --link elasticsearch:elasticsearch --name bro-dev danielguerra/bro-debian-elasticsearch /role/sshd 164 | ssh -p 1922 -i id_rsa root@dockerhost 165 | ``` 166 | 167 | ### bro amqp 168 | 169 | Bro can read pcaps from amqp and write its output to elasticsearch or to amqp 170 | 171 | First we need an amqp broker, in this case rabbitmq 172 | ```bash 
docker run -d -p 8080:15672 --name=rabbitmq --hostname=rabbitmq rabbitmq:3.5.6-management
docker inspect rabbitmq (to get the ip)
```

Now we can start a bro xinetd service which outputs to rabbitmq
```bash
docker run -d -p 1970:1969 --name bro-xinetd-amqp --hostname bro-xinetd-amqp danielguerra/bro-debian-elasticsearch /role/xinetd-amqp

```

Or a bro that reads pcap files from amqp and outputs to amqp
```bash
docker run -d --name=bro-amqp-amqp --hostname=bro-amqp-amqp danielguerra/bro-debian-elasticsearch /role/amqp-amqp
```
And publish a pcap file from bro-dev commandline
```bash
cat | amqp-publish --url=amqp://:@ --exchange=
```

### tcpdump containers

Start a bro-xinetd, do a (replace with your container name and with the bro xinetd ip)
```bash
docker run --rm --net=container: crccheck/tcpdump -i eth0 -w - | nc 1969 &
docker run --rm --net=container: danielguerra/bro-debian-elasticsearch:develop /role/dump-elasticsearch

```

### useful scripts

elastic-indices.sh shows elasticsearch indices
bro-mapping.sh bro mapping for kibana including geo_point mapping
remove-mapping.sh remove the mapping
clean-elastic.sh clean elasticsearch from bro data
update-intel.sh update intel for bro
--------------------------------------------------------------------------------
/bro-extra/Dockerfile-devel:
--------------------------------------------------------------------------------
# Development image: every component is built from source under /tmp and the
# sources are deliberately left in place (no apt/tmp cleanup, see the end).
# NOTE(review): this file ADDs ./custom, updateintel.sh, cleanelastic.sh,
# elasticsearchMapping.sh and removeMapping.sh, none of which appear in the
# repository tree above — it looks stale relative to the main Dockerfile
# (confirm before building from it).
FROM debian:jessie
# based on blacktop bro
MAINTAINER danielguerra, https://github.com/danielguerra

#Prevent daemon start during install
# policy-rc.d exit code 101 tells invoke-rc.d not to start services, so
# installing openssh-server/sendmail below does not try to launch daemons.
RUN echo '#!/bin/sh\nexit 101' > /usr/sbin/policy-rc.d && \
    chmod +x /usr/sbin/policy-rc.d

# Install Bro Required Dependencies
RUN \
    apt-get -qq update && \
    apt-get -qq upgrade && \
    apt-get install -yq vim \
    php5-curl \
    sendmail \
    bison \
    flex \
    gawk \
    curl \
    geoip-database \
    geoip-database-extra \
    tor-geoipdb \
    wget \
    openssh-server \
    build-essential \
    ca-certificates \
    libgoogle-perftools-dev \
    libcurl3-dev \
    libgeoip-dev \
    libpcap-dev \
    libssl-dev \
    python-dev \
    zlib1g-dev \
    libedit-dev \
    doxygen \
    git-core \
    cmake \
    make \
    g++ \
    gcc \
    libpcre3-dev \
    python-setuptools \
    libsnappy-dev \
    libbz2-dev \
    devscripts \
    install-info \
    autoconf --no-install-recommends

#swig latest for broker python integration
# NOTE(review): plain-http tarball download with no checksum verification.
WORKDIR /tmp
RUN wget http://prdownloads.sourceforge.net/swig/swig-3.0.7.tar.gz
RUN tar xvfz swig-3.0.7.tar.gz
WORKDIR /tmp/swig-3.0.7
RUN ./configure
RUN make
RUN make install

#rocksdb gives memory
# Unpinned clone of the default branch; -fPIC is needed for the shared lib.
WORKDIR /tmp
RUN git clone --recursive https://github.com/facebook/rocksdb.git
WORKDIR /tmp/rocksdb
RUN export CFLAGS="$CFLAGS -fPIC" && export CXXFLAGS="$CXXFLAGS -fPIC" && make shared_lib
RUN export CFLAGS="$CFLAGS -fPIC" && export CXXFLAGS="$CXXFLAGS -fPIC" && make install

# ipsumdump
WORKDIR /tmp
RUN git clone --recursive https://github.com/kohler/ipsumdump.git
WORKDIR /tmp/ipsumdump
RUN ./configure
RUN make
RUN make install

#actor framework caf to enable broker
# The only pinned dependency in this file (branch 0.14.2).
WORKDIR /tmp
RUN git clone --recursive --branch 0.14.2 https://github.com/actor-framework/actor-framework.git
WORKDIR /tmp/actor-framework
RUN ./configure --no-examples --no-benchmarks --no-opencl
RUN make
RUN make install

# bro
# NOTE(review): git:// is an unauthenticated transport and no commit/tag is
# pinned, so the image gets whatever the remote serves at build time.
WORKDIR /tmp
RUN git clone --recursive git://git.bro.org/bro
WORKDIR /tmp/bro
RUN ./configure
RUN make
RUN make install

# ELK integration

# Do some kibana changes for timestamp
ADD ElasticSearch.cc.patch /tmp/ElasticSearch.cc.patch
RUN patch /tmp/bro/aux/plugins/elasticsearch/src/ElasticSearch.cc /tmp/ElasticSearch.cc.patch
#set host to virtual host elasticsearch
RUN sed -i "s/127.0.0.1/elasticsearch/g" /tmp/bro/aux/plugins/elasticsearch/scripts/init.bro
# give more time to write
RUN sed -i "s/2secs/60secs/g" /tmp/bro/aux/plugins/elasticsearch/scripts/init.bro
# smaller batches for bro file read eg 1 having flush problems
# (the main Dockerfile uses 500 here; this develop image flushes every record)
RUN sed -i "s/const max_batch_size = 1000/const max_batch_size = 1/g" /tmp/bro/aux/plugins/elasticsearch/scripts/init.bro
#install the plugin
WORKDIR /tmp/bro/aux/plugins/elasticsearch
RUN ./configure
RUN make
RUN make install

# mal-dns to get intel
WORKDIR /tmp
RUN git clone --recursive https://github.com/jonschipp/mal-dnssearch.git
WORKDIR /tmp/mal-dnssearch
RUN make

# for geohash example python execute
# NOTE(review): the #md5= fragment is a pip convention; wget does not verify
# it, so this download is also unchecked.
WORKDIR /tmp
RUN wget https://pypi.python.org/packages/source/G/Geohash/Geohash-1.0.tar.gz#md5=a7c4e57874061fae1e30dd8aa8b9b390
RUN tar xvfz Geohash-1.0.tar.gz
WORKDIR /tmp/Geohash-1.0
RUN python setup.py build
RUN python setup.py install
WORKDIR /root

# removed for develop purposes
# clean up
#RUN apt-get clean
#RUN rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*

#set the path
# ENV already puts /usr/local/bro/bin on PATH; the .profile line expands $PATH
# at build time and bakes that value in, so it is redundant for login shells.
ENV PATH /usr/local/bro/bin:$PATH
RUN echo "export PATH=$PATH:/usr/local/bro/bin" > /root/.profile

# add custom bro scripts
ADD /custom /usr/local/bro/share/bro/custom
RUN echo "@load custom" >> /usr/local/bro/share/bro/base/init-default.bro

# add maintenance shell scripts
ADD updateintel.sh /bin/updateintel.sh
ADD cleanelastic.sh /bin/cleanelastic.sh
ADD elasticsearchMapping.sh /bin/elasticsearchMapping.sh
ADD removeMapping.sh /bin/removeMapping.sh
# update intel files
RUN
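/bin/updateintel.sh

#do some elasticsearch tweaks
#socks version causes type conflict
RUN sed -i "s/version: count \&log/socks_version: count \&log/g" /usr/local/bro/share/bro/base/protocols/socks/main.bro
RUN sed -i "s/\$version=/\$socks_version=/g" /usr/local/bro/share/bro/base/protocols/socks/main.bro

#ssh version conflict

#set sshd config for key based authentication for root
# PermitRootLogin is set to "without-password" rather than "yes": the stated
# intent is key-based root access, and this keeps password logins for root
# disabled while the authorized_keys flow from the Readme still works.
# NOTE(review): UsePrivilegeSeparation and UsePAM are both turned off here;
# privilege separation is a sandboxing feature of sshd, so re-enabling it is
# worth testing once /var/run/sshd exists (it is created on this same line).
RUN mkdir -p /var/run/sshd && sed -i "s/UsePrivilegeSeparation.*/UsePrivilegeSeparation no/g" /etc/ssh/sshd_config && sed -i "s/UsePAM.*/UsePAM no/g" /etc/ssh/sshd_config && sed -i "s/PermitRootLogin.*/PermitRootLogin without-password/g" /etc/ssh/sshd_config && sed -i "s/#AuthorizedKeysFile/AuthorizedKeysFile/g" /etc/ssh/sshd_config

#set the expose ports
EXPOSE 22
EXPOSE 47761
EXPOSE 47762

#set elasticsearch mapping
# Only the last CMD in a Dockerfile takes effect, so this one was dead; it was
# also malformed (`["exec"."..."]` is not valid JSON). Kept as a reminder that
# the mapping script exists; run it by hand or from a role script instead.
#CMD ["/bin/elasticsearchMapping.sh"]

#start sshd
# Exec form does not go through a shell, so "exec" is not a usable argv[0];
# the daemon binary itself has to be the first element.
CMD ["/usr/sbin/sshd","-D"]

--------------------------------------------------------------------------------
/bro-extra/__load__.bro:
--------------------------------------------------------------------------------
@load ./bro-extra.bro

--------------------------------------------------------------------------------
/bro-extra/app-stats-list.bro:
--------------------------------------------------------------------------------
module AppStats;

export {

    ## Hostname patterns keyed by application name. app-stats.bro matches each
    ## pattern against the responder name it picked for a connection (DNS query,
    ## SSL server_name or HTTP Host). Dots are escaped: in a Bro pattern an
    ## unescaped `.` matches any character, so the previous `/.facebook.com$/`
    ## also accepted e.g. "xfacebookxcom".
    const appstats_list: table[string] of pattern = {
        ["Facebook"] = /\.facebook\.com$|\.fbcdn\.net$/,
        ["Gmail"] = /\.gmail\.com$/,
        ["Youtube"] = /\.youtube\.com$|\.googlevideo\.com$/,
        ["Google"] = /\.google\.com$/,
        ["Netflix"] = /\.netflix\.com$|\.nflxvideo\.net$/,
        # NOTE(review): this matches any "www.<label>.com|net" host, so nearly
        # every plain web site is also counted under "Tor" — confirm the
        # intended hostname shape before relying on this bucket.
        ["Tor"] = /^www\.[0-9a-zA-Z]+\.(net|com)$/
    } &redef;

    ## URI patterns keyed by application name, matched against the HTTP uri.
    const urlappstats_list: table[string] of pattern = {
        ["Tor"] = /^\/tor\//
    } &redef;
}

--------------------------------------------------------------------------------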
/bro-extra/app-stats.bro:
--------------------------------------------------------------------------------
##! AppStats collects information about web applications in use
##! on the network.
##!
##! Each finished connection is attributed to a responder hostname (DNS query,
##! SSL server_name or HTTP Host, in that order of preference) and matched
##! against the pattern tables in app-stats-list.bro; byte and hit counts are
##! aggregated with SumStats and written to the app_stats log every
##! break_interval. The chosen hostname is also added to conn.log.

@load base/protocols/http
@load base/protocols/ssl
@load base/protocols/dns
@load base/frameworks/sumstats
@load ./app-stats-list

module AppStats;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ## Timestamp when the log line was finished and written.
        ts: time &log;
        ## Time interval that the log line covers.
        ts_delta: interval &log;
        ## The name of the "app", like "facebook" or "netflix".
        app: string &log;
        ## The number of unique local hosts using the app.
        ## NOTE(review): the UNIQUE reducer below is fed id$resp_h, so this
        ## actually counts distinct responder addresses, not local client
        ## hosts — confirm which was intended.
        uniq_hosts: count &log;
        ## The number of hits to the app in total.
        hits: count &log;
        ## The total number of bytes received by users of the app.
        ## (Observed value is orig size + resp size, i.e. both directions.)
        bytes: count &log;
    };

    redef record Conn::Info += {
        ## add response hostname to connection
        resp_hostname: string &optional &log;
    };
    ## The frequency of logging the stats collected by this script.
    const break_interval = 15mins &redef;
}

## Hook that feeds the hostname-based observations; see add_sumstats below.
global add_sumstats: hook(id: conn_id, hostname: string, size: count);

## Hook that feeds the URI-based observations (the second parameter is the
## HTTP uri despite its name); see add_urlsumstats below.
global add_urlsumstats: hook(id: conn_id, hostname: string, size: count);

## Create the app_stats log stream and the SumStats aggregation: apps.bytes is
## summed, apps.hits counts observations and unique keys. Every break_interval
## one Info line per app is written.
event bro_init() &priority=3
    {
    Log::create_stream(AppStats::LOG, [$columns=Info, $path="app_stats"]);

    local r1: SumStats::Reducer = [$stream="apps.bytes", $apply=set(SumStats::SUM)];
    local r2: SumStats::Reducer = [$stream="apps.hits", $apply=set(SumStats::UNIQUE)];
    SumStats::create([$name="app-metrics",
                      $epoch=break_interval,
                      $reducers=set(r1, r2),
                      $epoch_result(ts: time, key: SumStats::Key, result: SumStats::Result) =
                          {
                          local l: Info;
                          # ts is the current network time, not the epoch's ts argument.
                          l$ts = network_time();
                          l$ts_delta = break_interval;
                          l$app = key$str;
                          l$bytes = double_to_count(floor(result["apps.bytes"]$sum));
                          l$hits = result["apps.hits"]$num;
                          l$uniq_hosts = result["apps.hits"]$unique;
                          Log::write(LOG, l);
                          }]);
    }

## Runs when a connection is torn down. Relies on c$conn already being
## populated by base/protocols/conn (pulled in via the http/ssl/dns loads).
event connection_state_remove (c: connection)
    {
    #check uri if there is one
    if ( c?$http && c$http?$uri )
        hook add_urlsumstats(c$id, c$http$uri, c$resp$size+c$orig$size);

    # names first try dns otherwise ssl server or http and set resp_hostname
    # NOTE(review): for a DNS connection the *queried* name is attributed to
    # the connection with the DNS server, so a lookup of an app's name counts
    # as a hit with id$resp_h = the resolver — confirm that is wanted.
    if ( c?$dns && c$dns?$query )
        c$conn$resp_hostname=c$dns$query ;
    else if ( c?$ssl && c$ssl?$server_name )
        c$conn$resp_hostname=c$ssl$server_name;
    else if ( c?$http && c$http?$host )
        c$conn$resp_hostname=c$http$host;
    else
        return;
    # check if there is a name
    hook add_sumstats(c$id, c$conn$resp_hostname, c$resp$size+c$orig$size);
    }

## Attribute a connection to every app whose hostname pattern matches.
## id: the connection 5-tuple; id$resp_h is the UNIQUE key for apps.hits.
## hostname: responder name chosen in connection_state_remove.
## size: orig + resp bytes; connections of 20 bytes or less are ignored.
hook add_sumstats(id: conn_id, hostname: string, size: count)
    {
    for ( i in appstats_list )
        {
        if ( appstats_list[i] in hostname && size > 20 )
            {
            SumStats::observe("apps.bytes", [$str=cat(i)], [$num=size]);
            SumStats::observe("apps.hits", [$str=cat(i)], [$str=cat(id$resp_h)]);
            }
        }
    }

## Same as add_sumstats but keyed on the HTTP uri via urlappstats_list. Both
## hooks feed the same two SumStats streams, so a connection matching a
## hostname pattern and a URI pattern is observed twice.
hook add_urlsumstats(id: conn_id, uri: string, size: count)
    {
    for ( i in urlappstats_list )
        {
        if ( urlappstats_list[i] in uri && size > 20 )
            {
            SumStats::observe("apps.bytes", [$str=cat(i)], [$num=size]);
            SumStats::observe("apps.hits", [$str=cat(i)], [$str=cat(id$resp_h)]);
            }
        }
    }

--------------------------------------------------------------------------------
/bro-extra/bro-extra.bro:
--------------------------------------------------------------------------------
# Entry point of the bro-extra package (pulled in by __load__.bro, which the
# Dockerfile appends to init-default.bro). Only the scripts @loaded here run
# by default; the broker-*, conn_pcap*, conn_state and contents scripts in
# this directory are not loaded from this file — the role scripts may load
# them on the command line (confirm).

# This script loads tcprs reordering
#@load ./tcprs

# This script add lat long to ip numbers in orig_loc and dest_loc
@load ./geoip

# This script extracts cookies from http data
@load ./cookie-log

# This script loads the signature framework
@load base/frameworks/signatures/main

# probably don't need this
@load base/frameworks/notice/actions/add-geodata

# This script adds various sources of intel with mal-dns see update-intel.sh
@load ./intel

# This script detects tor traffic
@load ./tordetect

# This script extracts certificates
@load policy/protocols/ssl/extract-certs-pem

# This script extracts locations from http uri's
@load ./locationextract

# This script logs which scripts were loaded during each run.
@load misc/loaded-scripts

# Apply the default tuning scripts for common tuning settings.
@load tuning/defaults

# Load the scan detection script.
@load misc/scan

# Log some information about web applications being used by users
# on your network.
@load ./app-stats

# Detect traceroute being run on the network.
@load misc/detect-traceroute

# Generate notices when vulnerable versions of software are discovered.
# The default is to only monitor software found in the address space defined
# as "local".
# Refer to the software framework's documentation for more
# information.
@load policy/frameworks/software/vulnerable

# Detect software changing (e.g. attacker installing hacked SSHD).
@load policy/frameworks/software/version-changes

# Load all of the scripts that detect software in various protocols.
@load policy/protocols/ftp/software
@load policy/protocols/smtp/software
@load policy/protocols/ssh/software
@load policy/protocols/http/software
# The detect-webapps script could possibly cause performance trouble when
# running on live traffic. Enable it cautiously.
#@load protocols/http/detect-webapps

# This script detects DNS results pointing toward your Site::local_nets
# where the name is not part of your local DNS zone and is being hosted
# externally. Requires that the Site::local_zones variable is defined.
@load policy/protocols/dns/detect-external-names

# Script to detect various activity in FTP sessions.
@load policy/protocols/ftp/detect

# Scripts that do asset tracking.
@load policy/protocols/conn/known-hosts
@load policy/protocols/conn/known-services
@load policy/protocols/ssl/known-certs

# This script enables SSL/TLS certificate validation.
@load policy/protocols/ssl/validate-certs

# This script prevents the logging of SSL CA certificates in x509.log
@load policy/protocols/ssl/log-hostcerts-only

# Uncomment the following line to check each SSL certificate hash against the ICSI
# certificate notary service; see http://notary.icsi.berkeley.edu .
# NOTE(review): the line below is already enabled (the "uncomment" wording is
# stale), so every observed certificate triggers a lookup to the external
# notary service — an outbound dependency to be aware of in an isolated
# deployment.
@load policy/protocols/ssl/notary

# Detect hosts doing SSH bruteforce attacks.
@load policy/protocols/ssh/detect-bruteforcing
# Detect logins using "interesting" hostnames.
@load policy/protocols/ssh/interesting-hostnames

# Detect SQL injection attacks.
91 | @load policy/protocols/http/detect-sqli 92 | 93 | #### Network File Handling #### 94 | 95 | # Enable MD5 and SHA1 hashing for all files. 96 | @load policy/frameworks/files/hash-all-files 97 | 98 | # Detect SHA1 sums in Team Cymru's Malware Hash Registry. 99 | @load policy/frameworks/files/detect-MHR 100 | 101 | # Uncomment the following line to enable detection of the heartbleed attack. Enabling 102 | # this might impact performance a bit. 103 | @load policy/protocols/ssl/heartbleed 104 | 105 | #add mac addresses to conn log 106 | @load ./mac-logging 107 | -------------------------------------------------------------------------------- /bro-extra/broker-connector.bro: -------------------------------------------------------------------------------- 1 | const broker_port: port = 9999/tcp &redef; 2 | redef exit_only_after_terminate = T; 3 | redef BrokerComm::endpoint_name = "connector"; 4 | 5 | event bro_init() 6 | { 7 | BrokerComm::enable(); 8 | BrokerComm::connect("127.0.0.1", broker_port, 1sec); 9 | } 10 | 11 | event BrokerComm::outgoing_connection_established(peer_address: string, 12 | peer_port: port, 13 | peer_name: string) 14 | { 15 | print "BrokerComm::outgoing_connection_established", 16 | peer_address, peer_port, peer_name; 17 | terminate(); 18 | } 19 | -------------------------------------------------------------------------------- /bro-extra/broker-consumer.bro: -------------------------------------------------------------------------------- 1 | const broker_port: port = 9999/tcp &redef; 2 | redef exit_only_after_terminate = T; 3 | redef BrokerComm::endpoint_name = "listener"; 4 | global msg_count = 0; 5 | 6 | event bro_init() 7 | { 8 | BrokerComm::enable(); 9 | BrokerComm::subscribe_to_prints("bro/print/"); 10 | BrokerComm::listen(broker_port, "127.0.0.1"); 11 | } 12 | 13 | event BrokerComm::incoming_connection_established(peer_name: string) 14 | { 15 | print "BrokerComm::incoming_connection_established", peer_name; 16 | } 17 | 18 | event 
BrokerComm::print_handler(msg: string) 19 | { 20 | ++msg_count; 21 | print "got print message", msg; 22 | 23 | if ( msg_count == 3 ) 24 | terminate(); 25 | } 26 | -------------------------------------------------------------------------------- /bro-extra/broker-listener.bro: -------------------------------------------------------------------------------- 1 | const broker_port: port = 9999/tcp &redef; 2 | redef exit_only_after_terminate = T; 3 | redef BrokerComm::endpoint_name = "listener"; 4 | 5 | event bro_init() 6 | { 7 | BrokerComm::enable(); 8 | BrokerComm::listen(broker_port, "127.0.0.1"); 9 | } 10 | 11 | event BrokerComm::incoming_connection_established(peer_name: string) 12 | { 13 | print "BrokerComm::incoming_connection_established", peer_name; 14 | } 15 | 16 | event BrokerComm::incoming_connection_broken(peer_name: string) 17 | { 18 | print "BrokerComm::incoming_connection_broken", peer_name; 19 | terminate(); 20 | } 21 | -------------------------------------------------------------------------------- /bro-extra/conn_pcap.bro: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/danielguerra69/bro-debian-elasticsearch/b31984020b382c7ae1360d0f877422523b9b539e/bro-extra/conn_pcap.bro -------------------------------------------------------------------------------- /bro-extra/conn_pcap_template.bro: -------------------------------------------------------------------------------- 1 | 2 | module PcapConn; 3 | 4 | export { 5 | ## The default web server 6 | const webserver = "http://DOCKERHOST/index.php?pcap_file=PCAPFILE" &redef; 7 | 8 | redef record Conn::Info += { 9 | ## Local filename of extracted file. 
10 | pcapuri: string &optional &log; 11 | }; 12 | 13 | } 14 | 15 | event connection_state_remove(c: connection) 16 | { 17 | local id = c$id; 18 | c$conn$pcapuri= escape_string( cat( webserver,"&proto=",get_port_transport_proto(id$orig_p),"&orig_h=",id$orig_h,"&orig_p=",port_to_count(id$orig_p),"&resp_h=",id$resp_h,"&resp_p=",port_to_count(id$resp_p))); 19 | } 20 | -------------------------------------------------------------------------------- /bro-extra/conn_state.bro: -------------------------------------------------------------------------------- 1 | @load base/protocols/conn 2 | 3 | module ConnState; 4 | 5 | export { 6 | global 7 | } 8 | event connection_established(c: connection) &priority=-5 9 | { 10 | if (c?$conn_state) { 11 | 12 | } 13 | } 14 | -------------------------------------------------------------------------------- /bro-extra/contents.bro: -------------------------------------------------------------------------------- 1 | ##! This script can be used to extract either the originator's data or the 2 | ##! responders data or both. By default nothing is extracted, and in order 3 | ##! to actually extract data the ``c$extract_orig`` and/or the 4 | ##! ``c$extract_resp`` variable must be set to ``T``. One way to achieve this 5 | ##! would be to handle the :bro:id:`connection_established` event elsewhere 6 | ##! and set the ``extract_orig`` and ``extract_resp`` options there. 7 | ##! However, there may be trouble with the timing due to event queue delay. 8 | ##! 9 | ##! .. note:: 10 | ##! 11 | ##! This script does not work well in a cluster context unless it has a 12 | ##! remotely mounted disk to write the content files to. 13 | 14 | @load base/utils/files 15 | 16 | module Conn; 17 | 18 | export { 19 | ## The prefix given to files containing extracted connections as they 20 | ## are opened on disk. 
21 | 22 | const extraction_prefix = "contents" &redef; 23 | 24 | ## If this variable is set to ``T``, then all contents of all 25 | ## connections will be extracted. 26 | const default_extract = T; 27 | 28 | const extraction_dir = "./extract_files/"; 29 | 30 | } 31 | 32 | function generate_extraction_filename2(dir: string, prefix: string, c: connection, suffix: string): string 33 | { 34 | local conn_info = fmt("%s:%d-%s:%d", 35 | c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p); 36 | 37 | if ( prefix != "" ) 38 | conn_info = fmt("%s_%s", prefix, conn_info); 39 | if ( suffix != "" ) 40 | conn_info = fmt("%s_%s", conn_info, suffix); 41 | 42 | if ( dir != "" ) 43 | conn_info = fmt("%s/%s/%s/%s", dir, c$id$orig_h, c$id$resp_h, conn_info); 44 | 45 | return conn_info; 46 | } 47 | 48 | function mkdirs(dir: string): bool { 49 | local path_split = split1(dir, /\/[^\/]*$/); 50 | local parent = path_split[1]; 51 | 52 | if ( parent == "" || |path_split| == 1 ) 53 | return mkdir(dir); 54 | else { 55 | if ( ! 
mkdirs(parent) ) 56 | return F; 57 | return mkdir(dir); 58 | } 59 | 60 | return T; 61 | } 62 | 63 | function path_dirname(path: string): string { 64 | #return path_split(path)[1] 65 | return split1(path, /\/[^\/]*$/)[1]; 66 | } 67 | 68 | function path_filename(path: string): string { 69 | #return path_split(path)[2] 70 | local cpath = split(path, /\//); 71 | return cpath[|cpath|]; 72 | } 73 | 74 | function path_split(path: string): string_array { 75 | local cpath = split(path, /\//); 76 | local ret_val: string_array; 77 | 78 | ret_val[2] = cpath[|cpath|]; 79 | delete cpath[|cpath|]; 80 | ret_val[1] = join_string_array("/", cpath); 81 | 82 | return ret_val; 83 | } 84 | 85 | redef record connection += { 86 | extract_orig: bool &default=default_extract; 87 | extract_resp: bool &default=default_extract; 88 | }; 89 | 90 | event connection_established(c: connection) &priority=-5 91 | { 92 | 93 | if ( c$extract_orig ) 94 | { 95 | local orig_file = fmt("%s/%s.%s", extraction_dir, c$uid, "orig.dat"); 96 | mkdir(extraction_dir); 97 | local orig_f = open(orig_file); 98 | set_contents_file(c$id, CONTENTS_ORIG, orig_f); 99 | } 100 | 101 | if ( c$extract_resp ) 102 | { 103 | local resp_file = fmt("%s/%s.%s", extraction_dir, c$uid, "resp.dat"); 104 | mkdir(extraction_dir); 105 | local resp_f = open(resp_file); 106 | set_contents_file(c$id, CONTENTS_RESP, resp_f); 107 | } 108 | } 109 | -------------------------------------------------------------------------------- /bro-extra/cookie-log.bro: -------------------------------------------------------------------------------- 1 | module Cookie; 2 | 3 | export { 4 | # The fully resolve name for this will be LocationExtract::LOG 5 | redef enum Log::ID += { LOG }; 6 | type Info: record { 7 | ts: time &log; 8 | uid: string &log; 9 | id: conn_id &log; 10 | cookie: string &log; 11 | cookie_unesc: string &log; 12 | }; 13 | } 14 | 15 | event bro_init() &priority=5 { 16 | Log::create_stream(Cookie::LOG, [$columns=Info]); 17 | } 18 | 19 | event 
http_header(c: connection, is_orig: bool, name: string, value: string) &priority=5 { 20 | if ( is_orig && name == "COOKIE") { 21 | local unesc_cookie = unescape_URI(value); 22 | local log_rec: Cookie::Info = [$ts=network_time(), $uid=c$uid, $id=c$id, $cookie=value, $cookie_unesc=unesc_cookie]; 23 | Log::write(Cookie::LOG, log_rec); 24 | } 25 | } 26 | -------------------------------------------------------------------------------- /bro-extra/custom.bro: -------------------------------------------------------------------------------- 1 | # This script loads tcprs reordering 2 | @load ./tcprs 3 | 4 | # This script add lat long to ip numbers in orig_loc and dest_loc 5 | @load ./geoip 6 | 7 | # This script extracts cookies from http data 8 | @load ./cookie-log 9 | 10 | # This script loads the signature framework 11 | @load base/frameworks/signatures/main 12 | 13 | # probebly dont need this 14 | @load base/frameworks/notice/actions/add-geodata 15 | 16 | # This script adds various sources of intel with mal-dns see update-intel.sh 17 | @load ./intel 18 | 19 | # This script detects tor traffic 20 | @load ./tordetect 21 | 22 | # This script extracts certificates 23 | @load policy/protocols/ssl/extract-certs-pem 24 | 25 | # This script extracts locations from http uri's 26 | @load ./locationextract 27 | 28 | # This script logs which scripts were loaded during each run. 29 | @load misc/loaded-scripts 30 | 31 | # Apply the default tuning scripts for common tuning settings. 32 | @load tuning/defaults 33 | 34 | # Load the scan detection script. 35 | @load misc/scan 36 | 37 | # Log some information about web applications being used by users 38 | # on your network. 39 | @load misc/app-stats 40 | 41 | # Detect traceroute being run on the network. 42 | @load misc/detect-traceroute 43 | 44 | # Generate notices when vulnerable versions of software are discovered. 45 | # The default is to only monitor software found in the address space defined 46 | # as "local". 
Refer to the software framework's documentation for more 47 | # information. 48 | @load policy/frameworks/software/vulnerable 49 | 50 | # Detect software changing (e.g. attacker installing hacked SSHD). 51 | @load policy/frameworks/software/version-changes 52 | 53 | # Load all of the scripts that detect software in various protocols. 54 | @load policy/protocols/ftp/software 55 | @load policy/protocols/smtp/software 56 | @load policy/protocols/ssh/software 57 | @load policy/protocols/http/software 58 | # The detect-webapps script could possibly cause performance trouble when 59 | # running on live traffic. Enable it cautiously. 60 | #@load protocols/http/detect-webapps 61 | 62 | # This script detects DNS results pointing toward your Site::local_nets 63 | # where the name is not part of your local DNS zone and is being hosted 64 | # externally. Requires that the Site::local_zones variable is defined. 65 | @load policy/protocols/dns/detect-external-names 66 | 67 | # Script to detect various activity in FTP sessions. 68 | @load policy/protocols/ftp/detect 69 | 70 | # Scripts that do asset tracking. 71 | @load policy/protocols/conn/known-hosts 72 | @load policy/protocols/conn/known-services 73 | @load policy/protocols/ssl/known-certs 74 | 75 | # This script enables SSL/TLS certificate validation. 76 | @load policy/protocols/ssl/validate-certs 77 | 78 | # This script prevents the logging of SSL CA certificates in x509.log 79 | @load policy/protocols/ssl/log-hostcerts-only 80 | 81 | # Uncomment the following line to check each SSL certificate hash against the ICSI 82 | # certificate notary service; see http://notary.icsi.berkeley.edu . 83 | @load policy/protocols/ssl/notary 84 | 85 | # Detect hosts doing SSH bruteforce attacks. 86 | @load policy/protocols/ssh/detect-bruteforcing 87 | # Detect logins using "interesting" hostnames. 88 | @load policy/protocols/ssh/interesting-hostnames 89 | 90 | # Detect SQL injection attacks. 
91 | @load policy/protocols/http/detect-sqli 92 | 93 | #### Network File Handling #### 94 | 95 | # Enable MD5 and SHA1 hashing for all files. 96 | @load policy/frameworks/files/hash-all-files 97 | 98 | # Detect SHA1 sums in Team Cymru's Malware Hash Registry. 99 | @load policy/frameworks/files/detect-MHR 100 | 101 | # Uncomment the following line to enable detection of the heartbleed attack. Enabling 102 | # this might impact performance a bit. 103 | @load policy/protocols/ssl/heartbleed 104 | -------------------------------------------------------------------------------- /bro-extra/extract_files.bro: -------------------------------------------------------------------------------- 1 | @load base/frameworks/files 2 | @load base/utils/paths 3 | 4 | module FileExtract; 5 | 6 | export { 7 | ## The prefix where files are extracted to. 8 | const prefix = "/bro/extract_files/" &redef; 9 | 10 | ## The default max size for extracted files (they won't exceed this 11 | ## number of bytes). A value of zero means unlimited. 12 | const default_limit = 0 &redef; 13 | 14 | ## The default web server 15 | const webserver = "http://192.168.99.100:6900" &redef; 16 | 17 | redef record Files::Info += { 18 | ## Local filename of extracted file. 19 | extracted: string &optional &log; 20 | uri: string &optional &log; 21 | }; 22 | 23 | redef record Files::AnalyzerArgs += { 24 | ## The local filename to which to write an extracted file. 25 | ## This field is used in the core by the extraction plugin 26 | ## to know where to write the file to. If not specified, then 27 | ## a filename in the format "extract--" is 28 | ## automatically assigned (using the *source* and *id* 29 | ## fields of :bro:see:`fa_file`). 30 | extract_filename: string &optional; 31 | ## The maximum allowed file size in bytes of *extract_filename*. 
32 | ## Once reached, a :bro:see:`file_extraction_limit` event is 33 | ## raised and the analyzer will be removed unless 34 | ## :bro:see:`FileExtract::set_limit` is called to increase the 35 | ## limit. A value of zero means "no limit". 36 | extract_limit: count &default=default_limit; 37 | }; 38 | 39 | ## Sets the maximum allowed extracted file size. 40 | ## 41 | ## f: A file that's being extracted. 42 | ## 43 | ## args: Arguments that identify a file extraction analyzer. 44 | ## 45 | ## n: Allowed number of bytes to be extracted. 46 | ## 47 | ## Returns: false if a file extraction analyzer wasn't active for 48 | ## the file, else true. 49 | global set_limit: function(f: fa_file, args: Files::AnalyzerArgs, n: count): bool; 50 | } 51 | 52 | function set_limit(f: fa_file, args: Files::AnalyzerArgs, n: count): bool 53 | { 54 | return __set_limit(f$id, args, n); 55 | } 56 | 57 | function on_add(f: fa_file, args: Files::AnalyzerArgs) 58 | { 59 | if ( ! args?$extract_filename ) 60 | args$extract_filename = cat("extract-", f$last_active, "-", f$source, 61 | "-", f$id); 62 | f$info$extracted = args$extract_filename; 63 | f$info$uri = cat(webserver,"/extract_files/",args$extract_filename); 64 | args$extract_filename = build_path_compressed(prefix, args$extract_filename); 65 | mkdir(prefix); 66 | } 67 | 68 | event bro_init() &priority=10 69 | { 70 | Files::register_analyzer_add_callback(Files::ANALYZER_EXTRACT, on_add); 71 | } 72 | -------------------------------------------------------------------------------- /bro-extra/extract_files_template.bro: -------------------------------------------------------------------------------- 1 | @load base/frameworks/files 2 | @load base/utils/paths 3 | 4 | module FileExtract; 5 | 6 | export { 7 | ## The prefix where files are extracted to. 8 | const prefix = "/var/www/html/extract_files/" &redef; 9 | 10 | ## The default max size for extracted files (they won't exceed this 11 | ## number of bytes). A value of zero means unlimited. 
12 | const default_limit = 0 &redef; 13 | 14 | ## The default web server 15 | const webserver = "http://DOCKERHOST" &redef; 16 | 17 | redef record Files::Info += { 18 | ## Local filename of extracted file. 19 | extracted: string &optional &log; 20 | extract_uri: string &optional &log; 21 | }; 22 | 23 | redef record Files::AnalyzerArgs += { 24 | ## The local filename to which to write an extracted file. 25 | ## This field is used in the core by the extraction plugin 26 | ## to know where to write the file to. If not specified, then 27 | ## a filename in the format "extract--" is 28 | ## automatically assigned (using the *source* and *id* 29 | ## fields of :bro:see:`fa_file`). 30 | extract_filename: string &optional; 31 | ## The maximum allowed file size in bytes of *extract_filename*. 32 | ## Once reached, a :bro:see:`file_extraction_limit` event is 33 | ## raised and the analyzer will be removed unless 34 | ## :bro:see:`FileExtract::set_limit` is called to increase the 35 | ## limit. A value of zero means "no limit". 36 | extract_limit: count &default=default_limit; 37 | }; 38 | 39 | ## Sets the maximum allowed extracted file size. 40 | ## 41 | ## f: A file that's being extracted. 42 | ## 43 | ## args: Arguments that identify a file extraction analyzer. 44 | ## 45 | ## n: Allowed number of bytes to be extracted. 46 | ## 47 | ## Returns: false if a file extraction analyzer wasn't active for 48 | ## the file, else true. 49 | global set_limit: function(f: fa_file, args: Files::AnalyzerArgs, n: count): bool; 50 | } 51 | 52 | function set_limit(f: fa_file, args: Files::AnalyzerArgs, n: count): bool 53 | { 54 | return __set_limit(f$id, args, n); 55 | } 56 | 57 | function on_add(f: fa_file, args: Files::AnalyzerArgs) 58 | { 59 | if ( ! 
args?$extract_filename ) 60 | args$extract_filename = cat("extract-", f$last_active, "-", f$source, 61 | "-", f$id); 62 | f$info$extracted = args$extract_filename; 63 | f$info$extract_uri= cat(webserver,"/extract_files/",args$extract_filename); 64 | args$extract_filename = build_path_compressed(prefix, args$extract_filename); 65 | mkdir(prefix); 66 | } 67 | 68 | event bro_init() &priority=10 69 | { 70 | Files::register_analyzer_add_callback(Files::ANALYZER_EXTRACT, on_add); 71 | } 72 | -------------------------------------------------------------------------------- /bro-extra/geoip.bro: -------------------------------------------------------------------------------- 1 | ##! Add geo_location for the originator and responder of a connection 2 | ##! to the connection logs. 3 | 4 | module Conn; 5 | 6 | export 7 | { 8 | redef record Conn::Info += 9 | { 10 | orig_location: string &optional &log; 11 | resp_location: string &optional &log; 12 | }; 13 | } 14 | 15 | event connection_state_remove(c: connection) 16 | { 17 | local orig_loc = lookup_location(c$id$orig_h); 18 | if (orig_loc?$longitude && orig_loc?$latitude) 19 | c$conn$orig_location= cat(orig_loc$latitude,",",orig_loc$longitude); 20 | local resp_loc = lookup_location(c$id$resp_h); 21 | if (resp_loc?$longitude && resp_loc?$latitude) 22 | c$conn$resp_location= cat(resp_loc$latitude,",",resp_loc$longitude); 23 | } 24 | -------------------------------------------------------------------------------- /bro-extra/intel.bro: -------------------------------------------------------------------------------- 1 | @load frameworks/intel/seen 2 | 3 | redef Intel::read_files += { 4 | "/usr/local/bro/share/bro/bro-extra/alienvault.intel", 5 | "/usr/local/bro/share/bro/bro-extra/ciarmy.intel", 6 | "/usr/local/bro/share/bro/bro-extra/malhosts.intel", 7 | "/usr/local/bro/share/bro/bro-extra/mandiant.intel", 8 | "/usr/local/bro/share/bro/bro-extra/snort.intel", 9 | "/usr/local/bro/share/bro/bro-extra/botcc.intel", 10 | 
"/usr/local/bro/share/bro/bro-extra/compromised.intel", 11 | "/usr/local/bro/share/bro/bro-extra/malips.intel", 12 | "/usr/local/bro/share/bro/bro-extra/tor.intel" 13 | }; 14 | -------------------------------------------------------------------------------- /bro-extra/locationextract.bro: -------------------------------------------------------------------------------- 1 | module Location; 2 | 3 | @load base/utils/exec 4 | 5 | export 6 | { 7 | redef enum Log::ID += { LOG }; 8 | 9 | type Info: record 10 | { 11 | ts: time &log; 12 | uid: string &log; 13 | origin: string &log; 14 | ext_location: string &log; 15 | }; 16 | } 17 | 18 | global title_set: set[string]; 19 | 20 | event bro_init() &priority=5 21 | { 22 | Log::create_stream(Location::LOG, [$columns=Info]); 23 | } 24 | 25 | event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string) 26 | { 27 | local origin: string; 28 | local location_extracted: string=""; 29 | #look for the word long and lat 30 | if ( /lati?t?u?d?e?=([0-9]{1,2}[.][0-9]+)/ in unescaped_URI && /lo?ngi?t?u?d?e?=([0-9]{1,3}[.][0-9]+)/ in unescaped_URI ) 31 | { 32 | local latstring = find_last(unescaped_URI,/lati?t?u?d?e?=([0-9]{1,2}[.][0-9]+)/); 33 | local latitude = split_string1(latstring,/=/); 34 | local longstring = find_last(unescaped_URI,/lo?ngi?t?u?d?e?=([0-9]{1,3}[.][0-9]+)/); 35 | local longitude = split_string1(longstring,/=/); 36 | if ( 1 in latitude && 1 in longitude && to_double(latitude[1]) != 0) 37 | { 38 | origin = "uri_name"; 39 | location_extracted = cat(latitude[1],",",longitude[1]); 40 | } } 41 | # look for coordinate pairs 42 | else if ( /=[0-8]?[0-9][.][0-9]{3,}[,][1]?[0-9]?[0-9][.][0-9]{3,}/ in unescaped_URI) 43 | { 44 | local coordinatestring = find_last(unescaped_URI,/=([0-8]?[0-9][.][0-9]{3,}[,][1]?[0-9]?[0-9][.][0-9]{3,})/); 45 | local cleanstring = split_string1(coordinatestring,/=/); 46 | local coordinate = split_string1(cleanstring[1],/,/); 47 | if (1 in coordinate 
&& to_double(coordinate[0]) != 0) 48 | { 49 | origin = "uri_pair"; 50 | location_extracted = cat(coordinate[0],",",coordinate[1]); 51 | } 52 | } 53 | if (location_extracted != "") { 54 | local log_rec: Location::Info = [$ts=network_time(), $uid=c$uid, $origin=origin , $ext_location=location_extracted]; 55 | Log::write(Location::LOG, log_rec); 56 | } 57 | } 58 | 59 | event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=2 60 | { 61 | local origin: string; 62 | local location_extracted: string=""; 63 | if ( is_orig && name == "COOKIE") 64 | { 65 | local unesc_cookie = unescape_URI(value); 66 | if ( /lati?t?u?d?e?=([0-9]{1,2}[.][0-9]+)/ in unesc_cookie && /lo?ngi?t?u?d?e?=([0-9]{1,3}[.][0-9]+)/ in unesc_cookie) 67 | { 68 | local latstring = find_last(unesc_cookie,/lati?t?u?d?e?=([0-9]{1,2}[.][0-9]+)/); 69 | local latitude = split_string1(latstring,/=/); 70 | local longstring = find_last(unesc_cookie,/lo?ngi?t?u?d?e?=([0-9]{1,3}[.][0-9]+)/); 71 | local longitude = split_string1(longstring,/=/); 72 | if ( 1 in latitude && 1 in longitude && to_double(latitude[1]) != 0) 73 | { 74 | origin = "cookie_name"; 75 | location_extracted = cat(latitude[1],",",longitude[1]); 76 | } 77 | } 78 | else if ( /location=[1]?[0-9]?[0-9][.][0-9]{3,}[|][0-8]?[0-9][.][0-9]{3,}/ in unesc_cookie) 79 | { 80 | local coordinatestring = find_last(unesc_cookie,/([1]?[0-9]?[0-9][.][0-9]{3,}[|][0-8]?[0-9][.][0-9]{3,})/); 81 | local coordinate = split_string1(coordinatestring,/[|]/); 82 | if (1 in coordinate && to_double(coordinate[0]) != 0) 83 | { 84 | origin = "cookie_pair"; 85 | location_extracted = cat(coordinate[1],",",coordinate[0]); 86 | } 87 | 88 | } 89 | } 90 | 91 | if (location_extracted != "") { 92 | local log_rec: Location::Info = [$ts=network_time(), $uid=c$uid, $origin=origin , $ext_location=location_extracted]; 93 | Log::write(Location::LOG, log_rec); 94 | } 95 | } 96 | -------------------------------------------------------------------------------- 
/bro-extra/logs-to-elasticsearch.bro: -------------------------------------------------------------------------------- 1 | ##! Load this script to enable global log output to an ElasticSearch database. 2 | 3 | module LogElasticSearch; 4 | 5 | export { 6 | ## An elasticsearch specific rotation interval. 7 | const rotation_interval = 1hr &redef; 8 | 9 | ## Optionally ignore any :bro:type:`Log::ID` from being sent to 10 | ## ElasticSearch with this script. 11 | const excluded_log_ids: set[Log::ID] &redef; 12 | 13 | ## If you want to explicitly only send certain :bro:type:`Log::ID` 14 | ## streams, add them to this set. If the set remains empty, all will 15 | ## be sent. The :bro:id:`LogElasticSearch::excluded_log_ids` option 16 | ## will remain in effect as well. 17 | const send_logs: set[Log::ID] &redef; 18 | 19 | ## Set the separator 20 | redef Log::default_scope_sep = "_"; 21 | } 22 | 23 | event bro_init() &priority=-5 24 | { 25 | if ( server_host == "" ) 26 | return; 27 | 28 | for ( stream_id in Log::active_streams ) 29 | { 30 | if ( stream_id in excluded_log_ids || 31 | (|send_logs| > 0 && stream_id !in send_logs) ) 32 | next; 33 | 34 | local filter: Log::Filter = [$name = "default-es", 35 | $writer = Log::WRITER_ELASTICSEARCH, 36 | $interv = LogElasticSearch::rotation_interval]; 37 | Log::add_filter(stream_id, filter); 38 | } 39 | } 40 | -------------------------------------------------------------------------------- /bro-extra/mac-logging.bro: -------------------------------------------------------------------------------- 1 | ##! This script adds link-layer address (MAC) information to the connection logs 2 | 3 | @load base/protocols/conn 4 | 5 | module Conn; 6 | 7 | redef record Info += { 8 | ## Link-layer address of the originator, if available. 9 | orig_l2_addr: string &log &optional; 10 | ## Link-layer address of the responder, if available. 
11 | resp_l2_addr: string &log &optional; 12 | }; 13 | 14 | # Add the link-layer addresses to the Conn::Info structure after the connection 15 | # has been removed. This ensures it's only done once, and is done before the 16 | # connection information is written to the log. 17 | event connection_state_remove(c: connection) 18 | { 19 | if ( c$orig?$l2_addr ) 20 | c$conn$orig_l2_addr = c$orig$l2_addr; 21 | 22 | if ( c$resp?$l2_addr ) 23 | c$conn$resp_l2_addr = c$resp$l2_addr; 24 | } 25 | -------------------------------------------------------------------------------- /bro-extra/packets-broker.bro: -------------------------------------------------------------------------------- 1 | const broker_port: port = 9999/tcp &redef; 2 | redef BrokerComm::endpoint_name = "events"; 3 | export { 4 | global bro_packet: event(p: pkt_hdr); 5 | } 6 | event bro_init() 7 | { 8 | BrokerComm::enable(); 9 | BrokerComm::listen(broker_port, "127.0.0.1"); 10 | BrokerComm::auto_event("bro/event/bro_packet", bro_packet); 11 | } 12 | event new_packet(c:connection, p: pkt_hdr) { event bro_packet(p); } 13 | -------------------------------------------------------------------------------- /bro-extra/tcprs.bro: -------------------------------------------------------------------------------- 1 | event bro_init() 2 | { 3 | TCPRS::EnableTCPRSAnalyzer(); 4 | } 5 | -------------------------------------------------------------------------------- /bro-extra/tordetect.bro: -------------------------------------------------------------------------------- 1 | module DetectTor; 2 | 3 | event ssl_established(c: connection ) &priority=6 4 | { 5 | if ( c$ssl?$subject && /^CN=www.[0-9a-zA-Z]+.(net|com)$/ == c$ssl$subject && c$ssl?$issuer && /^CN=www.[0-9a-zA-Z]+.(com|net)$/ == c$ssl$issuer ) 6 | { 7 | add c$service["tor"]; 8 | } 9 | } 10 | -------------------------------------------------------------------------------- /bro-patch/ElasticSearch.cc.patch: 
-------------------------------------------------------------------------------- 1 | 66c66 2 | < json = new threading::formatter::JSON(this, threading::formatter::JSON::TS_MILLIS); 3 | --- 4 | > json = new threading::formatter::JSON(this, threading::formatter::JSON::TS_ISO8601); 5 | 146,148d145 6 | < buffer.AddRaw("\"_timestamp\":", 13); 7 | < buffer.Add((uint64) (network_time * 1000)); 8 | < buffer.AddRaw(",", 1); 9 | -------------------------------------------------------------------------------- /docker-compose.yml: -------------------------------------------------------------------------------- 1 | # Compose Bro-debian-elasicsearch cluster 2 | # set DOCKERHOST with export DOCKERHOST=192.168.1.2:8080 3 | # 4 | # VOLUMES 5 | elastic-data-master: 6 | image: tianon/true 7 | volumes: 8 | - /usr/share/elasticsearch/data 9 | 10 | elastic-data-node01: 11 | image: tianon/true 12 | volumes: 13 | - /usr/share/elasticsearch/data 14 | 15 | elastic-data-node02: 16 | image: tianon/true 17 | volumes: 18 | - /usr/share/elasticsearch/data 19 | 20 | # nginx 21 | nginx: 22 | image: danielguerra/bro-elasticsearch-nginx 23 | hostname: nginx 24 | links: 25 | - "elasticsearch-master:master" 26 | - "elasticsearch-node01:node01" 27 | - "elasticsearch-node02:node02" 28 | ports: 29 | - "9200:9200" 30 | - "9300:9300" 31 | 32 | # ELASTICSEARCH 33 | elasticsearch-master: 34 | image: danielguerra/alpine-elasticsearch 35 | command: -Des.network.bind_host=elasticsearch-master --cluster.name=bro --node.name=elasticsearch-master --discovery.zen.ping.multicast.enabled=false --network.host=elasticsearch-master 36 | hostname: elasticsearch-master 37 | volumes_from: 38 | - "elastic-data-master" 39 | 40 | elasticsearch-node01: 41 | image: danielguerra/alpine-elasticsearch 42 | command: -Des.network.bind_host=elasticsearch-node01 --cluster.name=bro --node.name=elasticsearch-node01 --discovery.zen.ping.unicast.hosts=master:9300 --network.host=elasticsearch-node01 43 | hostname: elasticsearch-node01 44 | 
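Review bot: The 146,148d145 hunk drops the `_timestamp` field that carried `network_time` on every document, so after this patch a record's event time depends entirely on the log's own `ts` column now being emitted as ISO 8601 (the 66c66 change), and nothing in the patch shows the Elasticsearch index template mapping that column as a date; confirm it does before relying on time-based queries. The patch is also a normal (ed-style) diff keyed to absolute line numbers 66 and 146-148 with no context lines, so it will stop applying as soon as upstream ElasticSearch.cc shifts by a line; regenerating it with `diff -u` lets `patch` apply with offsets and fuzz. The functions containing both changes lie outside the hunk.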
links: 45 | - "elasticsearch-master:master" 46 | volumes_from: 47 | - "elastic-data-node01" 48 | 49 | elasticsearch-node02: 50 | image: danielguerra/alpine-elasticsearch 51 | command: -Des.network.bind_host=elasticsearch-node02 --cluster.name=bro --node.name=elasticsearch-node02 --discovery.zen.ping.unicast.hosts=master:9300 --network.host=elasticsearch-node02 52 | hostname: elasticsearch-node02 53 | links: 54 | - "elasticsearch-master:master" 55 | volumes_from: 56 | - "elastic-data-node02" 57 | 58 | # KIBANA 59 | kibana: 60 | image: kibana:4.6 61 | hostname: kibana 62 | ports: 63 | - "5601:5601" 64 | links: 65 | - "nginx:elasticsearch" 66 | 67 | # BRO 68 | bro-xinitd-forensic: 69 | image: danielguerra/bro-debian-elasticsearch 70 | command: /role/xinetd-forensic $DOCKERHOST 71 | hostname: bro-xinetd-forensic 72 | links: 73 | - "nginx:elasticsearch" 74 | ports: 75 | - "1969:1969" 76 | - "8080:80" 77 | 78 | # mapping 79 | bro-mapping: 80 | image: danielguerra/bro-debian-elasticsearch 81 | command: /scripts/bro-mapping.sh 82 | links: 83 | - "nginx:elasticsearch" 84 | 85 | # kibana config 86 | kibana-config: 87 | image: danielguerra/bro-kibana-config 88 | links: 89 | - "elasticsearch-master:elasticsearch" 90 | -------------------------------------------------------------------------------- /docker-compose/alpine-elasticsearch/docker-compose.yml: -------------------------------------------------------------------------------- 1 | # Compose Bro-alpine-elasicsearch cluster 2 | # 3 | 4 | # VOLUMES 5 | elastic-data-master: 6 | image: tianon/true 7 | volumes: 8 | - /usr/share/elasticsearch/data 9 | 10 | elastic-data-node01: 11 | image: tianon/true 12 | volumes: 13 | - /usr/share/elasticsearch/data 14 | 15 | elastic-data-node02: 16 | image: tianon/true 17 | volumes: 18 | - /usr/share/elasticsearch/data 19 | 20 | pcap-data: 21 | image: tianon/true 22 | volumes: 23 | - /data/pcap 24 | 25 | # ELASTICSEARCH nodes 26 | elasticsearch-master: 27 | image: 
danielguerra/alpine-elasticsearch 28 | command: -Des.network.bind_host=elasticsearch-master --cluster.name=bro --node.name=elasticsearch-master --discovery.zen.ping.multicast.enabled=false --network.host=elasticsearch-master 29 | hostname: elasticsearch-master 30 | volumes_from: 31 | - "elastic-data-master" 32 | 33 | elasticsearch-node01: 34 | image: danielguerra/alpine-elasticsearch 35 | command: -Des.network.bind_host=elasticsearch-node01 --cluster.name=bro --node.name=elasticsearch-node01 --discovery.zen.ping.unicast.hosts=master:9300 --network.host=elasticsearch-node01 36 | hostname: elasticsearch-node01 37 | links: 38 | - "elasticsearch-master:master" 39 | volumes_from: 40 | - "elastic-data-node01" 41 | 42 | elasticsearch-node02: 43 | image: danielguerra/alpine-elasticsearch 44 | command: -Des.network.bind_host=elasticsearch-node02 --cluster.name=bro --node.name=elasticsearch-node02 --discovery.zen.ping.unicast.hosts=master:9300 --network.host=elasticsearch-node02 45 | hostname: elasticsearch-node02 46 | links: 47 | - "elasticsearch-master:master" 48 | volumes_from: 49 | - "elastic-data-node02" 50 | 51 | nginx: 52 | image: danielguerra/bro-elasticsearch-nginx 53 | hostname: nginx 54 | links: 55 | - "elasticsearch-master:master" 56 | - "elasticsearch-node01:node01" 57 | - "elasticsearch-node02:node02" 58 | ports: 59 | - "9200:9200" 60 | - "9300:9300" 61 | 62 | # KIBANA 63 | kibana: 64 | image: danielguerra/alpine-kibana 65 | hostname: kibana 66 | ports: 67 | - "5601:5601" 68 | links: 69 | - "nginx:elasticsearch" 70 | 71 | # BRO 72 | bro: 73 | image: danielguerra/bro-alpine-elasticsearch 74 | hostname: bro 75 | links: 76 | - "nginx:elasticsearch" 77 | volumes_from: 78 | - "pcap-data" 79 | 80 | # kibana config 81 | #kibana-config: 82 | # image: danielguerra/bro-kibana-config 83 | # links: 84 | # - "elasticsearch-master:elasticsearch" 85 | -------------------------------------------------------------------------------- /docker-compose/bro-desktop/Readme.md: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/danielguerra69/bro-debian-elasticsearch/b31984020b382c7ae1360d0f877422523b9b539e/docker-compose/bro-desktop/Readme.md -------------------------------------------------------------------------------- /docker-compose/bro-desktop/docker-compose.yml: -------------------------------------------------------------------------------- 1 | # Compose Bro-Desktop 2 | # 3 | version: '2' 4 | 5 | services: 6 | 7 | # ELASTICSEARCH nodes 8 | elasticsearch-master: 9 | image: danielguerra/alpine-elasticsearch 10 | command: -Des.network.bind_host=elasticsearch-master --cluster.name=bro --node.name=elasticsearch-master --discovery.zen.ping.multicast.enabled=false --network.host=elasticsearch-master 11 | hostname: elasticsearch-master 12 | volumes: 13 | - elastic-data-master:/usr/share/elasticsearch/data 14 | 15 | elasticsearch-node01: 16 | image: danielguerra/alpine-elasticsearch 17 | command: -Des.network.bind_host=elasticsearch-node01 --cluster.name=bro --node.name=elasticsearch-node01 --discovery.zen.ping.unicast.hosts=master:9300 --network.host=elasticsearch-node01 18 | hostname: elasticsearch-node01 19 | links: 20 | - "elasticsearch-master:master" 21 | volumes: 22 | - elastic-data-node01:/usr/share/elasticsearch/data 23 | 24 | elasticsearch-node02: 25 | image: danielguerra/alpine-elasticsearch 26 | command: -Des.network.bind_host=elasticsearch-node02 --cluster.name=bro --node.name=elasticsearch-node02 --discovery.zen.ping.unicast.hosts=master:9300 --network.host=elasticsearch-node02 27 | hostname: elasticsearch-node02 28 | links: 29 | - "elasticsearch-master:master" 30 | volumes: 31 | - elastic-data-node02:/usr/share/elasticsearch/data 32 | 33 | # nginx 34 | nginx: 35 | image: danielguerra/bro-elasticsearch-nginx 36 | hostname: nginx 37 | links: 38 | - "elasticsearch-master:master" 39 | - "elasticsearch-node01:node01" 40 | - "elasticsearch-node02:node02" 41 | 42 | # 
KIBANA 43 | kibana: 44 | image: danielguerra/alpine-kibana 45 | hostname: kibana 46 | links: 47 | - "nginx:elasticsearch" 48 | 49 | # BRO 50 | bro: 51 | image: danielguerra/bro-debian-elasticsearch 52 | command: /role/xinetd-forensic bro:80 53 | hostname: bro 54 | volumes: 55 | - pcap-data:/bro/pcap/ 56 | - extracted-data:/var/www/html/extract_files/ 57 | links: 58 | - "nginx:elasticsearch" 59 | 60 | # mapping 61 | bro-mapping: 62 | image: danielguerra/bro-debian-elasticsearch 63 | command: /scripts/bro-mapping.sh 64 | links: 65 | - "nginx:elasticsearch" 66 | 67 | # kibana config 68 | kibana-config: 69 | image: danielguerra/bro-kibana-config 70 | links: 71 | - "elasticsearch-master:elasticsearch" 72 | 73 | #desktop 74 | desktop: 75 | image: danielguerra/alpine-xfce4-xrdp 76 | hostname: desktop 77 | volumes: 78 | - ssh-keys:/home/alpine/.ssh 79 | - pcap-data:/home/alpine/pcap 80 | links: 81 | - "kibana:kibana" 82 | - "bro:bro" 83 | - "grafana:grafana" 84 | ports: 85 | - "7777:22" 86 | 87 | #grafana 88 | grafana: 89 | image: grafana/grafana 90 | hostname: grafanana 91 | environment: 92 | - GF_SERVER_ROOT_URL "http://127.0.0.1:3000" 93 | - GF_SECURITY_ADMIN_PASSWORD "mypass" 94 | links: 95 | - elasticsearch-master 96 | - elasticsearch-node01 97 | - elasticsearch-node02 98 | - kibana 99 | - bro 100 | - nginx 101 | 102 | volumes: 103 | ssh-keys: 104 | pcap-data: 105 | extracted-data: 106 | elastic-data-master: 107 | elastic-data-node01: 108 | elastic-data-node02: 109 | -------------------------------------------------------------------------------- /docker-compose/bro-proxy-dump/commands: -------------------------------------------------------------------------------- 1 | docker run --rm --net=container:root_tor-proxy_1 crccheck/tcpdump -i eth0 -w - | docker-compose run bro 2 | -------------------------------------------------------------------------------- /docker-compose/bro-proxy-dump/docker-compose.yml: 
# Compose Bro-alpine-elasticsearch cluster
elasticsearch-node01 80 | links: 81 | - "elasticsearch-master:master" 82 | volumes_from: 83 | - "elastic-data-node01" 84 | 85 | elasticsearch-node02: 86 | image: danielguerra/alpine-elasticsearch 87 | command: -Des.network.bind_host=elasticsearch-node02 --cluster.name=bro --node.name=elasticsearch-node02 --discovery.zen.ping.unicast.hosts=master:9300 --network.host=elasticsearch-node02 88 | hostname: elasticsearch-node02 89 | links: 90 | - "tor-proxy:proxy" 91 | - "elasticsearch-master:master" 92 | volumes_from: 93 | - "elastic-data-node02" 94 | 95 | # KIBANA 96 | kibana: 97 | image: kibana 98 | hostname: kibana 99 | ports: 100 | - "5601:5601" 101 | links: 102 | - "elasticsearch-master:elasticsearch" 103 | 104 | # BRO 105 | bro: 106 | image: danielguerra/bro-alpine-elasticsearch 107 | command: bro -r - 108 | links: 109 | - "elasticsearch-master:elasticsearch" 110 | volumes: 111 | - "/pcap:/data/pcap" 112 | 113 | # kibana config 114 | kibana-config: 115 | image: danielguerra/bro-kibana-config 116 | links: 117 | - "elasticsearch-master:elasticsearch" 118 | -------------------------------------------------------------------------------- /docker-compose/debian-elasticsearch/docker-compose.yml: -------------------------------------------------------------------------------- 1 | # Compose Bro-debian-elasicsearch cluster 2 | # set DOCKERHOST with export DOCKERHOST=192.168.1.2 3 | # 4 | # VOLUMES 5 | elastic-data-master: 6 | image: tianon/true 7 | volumes: 8 | - /usr/share/elasticsearch/data 9 | 10 | elastic-data-node01: 11 | image: tianon/true 12 | volumes: 13 | - /usr/share/elasticsearch/data 14 | 15 | elastic-data-node02: 16 | image: tianon/true 17 | volumes: 18 | - /usr/share/elasticsearch/data 19 | 20 | # nginx 21 | nginx: 22 | image: danielguerra/bro-elasticsearch-nginx 23 | hostname: nginx 24 | links: 25 | - "elasticsearch-master:master" 26 | - "elasticsearch-node01:node01" 27 | - "elasticsearch-node02:node02" 28 | ports: 29 | - "9200:9200" 30 | - "9300:9300" 31 | 
32 | # ELASTICSEARCH 33 | elasticsearch-master: 34 | image: danielguerra/alpine-elasticsearch 35 | command: -Des.network.bind_host=elasticsearch-master --cluster.name=bro --node.name=elasticsearch-master --discovery.zen.ping.multicast.enabled=false --network.host=elasticsearch-master 36 | hostname: elasticsearch-master 37 | volumes_from: 38 | - "elastic-data-master" 39 | 40 | elasticsearch-node01: 41 | image: danielguerra/alpine-elasticsearch 42 | command: -Des.network.bind_host=elasticsearch-node01 --cluster.name=bro --node.name=elasticsearch-node01 --discovery.zen.ping.unicast.hosts=master:9300 --network.host=elasticsearch-node01 43 | hostname: elasticsearch-node01 44 | links: 45 | - "elasticsearch-master:master" 46 | volumes_from: 47 | - "elastic-data-node01" 48 | 49 | elasticsearch-node02: 50 | image: danielguerra/alpine-elasticsearch 51 | command: -Des.network.bind_host=elasticsearch-node02 --cluster.name=bro --node.name=elasticsearch-node02 --discovery.zen.ping.unicast.hosts=master:9300 --network.host=elasticsearch-node02 52 | hostname: elasticsearch-node02 53 | links: 54 | - "elasticsearch-master:master" 55 | volumes_from: 56 | - "elastic-data-node02" 57 | 58 | # KIBANA 59 | kibana: 60 | image: kibana:4.6 61 | hostname: kibana 62 | ports: 63 | - "5601:5601" 64 | links: 65 | - "nginx:elasticsearch" 66 | 67 | # BRO 68 | bro-xinitd-forensic: 69 | image: danielguerra/bro-debian-elasticsearch 70 | command: /role/xinetd-forensic $DOCKERHOST 71 | hostname: bro-xinetd-forensic 72 | links: 73 | - "nginx:elasticsearch" 74 | ports: 75 | - "1969:1969" 76 | - "8080:80" 77 | 78 | # mapping 79 | bro-mapping: 80 | image: danielguerra/bro-debian-elasticsearch 81 | command: /scripts/bro-mapping.sh 82 | links: 83 | - "nginx:elasticsearch" 84 | 85 | # kibana config 86 | kibana-config: 87 | image: danielguerra/bro-kibana-config 88 | links: 89 | - "elasticsearch-master:elasticsearch" 90 | -------------------------------------------------------------------------------- 
/php/index.php: -------------------------------------------------------------------------------- 1 | 10 | -------------------------------------------------------------------------------- /role/amqp-amqp: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # usage /role/amqp-amqp USER PASS HOST QUEUE USER PASS HOST EXCHANGE 3 | # the first group is for the consumer (queue contains pcap) the second group for the producer (bro's results) 4 | 5 | # set output to stdout 6 | sed -i "s/const output_to_stdout = F \&redef/const output_to_stdout = T \&redef/g" /usr/local/bro/share/bro/base/frameworks/logging/writers/ascii.bro 7 | # set output to json 8 | sed -i "s/const use_json = F \&redef/const use_json = T \&redef/g" /usr/local/bro/share/bro/base/frameworks/logging/writers/ascii.bro 9 | # set time to iso8601 10 | sed -i "s/const json_timestamps: JSON::TimestampFormat = JSON::TS_MILLIS \&redef/const json_timestamps: JSON::TimestampFormat = JSON::TS_ISO8601 \&redef/g" /usr/local/bro/share/bro/base/frameworks/logging/writers/ascii.bro 11 | #log passwords 12 | sed -i "s/default_capture_password = F/default_capture_password = T/" /usr/local/bro/share/bro/base/protocols/ftp/info.bro 13 | sed -i "s/default_capture_password = F/default_capture_password = T/" /usr/local/bro/share/bro/base/protocols/http/main.bro 14 | 15 | # run the pipe of consumer to bro to publisher 16 | while [ 1 ] 17 | do 18 | /usr/bin/amqp-consume --url=amqp://$1:$2@$3 --queue=$4 /usr/local/bro/bin/bro -r - | /usr/bin/amqp-publish -p -l --url=amqp://$5:$6@$7 --exchange=$8 19 | done 20 | -------------------------------------------------------------------------------- /role/broctl: -------------------------------------------------------------------------------- 1 | broctl 2 | -------------------------------------------------------------------------------- /role/cmd-bare: -------------------------------------------------------------------------------- 1 | 
#!/bin/bash 2 | /bin/bash 3 | -------------------------------------------------------------------------------- /role/cmd-elasticsearch: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # This script sets all logs to elasticsearch 3 | echo "@load ./logs-to-elasticsearch" >> /usr/local/bro/share/bro/bro-extra/bro-extra.bro 4 | # stop local logging 5 | sed -i "s/default_writer = WRITER_ASCII/default_writer = WRITER_NONE/g" /usr/local/bro/share/bro/base/frameworks/logging/main.bro 6 | #log passwords 7 | sed -i "s/default_capture_password = F/default_capture_password = T/" /usr/local/bro/share/bro/base/protocols/ftp/info.bro 8 | sed -i "s/default_capture_password = F/default_capture_password = T/" /usr/local/bro/share/bro/base/protocols/http/main.bro 9 | #start shell 10 | /bin/bash 11 | -------------------------------------------------------------------------------- /role/cmd-forensic: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # This script sets file extraction from known protocols and password extraction 4 | echo "@load policy/frameworks/files/extract-all-files" >> /usr/local/bro/share/bro/bro-extra/bro-extra.bro 5 | #log passwords 6 | sed -i "s/default_capture_password = F/default_capture_password = T/" /usr/local/bro/share/bro/base/protocols/ftp/info.bro 7 | sed -i "s/default_capture_password = F/default_capture_password = T/" /usr/local/bro/share/bro/base/protocols/http/main.bro 8 | 9 | /bin/bash 10 | -------------------------------------------------------------------------------- /role/dump-elasticsearch: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # This script sets all logs to elasticsearch 3 | echo "@load ./logs-to-elasticsearch" >> /usr/local/bro/share/bro/bro-extra/bro-extra.bro 4 | # stop local logging 5 | sed -i "s/default_writer = WRITER_ASCII/default_writer = WRITER_NONE/g" 
/usr/local/bro/share/bro/base/frameworks/logging/main.bro 6 | #log passwords 7 | sed -i "s/default_capture_password = F/default_capture_password = T/" /usr/local/bro/share/bro/base/protocols/ftp/info.bro 8 | sed -i "s/default_capture_password = F/default_capture_password = T/" /usr/local/bro/share/bro/base/protocols/http/main.bro 9 | #start bro 10 | bro -i eth0 11 | -------------------------------------------------------------------------------- /role/sshd: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | mkdir -p /var/run/sshd 4 | sed -i "s/UsePrivilegeSeparation.*/UsePrivilegeSeparation no/g" /etc/ssh/sshd_config 5 | sed -i "s/UsePAM.*/UsePAM no/g" /etc/ssh/sshd_config 6 | sed -i "s/PermitRootLogin.*/PermitRootLogin yes/g" /etc/ssh/sshd_config 7 | sed -i "s/#AuthorizedKeysFile/AuthorizedKeysFile/g" /etc/ssh/sshd_config 8 | /usr/sbin/sshd -D 9 | -------------------------------------------------------------------------------- /role/stdin-amqp: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # usage /role/stdin-amqp USER PASS HOST EXCHANGE 3 | 4 | # set output to stdout 5 | sed -i "s/const output_to_stdout = F \&redef/const output_to_stdout = T \&redef/g" /usr/local/bro/share/bro/base/frameworks/logging/writers/ascii.bro 6 | # set output to json 7 | sed -i "s/const use_json = F \&redef/const use_json = T \&redef/g" /usr/local/bro/share/bro/base/frameworks/logging/writers/ascii.bro 8 | # set time to iso8601 9 | sed -i "s/const json_timestamps: JSON::TimestampFormat = JSON::TS_MILLIS \&redef/const json_timestamps: JSON::TimestampFormat = JSON::TS_ISO8601 \&redef/g" /usr/local/bro/share/bro/base/frameworks/logging/writers/ascii.bro 10 | #log passwords 11 | sed -i "s/default_capture_password = F/default_capture_password = T/" /usr/local/bro/share/bro/base/protocols/ftp/info.bro 12 | sed -i "s/default_capture_password = F/default_capture_password = T/" 
/usr/local/bro/share/bro/base/protocols/http/main.bro 13 | # run the pipe of consumer to bro to publisher 14 | /usr/local/bro/bin/bro -r - | /usr/bin/amqp-publish -p -l --url=amqp://$1:$2@$2 --exchange=$4 15 | -------------------------------------------------------------------------------- /role/stdin-elasticsearch: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # This script sets all logs to elasticsearch 3 | echo "@load ./logs-to-elasticsearch" >> /usr/local/bro/share/bro/bro-extra/bro-extra.bro 4 | # stop local logging 5 | sed -i "s/default_writer = WRITER_ASCII/default_writer = WRITER_NONE/g" /usr/local/bro/share/bro/base/frameworks/logging/main.bro 6 | #log passwords 7 | sed -i "s/default_capture_password = F/default_capture_password = T/" /usr/local/bro/share/bro/base/protocols/ftp/info.bro 8 | sed -i "s/default_capture_password = F/default_capture_password = T/" /usr/local/bro/share/bro/base/protocols/http/main.bro 9 | #start shell 10 | /usr/local/bro/bin/bro -r - 11 | -------------------------------------------------------------------------------- /role/stdin-forensic: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # This script sets all logs to elasticsearch 3 | echo "@load ./logs-to-elasticsearch" >> /usr/local/bro/share/bro/bro-extra/bro-extra.bro 4 | #This script adds pcap url per socket in conn logs 5 | echo "@load ./conn_pcap.bro" >> /usr/local/bro/share/bro/bro-extra/bro-extra.bro 6 | # enable extraction 7 | echo "@load policy/frameworks/files/extract-all-files" >> /usr/local/bro/share/bro/bro-extra/bro-extra.bro 8 | # This script sets file extraction from known protocols and adds an uri to the extracted files 9 | echo "@load base/files/extract" >> /usr/local/bro/share/bro/bro-extra/bro-extra.bro 10 | # stop local logging 11 | sed -i "s/default_writer = WRITER_ASCII/default_writer = WRITER_NONE/g" 
/usr/local/bro/share/bro/base/frameworks/logging/main.bro 12 | #log passwords 13 | sed -i "s/default_capture_password = F/default_capture_password = T/" /usr/local/bro/share/bro/base/protocols/ftp/info.bro 14 | sed -i "s/default_capture_password = F/default_capture_password = T/" /usr/local/bro/share/bro/base/protocols/http/main.bro 15 | #start supervisor daemon 16 | /usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf 17 | export DOCKERHOST=$1 18 | cp /usr/local/bro/share/bro/bro-extra/extract_files_template.bro /usr/local/bro/share/bro/base/files/extract/main.bro 19 | sed -i "s/DOCKERHOST/${DOCKERHOST}/g" /usr/local/bro/share/bro/base/files/extract/main.bro 20 | 21 | #pcap file and settings 22 | export PCAPFILE=`tempfile -d /bro/pcap -p bro- -s .pcap` 23 | cp /usr/local/bro/share/bro/bro-extra/conn_pcap_template.bro /usr/local/bro/share/bro/bro-extra/conn_pcap.bro 24 | sed -i "s:PCAPFILE:${PCAPFILE}:" /usr/local/bro/share/bro/bro-extra/conn_pcap.bro 25 | sed -i "s/DOCKERHOST/${DOCKERHOST}/g" /usr/local/bro/share/bro/bro-extra/conn_pcap.bro 26 | # set file permissions for apache 27 | chown www-data:www-data ${PCAPFILE} 28 | chmod a+r ${PCAPFILE} 29 | #cmd 30 | bro -r - -w ${PCAPFILE} 31 | -------------------------------------------------------------------------------- /role/xinetd-amqp: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Usage /role/xinetd-elasticsearch USER PASS HOST EXCHANGE 3 | cp /xinetd/bro-amqp /etc/xinetd.d/bro 4 | # set output to stdout 5 | sed -i "s/server_args = AMQPCONF/server_args = $1 $2 $3 $4/" /etc/xinetd.d/bro 6 | sed -i "s/const output_to_stdout = F \&redef/const output_to_stdout = T \&redef/g" /usr/local/bro/share/bro/base/frameworks/logging/writers/ascii.bro 7 | # set output to json 8 | sed -i "s/const use_json = F \&redef/const use_json = T \&redef/g" /usr/local/bro/share/bro/base/frameworks/logging/writers/ascii.bro 9 | # set time to iso8601 10 | sed -i "s/const 
json_timestamps: JSON::TimestampFormat = JSON::TS_MILLIS \&redef/const json_timestamps: JSON::TimestampFormat = JSON::TS_ISO8601 \&redef/g" /usr/local/bro/share/bro/base/frameworks/logging/writers/ascii.bro 11 | #log passwords 12 | sed -i "s/default_capture_password = F/default_capture_password = T/" /usr/local/bro/share/bro/base/protocols/ftp/info.bro 13 | sed -i "s/default_capture_password = F/default_capture_password = T/" /usr/local/bro/share/bro/base/protocols/http/main.bro 14 | #start xinetd 15 | /usr/sbin/xinetd -dontfork 16 | -------------------------------------------------------------------------------- /role/xinetd-elasticsearch: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | cp /xinetd/bro /etc/xinetd.d/bro 3 | # This script sets all logs to elasticsearch 4 | echo "@load ./logs-to-elasticsearch" >> /usr/local/bro/share/bro/bro-extra/bro-extra.bro 5 | # stop local logging 6 | sed -i "s/default_writer = WRITER_ASCII/default_writer = WRITER_NONE/g" /usr/local/bro/share/bro/base/frameworks/logging/main.bro 7 | #log passwords 8 | sed -i "s/default_capture_password = F/default_capture_password = T/" /usr/local/bro/share/bro/base/protocols/ftp/info.bro 9 | sed -i "s/default_capture_password = F/default_capture_password = T/" /usr/local/bro/share/bro/base/protocols/http/main.bro 10 | # start xinetd 11 | /usr/sbin/xinetd -dontfork 12 | -------------------------------------------------------------------------------- /role/xinetd-forensic: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Usage /role/xinetd-forensic dockerhost 3 | cp /xinetd/bro-forensic /etc/xinetd.d/bro 4 | # set the forensic config ip of the dockerhost 5 | sed -i "s/server_args = FORENSICCONF/server_args = $1/" /etc/xinetd.d/bro 6 | # This script sets all logs to elasticsearch 7 | echo "@load ./logs-to-elasticsearch" >> /usr/local/bro/share/bro/bro-extra/bro-extra.bro 8 | #This script adds 
pcap url per socket in conn logs 9 | echo "@load ./conn_pcap.bro" >> /usr/local/bro/share/bro/bro-extra/bro-extra.bro 10 | # enable extraction 11 | echo "@load policy/frameworks/files/extract-all-files" >> /usr/local/bro/share/bro/bro-extra/bro-extra.bro 12 | # This script sets file extraction from known protocols and adds an uri to the extracted files 13 | echo "@load base/files/extract" >> /usr/local/bro/share/bro/bro-extra/bro-extra.bro 14 | # stop local logging 15 | sed -i "s/default_writer = WRITER_ASCII/default_writer = WRITER_NONE/g" /usr/local/bro/share/bro/base/frameworks/logging/main.bro 16 | #log passwords 17 | sed -i "s/default_capture_password = F/default_capture_password = T/" /usr/local/bro/share/bro/base/protocols/ftp/info.bro 18 | sed -i "s/default_capture_password = F/default_capture_password = T/" /usr/local/bro/share/bro/base/protocols/http/main.bro 19 | #start supervisor daemon 20 | /usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf 21 | -------------------------------------------------------------------------------- /role/xinetd-forensic-crc: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Usage /role/xinetd-forensic-crc dockerhost 3 | cp /xinetd/bro-forensic-crc /etc/xinetd.d/bro 4 | # set the forensic config ip of the dockerhost 5 | sed -i "s/server_args = FORENSICCONF/server_args = $1/" /etc/xinetd.d/bro 6 | # This script sets all logs to elasticsearch 7 | echo "@load ./logs-to-elasticsearch" >> /usr/local/bro/share/bro/bro-extra/bro-extra.bro 8 | #This script adds pcap url per socket in conn logs 9 | echo "@load ./conn_pcap.bro" >> /usr/local/bro/share/bro/bro-extra/bro-extra.bro 10 | # enable extraction 11 | echo "@load policy/frameworks/files/extract-all-files" >> /usr/local/bro/share/bro/bro-extra/bro-extra.bro 12 | # This script sets file extraction from known protocols and adds an uri to the extracted files 13 | echo "@load base/files/extract" >> 
/usr/local/bro/share/bro/bro-extra/bro-extra.bro 14 | # stop local logging 15 | sed -i "s/default_writer = WRITER_ASCII/default_writer = WRITER_NONE/g" /usr/local/bro/share/bro/base/frameworks/logging/main.bro 16 | #log passwords 17 | sed -i "s/default_capture_password = F/default_capture_password = T/" /usr/local/bro/share/bro/base/protocols/ftp/info.bro 18 | sed -i "s/default_capture_password = F/default_capture_password = T/" /usr/local/bro/share/bro/base/protocols/http/main.bro 19 | #start supervisor daemon 20 | /usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf 21 | -------------------------------------------------------------------------------- /role/xinetd-splunk: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Usage /role/xinetd-splunk HOST PORT 3 | cp /xinetd/bro-splunk /etc/xinetd.d/bro 4 | # set server args 5 | sed -i "s/server_args = SPLUNKCONF/server_args = $1 $2 /" /etc/xinetd.d/bro 6 | # set output to stdout 7 | sed -i "s/const output_to_stdout = F \&redef/const output_to_stdout = T \&redef/g" /usr/local/bro/share/bro/base/frameworks/logging/writers/ascii.bro 8 | # set output to json 9 | sed -i "s/const use_json = F \&redef/const use_json = T \&redef/g" /usr/local/bro/share/bro/base/frameworks/logging/writers/ascii.bro 10 | # set time to iso8601 11 | sed -i "s/const json_timestamps: JSON::TimestampFormat = JSON::TS_MILLIS \&redef/const json_timestamps: JSON::TimestampFormat = JSON::TS_ISO8601 \&redef/g" /usr/local/bro/share/bro/base/frameworks/logging/writers/ascii.bro 12 | #log passwords 13 | sed -i "s/default_capture_password = F/default_capture_password = T/" /usr/local/bro/share/bro/base/protocols/ftp/info.bro 14 | sed -i "s/default_capture_password = F/default_capture_password = T/" /usr/local/bro/share/bro/base/protocols/http/main.bro 15 | #start xinetd 16 | /usr/sbin/xinetd -dontfork 17 | -------------------------------------------------------------------------------- 
/scripts/bro-amqp.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Usage bro-amqp.sh USER PASS HOST EXCHANGE 3 | bro -r - | amqp-publish -l --url=amqp://$1:$2@$3 --exchange=$4 4 | -------------------------------------------------------------------------------- /scripts/bro-forensic-crc.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Usage bro-forensic-crc.sh DOCKERHOST 3 | 4 | #file extraction 5 | export DOCKERHOST=$1 6 | cp /usr/local/bro/share/bro/bro-extra/extract_files_template.bro /usr/local/bro/share/bro/base/files/extract/main.bro 7 | sed -i "s/DOCKERHOST/${DOCKERHOST}/g" /usr/local/bro/share/bro/base/files/extract/main.bro 8 | 9 | #pcap file and settings 10 | export PCAPFILE=`tempfile -d /bro/pcap -p bro- -s .pcap` 11 | cp /usr/local/bro/share/bro/bro-extra/conn_pcap_template.bro /usr/local/bro/share/bro/bro-extra/conn_pcap.bro 12 | sed -i "s:PCAPFILE:${PCAPFILE}:" /usr/local/bro/share/bro/bro-extra/conn_pcap.bro 13 | sed -i "s/DOCKERHOST/${DOCKERHOST}/g" /usr/local/bro/share/bro/bro-extra/conn_pcap.bro 14 | # set file permissions for apache 15 | chown www-data:www-data ${PCAPFILE} 16 | chmod a+r ${PCAPFILE} 17 | #cmd 18 | bro -C -r - -w ${PCAPFILE} 19 | -------------------------------------------------------------------------------- /scripts/bro-forensic.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Usage bro-forensic.sh DOCKERHOST 3 | 4 | #file extraction 5 | export DOCKERHOST=$1 6 | cp /usr/local/bro/share/bro/bro-extra/extract_files_template.bro /usr/local/bro/share/bro/base/files/extract/main.bro 7 | sed -i "s/DOCKERHOST/${DOCKERHOST}/g" /usr/local/bro/share/bro/base/files/extract/main.bro 8 | 9 | #pcap file and settings 10 | export PCAPFILE=`tempfile -d /bro/pcap -p bro- -s .pcap` 11 | cp /usr/local/bro/share/bro/bro-extra/conn_pcap_template.bro 
/usr/local/bro/share/bro/bro-extra/conn_pcap.bro 12 | sed -i "s:PCAPFILE:${PCAPFILE}:" /usr/local/bro/share/bro/bro-extra/conn_pcap.bro 13 | sed -i "s/DOCKERHOST/${DOCKERHOST}/g" /usr/local/bro/share/bro/bro-extra/conn_pcap.bro 14 | # set file permissions for apache 15 | chown www-data:www-data ${PCAPFILE} 16 | chmod a+r ${PCAPFILE} 17 | #cmd 18 | bro -r - -w ${PCAPFILE} 19 | -------------------------------------------------------------------------------- /scripts/bro-mapping.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | until curl -XGET elasticsearch:9200/; do 3 | >&2 echo "Elasticsearch is unavailable - sleeping" 4 | sleep 5 5 | done 6 | 7 | >&2 echo "Elasticsearch is up - executing command" 8 | curl -XPUT elasticsearch:9200/_template/fixstrings_bro -d '{ 9 | "template": "bro-*", 10 | "index": { 11 | "number_of_shards": 7, 12 | "number_of_replicas": 1 13 | }, 14 | "mappings" : { 15 | "http" : { 16 | "properties" : { 17 | "status_msg" : { 18 | "type" : "string", 19 | "index" : "not_analyzed" 20 | }, 21 | "user_agent" : { 22 | "type" : "string", 23 | "index" : "not_analyzed" 24 | }, 25 | "uri" : { 26 | "type" : "string", 27 | "index" : "not_analyzed" 28 | } 29 | } 30 | }, 31 | "conn" : { 32 | "properties" : { 33 | "orig_location" : { 34 | "type" : "geo_point" 35 | }, 36 | "resp_location" : { 37 | "type" : "geo_point" 38 | } 39 | } 40 | }, 41 | "files" : { 42 | "properties" : { 43 | "mime_type" : { 44 | "type" : "string", 45 | "index" : "not_analyzed" 46 | } 47 | } 48 | }, 49 | "location": { 50 | "properties" : { 51 | "ext_location" : { 52 | "type" : "geo_point" 53 | } 54 | } 55 | }, 56 | "notice" : { 57 | "properties" : { 58 | "note" : { 59 | "type" : "string", 60 | "index" : "not_analyzed" 61 | } 62 | } 63 | }, 64 | "ssl" : { 65 | "properties" : { 66 | "validation_status" : { 67 | "type" : "string", 68 | "index" : "not_analyzed" 69 | }, 70 | "server_name" : { 71 | "type" : "string", 72 | "index" : 
"not_analyzed" 73 | } 74 | } 75 | }, 76 | "dns" : { 77 | "properties" : { 78 | "answers" : { 79 | "type" : "string", 80 | "index" : "not_analyzed" 81 | }, 82 | "query" : { 83 | "type" : "string", 84 | "index" : "not_analyzed" 85 | } 86 | } 87 | }, 88 | "intel" : { 89 | "properties" : { 90 | "sources" : { 91 | "type" : "string", 92 | "index" : "not_analyzed" 93 | }, 94 | "seen_indicator_type" : { 95 | "type" : "string", 96 | "index" : "not_analyzed" 97 | }, 98 | "seen_where" : { 99 | "type" : "string", 100 | "index" : "not_analyzed" 101 | } 102 | } 103 | }, 104 | "weird" : { 105 | "properties" : { 106 | "name" : { 107 | "type" : "string", 108 | "index" : "not_analyzed" 109 | }, 110 | "query" : { 111 | "type" : "string", 112 | "index" : "not_analyzed" 113 | } 114 | } 115 | } 116 | } 117 | }' 118 | -------------------------------------------------------------------------------- /scripts/bro-splunk.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Usage bro-splunk.sh HOST PORT 3 | bro -r - | curl -K http://$1:$2 4 | -------------------------------------------------------------------------------- /scripts/clean-elastic.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | for x in `curl --silent 'elasticsearch:9200/_cat/indices?v' | sed '1d'| grep -e bro-| cut -d " " -f 5`; do echo $x; curl -XDELETE 'http://elasticsearch:9200/'$x; done 3 | -------------------------------------------------------------------------------- /scripts/commands: -------------------------------------------------------------------------------- 1 | # to be replaced by docker-compose 2 | docker create -v /usr/share/elasticsearch/data --name elastic-data-master danielguerra/empty-elastic-data /bin/true 3 | docker create -v /usr/share/elasticsearch/data --name elastic-data-node01 danielguerra/empty-elastic-data /bin/true 4 | docker create -v /usr/share/elasticsearch/data --name 
elastic-data-node02 danielguerra/empty-elastic-data /bin/true 5 | docker create -v /usr/share/elasticsearch/data --name elastic-data-node03 danielguerra/empty-elastic-data /bin/true 6 | docker create -v /usr/share/elasticsearch/data --name elastic-data-node04 danielguerra/empty-elastic-data /bin/true 7 | docker run -d --env ES_HEAP_SIZE=30g --env MAX_OPEN_FILES=65535 --env MAX_LOCKED_MEMORY=unlimited --env ES_JAVA_OPTS=-server --volumes-from elastic-data-master --hostname=elasticsearch-master --name elasticsearch-master elasticsearch -Des.network.bind_host=elasticsearch-master --cluster.name=bro --node.name=elasticsearch-master --discovery.zen.ping.multicast.enabled=false --network.host=elasticsearch-master 8 | docker run -d --env ES_HEAP_SIZE=30g --env MAX_OPEN_FILES=65535 --env MAX_LOCKED_MEMORY=unlimited --env ES_JAVA_OPTS=-server --volumes-from elastic-data-node01 --hostname=elasticsearch-node01 --name elasticsearch-node01 --link=elasticsearch-master:master elasticsearch -Des.network.bind_host=elasticsearch-node01 --cluster.name=bro --node.name=elasticsearch-node01 --discovery.zen.ping.unicast.hosts=master:9300 --network.host=elasticsearch-node01 9 | docker run -d --env ES_HEAP_SIZE=30g --env MAX_OPEN_FILES=65535 --env MAX_LOCKED_MEMORY=unlimited --env ES_JAVA_OPTS=-server --volumes-from elastic-data-node02 --hostname=elasticsearch-node02 --name elasticsearch-node02 --link=elasticsearch-master:master elasticsearch -Des.network.bind_host=elasticsearch-node02 --cluster.name=bro --node.name=elasticsearch-node02 --discovery.zen.ping.unicast.hosts=master:9300 --network.host=elasticsearch-node02 10 | docker run -d --env ES_HEAP_SIZE=30g --env MAX_OPEN_FILES=65535 --env MAX_LOCKED_MEMORY=unlimited --env ES_JAVA_OPTS=-server --volumes-from elastic-data-node03 --hostname=elasticsearch-node03 --name elasticsearch-node03 --link=elasticsearch-master:master elasticsearch -Des.network.bind_host=elasticsearch-node03 --cluster.name=bro --node.name=elasticsearch-node03 
--discovery.zen.ping.unicast.hosts=master:9300 --network.host=elasticsearch-node03 11 | docker run -d --env ES_HEAP_SIZE=30g --env MAX_OPEN_FILES=65535 --env MAX_LOCKED_MEMORY=unlimited --env ES_JAVA_OPTS=-server --volumes-from elastic-data-node04 --hostname=elasticsearch-node04 --name elasticsearch-node04 --link=elasticsearch-master:master elasticsearch -Des.network.bind_host=elasticsearch-node04 --cluster.name=bro --node.name=elasticsearch-node04 --discovery.zen.ping.unicast.hosts=master:9300 --network.host=elasticsearch-node04 12 | docker run -d -p 1969:1969 --link elasticsearch-master:elasticsearch --name bro-xinetd --hostname bro-xinetd danielguerra/bro-debian-elasticsearch /role/xinetd-elasticsearch 13 | 14 | docker run -d -p 1970:1969 --link rabbitmq:amqp --name bro-xinetd-amqp --hostname bro-xinetd-amqp danielguerra/bro-debian-elasticsearch /role/xinetd-amqp 15 | 16 | docker run -d --link=rabbitmq:amqp --name=bro-amqp-amqp --hostname=bro-amqp-amqp danielguerra/bro-debian-elasticsearch /role/amqp-amqp guest guest 172.17.0.3 pcap-queue guest guest 172.17.0.3 testexchange 17 | 18 | docker run -d -p 5601:5601 --link=elasticsearch-node02:elasticsearch --hostname=kibana --name kibana kibana 19 | docker run -ti -v /Users/PCAP:/pcap --name bro-log danielguerra/bro-debian-elasticsearch 20 | docker run -ti --link elasticsearch-node01:elasticsearch -v /Users/PCAP:/pcap --name bro-dev danielguerra/bro-debian-elasticsearch /role/cmd-elasticsearch 21 | docker run -ti --link elasticsearch-node01:elasticsearch -v /Users/PCAP:/pcap --name bro-dev danielguerra/bro-debian-elasticsearch:develop /role/cmd-elasticsearch 22 | docker stop bro-dev elasticsearch-node01 elasticsearch-node02 elasticsearch-master elastic-data-node01 elastic-data-node02 elastic-data-master bro-xinetd kibana 23 | docker rm bro-dev elasticsearch-node01 elasticsearch-node02 elasticsearch-master elastic-data-node01 elastic-data-node02 elastic-data-master bro-xinetd kibana 24 | 25 | docker run -ti --link 
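elasticsearch-master:elasticsearch --name bro-dev danielguerra/bro-debian-elasticsearch:test /bin/bash 26 | docker run -d -p 1969:1969 --link elasticsearch-master:elasticsearch --name bro-xinetd --hostname bro-xinetd danielguerra/bro-debian-elasticsearch:test /role/xinetd 27 | -------------------------------------------------------------------------------- /scripts/elastic-indices.sh: --------------------------------------------------------------------------------
#!/bin/bash
# List every index on the linked "elasticsearch" host (plain HTTP, no credentials;
# only reachable by that name from inside the container network).
curl --silent 'elasticsearch:9200/_cat/indices?v'
-------------------------------------------------------------------------------- /scripts/kibana-config.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Register the "bro-*" index pattern (time field "ts") in Kibana once Kibana
# is reachable. Talks to the Kibana container by its compose name over plain
# HTTP with no credentials, so it is meant to run from inside that network only.

# Readiness probe. --fail makes curl exit non-zero on an HTTP error status as
# well as on a failed connection, so a Kibana that is reachable but still
# answering with an error while it initialises keeps us in the loop instead
# of letting the PUT below fail; --silent/--output keep the probe's response
# body off stdout.
until curl --silent --fail --output /dev/null -XGET kibana:5601/; do
  >&2 echo "Kibana is unavailable - sleeping"
  sleep 5
done

>&2 echo "Kibana is up - executing command"

# Store the index pattern through Kibana's /elasticsearch proxy. The document
# id contains "*", so the URL is quoted to keep the shell from ever treating
# it as a glob. kbn-version has to match the running Kibana (4.5.0 here).
# NOTE(review): the body is a complete GET response (_index/_type/_id/_version/
# found wrapped around _source), not just the _source document; confirm the
# PUT returns 2xx on the Elasticsearch version in use rather than assuming it.
curl -XPUT 'http://kibana:5601/elasticsearch/.kibana/index-pattern/bro-*' -H kbn-version:4.5.0 -d '{"_index":".kibana","_type":"index-pattern","_id":"bro-*","_version":10,"found":true,"_source":{"title":"bro-*","timeFieldName":"ts","fields":"[{\"name\":\"id_resp_p\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"_index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":false,\"analyzed\":false,\"doc_values\":false},{\"name\":\"query\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"id_orig_p\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"uid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"id_orig_h\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"peer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"id_resp_h\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"_source\",\"type\":\"_source\",\"count\":0,\"scripted\":false,\"indexed\":false,\"analyzed\":false,\"doc_values\":false},{\"name\":\"notice\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"ts\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"certificate_version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"certificate_key_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"certificate_not_valid_before\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"certificate_not_valid_after\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"certificate_subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"san_dns\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"certificate_sig_alg\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"basic_constraints_path_len\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"certificate_key_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"certificate_key_alg\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"certificate_serial\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"certificate_exponent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"basic_constraints_ca\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"certificate_curve\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"certificate_issuer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"resp_pkts\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"resp_location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"orig_location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"duration\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"conn_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"resp_ip_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"orig_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"orig_ip_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"orig_pkts\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"missed_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"history\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"resp_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"service\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"proto\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"app\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"hits\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"uniq_hosts\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"ts_delta\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"cookie_unesc\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"cookie\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"TTLs\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"qclass_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"qtype_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"rejected\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"qtype\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"answers\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"trans_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"Z\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"qclass\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"AA\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"rcode\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"rcode_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"RA\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"TC\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"RD\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"timedout\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"source\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"extracted\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"analyzers\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"total_bytes\",\"type\":\"number\",\"count\":1,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"fuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"seen_bytes\",\"type\":\"number\",\"count\":1,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"missing_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"rx_hosts\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"is_orig\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"tx_hosts\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"overflow_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"depth\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"filename\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"mime_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"conn_uids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"md5\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"status_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"resp_mime_types\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"trans_depth\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"user_agent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"resp_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"request_body_len\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"orig_mime_types\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"referrer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"orig_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"status_msg\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"response_body_len\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"ext_location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"sources\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"seen_where\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"seen_indicator_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"server_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"notary_times_seen\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"curve\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"cert_chain_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"issuer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"notary_last_seen\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"cipher\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"established\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"notary_valid\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"next_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"validation_status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"resumed\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"notary_first_seen\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"msg\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"suppress_for\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"note\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"sub\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"dst\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"dropped\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"src\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"peer_descr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"p\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"actions\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"assigned_ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"mac\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"lease_time\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"info_msg\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"info_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true},{\"name\":\"_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":false,\"analyzed\":false,\"doc_values\":false},{\"name\":\"_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":false,\"analyzed\":false,\"doc_values\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":false,\"analyzed\":false,\"doc_values\":false},{\"name\":\"pcapuri\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":true,\"doc_values\":false},{\"name\":\"extract_uri\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"analyzed\":false,\"doc_values\":true}]","fieldFormatMap":"{\"pcapuri\":{\"id\":\"url\",\"params\":{\"labelTemplate\":\"Get PCAP\"}},\"extract_uri\":{\"id\":\"url\",\"params\":{\"labelTemplate\":\"Get Extracted\"}}}"}}'
-------------------------------------------------------------------------------- /scripts/kibana-dashbords.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "_id": "geoip", 4 | "_type": "dashboard", 5 | "_source": { 6 | "title": "geoip", 7 | "hits": 0, 8 | "description": "", 9 | "panelsJSON": "[{\"id\":\"resp-geoip\",\"type\":\"visualization\",\"size_x\":6,\"size_y\":6,\"col\":7,\"row\":1},{\"id\":\"orig-geoip\",\"type\":\"visualization\",\"size_x\":6,\"size_y\":6,\"col\":1,\"row\":1}]", 10 | "optionsJSON": "{\"darkTheme\":true}", 11 | "uiStateJSON": "{}", 12 | "version": 1, 13 | "timeRestore": false, 14 | "kibanaSavedObjectMeta": { 15 | "searchSourceJSON": "{\"filter\":[{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}]}" 16 | } 17 | } 18 | }, 19 | { 20 | "_id": "ssl", 21 | "_type": "dashboard", 22 | "_source": { 23 | "title": "ssl", 24 | "hits": 0, 25 | "description": "", 26 | "panelsJSON": "[{\"col\":1,\"id\":\"ssl-cipher\",\"panelIndex\":1,\"row\":3,\"size_x\":12,\"size_y\":2,\"type\":\"visualization\"},{\"col\":1,\"id\":\"ssl-version\",\"panelIndex\":2,\"row\":5,\"size_x\":12,\"size_y\":2,\"type\":\"visualization\"},{\"col\":1,\"id\":\"ssl-resumed\",\"panelIndex\":3,\"row\":7,\"size_x\":12,\"size_y\":2,\"type\":\"visualization\"},{\"col\":1,\"id\":\"ssl-server-name\",\"panelIndex\":4,\"row\":1,\"size_x\":12,\"size_y\":2,\"type\":\"visualization\"}]", 27 | "optionsJSON": "{\"darkTheme\":true}", 28 | "uiStateJSON": "{}", 29 | "version": 1, 30 | "timeRestore": false, 31 | "kibanaSavedObjectMeta": { 32 | "searchSourceJSON": "{\"filter\":[{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}]}" 33 | } 34 | } 35 | }, 36 | { 37 | "_id": "unknown-traffic", 38 | "_type": "dashboard", 39 | "_source": { 40 | "title": "unknown traffic", 41 | "hits": 0, 42 | 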
"description": "", 43 | "panelsJSON": "[{\"col\":1,\"id\":\"unknown-service-proto-bytes\",\"row\":1,\"size_x\":6,\"size_y\":2,\"type\":\"visualization\"},{\"col\":7,\"id\":\"unknown-orig-host\",\"row\":1,\"size_x\":3,\"size_y\":2,\"type\":\"visualization\"},{\"col\":10,\"id\":\"unknown-resp-host\",\"row\":1,\"size_x\":3,\"size_y\":2,\"type\":\"visualization\"},{\"col\":1,\"id\":\"orig-geoip\",\"row\":3,\"size_x\":6,\"size_y\":4,\"type\":\"visualization\"},{\"col\":7,\"id\":\"resp-geoip\",\"row\":3,\"size_x\":6,\"size_y\":4,\"type\":\"visualization\"}]", 44 | "optionsJSON": "{\"darkTheme\":true}", 45 | "uiStateJSON": "{}", 46 | "version": 1, 47 | "timeRestore": false, 48 | "kibanaSavedObjectMeta": { 49 | "searchSourceJSON": "{\"filter\":[{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}]}" 50 | } 51 | } 52 | }, 53 | { 54 | "_id": "notice", 55 | "_type": "dashboard", 56 | "_source": { 57 | "title": "notice", 58 | "hits": 0, 59 | "description": "", 60 | "panelsJSON": "[{\"col\":1,\"id\":\"notice-note\",\"panelIndex\":1,\"row\":1,\"size_x\":12,\"size_y\":7,\"type\":\"visualization\"}]", 61 | "optionsJSON": "{\"darkTheme\":true}", 62 | "uiStateJSON": "{}", 63 | "version": 1, 64 | "timeRestore": false, 65 | "kibanaSavedObjectMeta": { 66 | "searchSourceJSON": "{\"filter\":[{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}]}" 67 | } 68 | } 69 | }, 70 | { 71 | "_id": "log", 72 | "_type": "dashboard", 73 | "_source": { 74 | "title": "log", 75 | "hits": 0, 76 | "description": "", 77 | "panelsJSON": "[{\"col\":1,\"id\":\"logs\",\"row\":1,\"size_x\":12,\"size_y\":6,\"type\":\"visualization\",\"panelIndex\":1}]", 78 | "optionsJSON": "{\"darkTheme\":true}", 79 | "uiStateJSON": "{}", 80 | "version": 1, 81 | "timeRestore": false, 82 | "kibanaSavedObjectMeta": { 83 | "searchSourceJSON": "{\"filter\":[{\"query\":{\"query_string\":{\"query\":\"-_type:conn\",\"analyze_wildcard\":true}}}]}" 84 | } 85 | } 86 | }, 87 | { 88 | "_id": 
"http", 89 | "_type": "dashboard", 90 | "_source": { 91 | "title": "http", 92 | "hits": 0, 93 | "description": "", 94 | "panelsJSON": "[{\"col\":7,\"id\":\"http-user_agent\",\"panelIndex\":2,\"row\":1,\"size_x\":6,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"http-status\",\"panelIndex\":4,\"row\":1,\"size_x\":6,\"size_y\":3,\"type\":\"visualization\"},{\"col\":7,\"id\":\"http-host\",\"panelIndex\":6,\"row\":4,\"size_x\":6,\"size_y\":3,\"type\":\"visualization\"},{\"id\":\"http-uri\",\"type\":\"visualization\",\"panelIndex\":7,\"size_x\":6,\"size_y\":3,\"col\":1,\"row\":4}]", 95 | "optionsJSON": "{\"darkTheme\":true}", 96 | "uiStateJSON": "{}", 97 | "version": 1, 98 | "timeRestore": false, 99 | "kibanaSavedObjectMeta": { 100 | "searchSourceJSON": "{\"filter\":[{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}]}" 101 | } 102 | } 103 | }, 104 | { 105 | "_id": "weird", 106 | "_type": "dashboard", 107 | "_source": { 108 | "title": "weird", 109 | "hits": 0, 110 | "description": "", 111 | "panelsJSON": "[{\"col\":1,\"id\":\"weird-orig-host\",\"panelIndex\":2,\"row\":1,\"size_x\":6,\"size_y\":2,\"type\":\"visualization\"},{\"col\":7,\"id\":\"weird-resp-host\",\"panelIndex\":3,\"row\":1,\"size_x\":6,\"size_y\":2,\"type\":\"visualization\"},{\"id\":\"weird-name\",\"type\":\"visualization\",\"panelIndex\":4,\"size_x\":12,\"size_y\":4,\"col\":1,\"row\":3}]", 112 | "optionsJSON": "{\"darkTheme\":true}", 113 | "uiStateJSON": "{}", 114 | "version": 1, 115 | "timeRestore": false, 116 | "kibanaSavedObjectMeta": { 117 | "searchSourceJSON": "{\"filter\":[{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}]}" 118 | } 119 | } 120 | }, 121 | { 122 | "_id": "intel", 123 | "_type": "dashboard", 124 | "_source": { 125 | "title": "intel", 126 | "hits": 0, 127 | "description": "", 128 | "panelsJSON": 
"[{\"id\":\"intel-seen-where\",\"type\":\"visualization\",\"panelIndex\":1,\"size_x\":12,\"size_y\":2,\"col\":1,\"row\":1},{\"id\":\"intel-indicator-type\",\"type\":\"visualization\",\"panelIndex\":2,\"size_x\":12,\"size_y\":2,\"col\":1,\"row\":3},{\"id\":\"intel-sources\",\"type\":\"visualization\",\"panelIndex\":3,\"size_x\":12,\"size_y\":2,\"col\":1,\"row\":5}]", 129 | "optionsJSON": "{\"darkTheme\":true}", 130 | "uiStateJSON": "{}", 131 | "version": 1, 132 | "timeRestore": false, 133 | "kibanaSavedObjectMeta": { 134 | "searchSourceJSON": "{\"filter\":[{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}}}]}" 135 | } 136 | } 137 | }, 138 | { 139 | "_id": "dns", 140 | "_type": "dashboard", 141 | "_source": { 142 | "title": "dns", 143 | "hits": 0, 144 | "description": "", 145 | "panelsJSON": "[{\"id\":\"dns-query\",\"type\":\"visualization\",\"size_x\":6,\"size_y\":3,\"col\":1,\"row\":1},{\"id\":\"dns-answer\",\"type\":\"visualization\",\"size_x\":6,\"size_y\":3,\"col\":7,\"row\":1},{\"id\":\"dns-qtype\",\"type\":\"visualization\",\"size_x\":12,\"size_y\":3,\"col\":1,\"row\":4}]", 146 | "optionsJSON": "{\"darkTheme\":true}", 147 | "uiStateJSON": "{}", 148 | "version": 1, 149 | "timeRestore": false, 150 | "kibanaSavedObjectMeta": { 151 | "searchSourceJSON": "{\"filter\":[{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}}}]}" 152 | } 153 | } 154 | }, 155 | { 156 | "_id": "connection", 157 | "_type": "dashboard", 158 | "_source": { 159 | "title": "connection", 160 | "hits": 0, 161 | "description": "", 162 | "panelsJSON": 
"[{\"col\":1,\"id\":\"service-bytes\",\"panelIndex\":1,\"row\":1,\"size_x\":12,\"size_y\":2,\"type\":\"visualization\"},{\"col\":1,\"id\":\"proto-bytes\",\"panelIndex\":2,\"row\":3,\"size_x\":12,\"size_y\":2,\"type\":\"visualization\"},{\"col\":1,\"id\":\"unknown-service-proto-bytes\",\"panelIndex\":3,\"row\":7,\"size_x\":12,\"size_y\":2,\"type\":\"visualization\"},{\"col\":1,\"id\":\"service-duration\",\"panelIndex\":4,\"row\":9,\"size_x\":12,\"size_y\":2,\"type\":\"visualization\"},{\"col\":1,\"id\":\"connection-state\",\"panelIndex\":5,\"row\":5,\"size_x\":12,\"size_y\":2,\"type\":\"visualization\"}]", 163 | "optionsJSON": "{\"darkTheme\":true}", 164 | "uiStateJSON": "{}", 165 | "version": 1, 166 | "timeRestore": false, 167 | "kibanaSavedObjectMeta": { 168 | "searchSourceJSON": "{\"filter\":[{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}]}" 169 | } 170 | } 171 | }, 172 | { 173 | "_id": "extracted-location", 174 | "_type": "dashboard", 175 | "_source": { 176 | "title": "extracted location", 177 | "hits": 0, 178 | "description": "", 179 | "panelsJSON": "[{\"id\":\"extracted-location\",\"type\":\"visualization\",\"panelIndex\":1,\"size_x\":12,\"size_y\":6,\"col\":1,\"row\":1}]", 180 | "optionsJSON": "{\"darkTheme\":true}", 181 | "uiStateJSON": "{}", 182 | "version": 1, 183 | "timeRestore": false, 184 | "kibanaSavedObjectMeta": { 185 | "searchSourceJSON": "{\"filter\":[{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}]}" 186 | } 187 | } 188 | } 189 | ] 190 | -------------------------------------------------------------------------------- /scripts/kibana-querys.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "_id": "all", 4 | "_type": "search", 5 | "_source": { 6 | "title": "all", 7 | "description": "", 8 | "hits": 0, 9 | "columns": [ 10 | "_source" 11 | ], 12 | "sort": [ 13 | "ts", 14 | "desc" 15 | ], 16 | "version": 1, 17 | "kibanaSavedObjectMeta": { 18 | 
"searchSourceJSON": "{\"index\":\"bro-*\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"fragment_size\":2147483647},\"filter\":[]}" 19 | } 20 | } 21 | }, 22 | { 23 | "_id": "http", 24 | "_type": "search", 25 | "_source": { 26 | "title": "http", 27 | "description": "", 28 | "hits": 0, 29 | "columns": [ 30 | "method", 31 | "host", 32 | "uri", 33 | "user_agent" 34 | ], 35 | "sort": [ 36 | "ts", 37 | "desc" 38 | ], 39 | "version": 1, 40 | "kibanaSavedObjectMeta": { 41 | "searchSourceJSON": "{\"index\":\"bro-*\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"_type:http\"}},\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"fragment_size\":2147483647},\"filter\":[]}" 42 | } 43 | } 44 | }, 45 | { 46 | "_id": "connection", 47 | "_type": "search", 48 | "_source": { 49 | "title": "connection", 50 | "description": "", 51 | "hits": 0, 52 | "columns": [ 53 | "service", 54 | "proto", 55 | "id_orig_h", 56 | "id_orig_p", 57 | "id_resp_h", 58 | "id_resp_p", 59 | "orig_bytes", 60 | "resp_bytes" 61 | ], 62 | "sort": [ 63 | "ts", 64 | "desc" 65 | ], 66 | "version": 1, 67 | "kibanaSavedObjectMeta": { 68 | "searchSourceJSON": "{\"index\":\"bro-*\",\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"fragment_size\":2147483647},\"filter\":[],\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"_type:conn\"}}}" 69 | } 70 | } 71 | }, 72 | { 73 | "_id": "undetected-connection", 74 | "_type": "search", 75 | "_source": { 76 | "title": "undetected connection", 77 | "description": "", 78 | "hits": 0, 79 | "columns": [ 80 | "id_orig_h", 81 | "id_orig_p", 82 | "id_resp_h", 83 | "id_resp_p", 84 | "duration", 85 | "proto", 86 | "orig_bytes", 87 | 
"resp_bytes" 88 | ], 89 | "sort": [ 90 | "ts", 91 | "desc" 92 | ], 93 | "version": 1, 94 | "kibanaSavedObjectMeta": { 95 | "searchSourceJSON": "{\"index\":\"bro-*\",\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"fragment_size\":2147483647},\"filter\":[],\"query\":{\"query_string\":{\"query\":\"_type:conn AND NOT service:?*\",\"analyze_wildcard\":true}}}" 96 | } 97 | } 98 | }, 99 | { 100 | "_id": "dhcp", 101 | "_type": "search", 102 | "_source": { 103 | "title": "dhcp", 104 | "description": "", 105 | "hits": 0, 106 | "columns": [ 107 | "id_orig_h", 108 | "id_resp_h", 109 | "assigned_ip", 110 | "lease_time", 111 | "mac", 112 | "trans_id" 113 | ], 114 | "sort": [ 115 | "ts", 116 | "desc" 117 | ], 118 | "version": 1, 119 | "kibanaSavedObjectMeta": { 120 | "searchSourceJSON": "{\"index\":\"bro-*\",\"query\":{\"query_string\":{\"query\":\"_type:dhcp\",\"analyze_wildcard\":true}},\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"fragment_size\":2147483647},\"filter\":[]}" 121 | } 122 | } 123 | }, 124 | { 125 | "_id": "sip", 126 | "_type": "search", 127 | "_source": { 128 | "title": "sip", 129 | "description": "", 130 | "hits": 0, 131 | "columns": [ 132 | "method", 133 | "user_agent", 134 | "call_id", 135 | "request_from", 136 | "request_to" 137 | ], 138 | "sort": [ 139 | "ts", 140 | "desc" 141 | ], 142 | "version": 1, 143 | "kibanaSavedObjectMeta": { 144 | "searchSourceJSON": "{\"index\":\"bro-*\",\"query\":{\"query_string\":{\"query\":\"_type:sip\",\"analyze_wildcard\":true}},\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"fragment_size\":2147483647},\"filter\":[]}" 145 | } 146 | } 147 | }, 148 | { 149 | "_id": "dpd", 150 | "_type": "search", 151 | "_source": { 152 | "title": "dpd", 153 | "description": "", 154 | "hits": 
0, 155 | "columns": [ 156 | "uid", 157 | "analyzer", 158 | "failure_reason", 159 | "id_orig_h", 160 | "id_resp_h" 161 | ], 162 | "sort": [ 163 | "ts", 164 | "desc" 165 | ], 166 | "version": 1, 167 | "kibanaSavedObjectMeta": { 168 | "searchSourceJSON": "{\"index\":\"bro-*\",\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"fragment_size\":2147483647},\"filter\":[],\"query\":{\"query_string\":{\"query\":\"_type:dpd\",\"analyze_wildcard\":true}}}" 169 | } 170 | } 171 | }, 172 | { 173 | "_id": "ssh", 174 | "_type": "search", 175 | "_source": { 176 | "title": "ssh", 177 | "description": "", 178 | "hits": 0, 179 | "columns": [ 180 | "uid", 181 | "auth_success", 182 | "cipher_alg", 183 | "host_key_alg", 184 | "kex_alg", 185 | "mac_alg", 186 | "host_key", 187 | "client", 188 | "server" 189 | ], 190 | "sort": [ 191 | "ts", 192 | "desc" 193 | ], 194 | "version": 1, 195 | "kibanaSavedObjectMeta": { 196 | "searchSourceJSON": "{\"index\":\"bro-*\",\"query\":{\"query_string\":{\"query\":\"_type:ssh\",\"analyze_wildcard\":true}},\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"fragment_size\":2147483647},\"filter\":[]}" 197 | } 198 | } 199 | }, 200 | { 201 | "_id": "dns", 202 | "_type": "search", 203 | "_source": { 204 | "title": "dns", 205 | "description": "", 206 | "hits": 0, 207 | "columns": [ 208 | "id_resp_h", 209 | "query", 210 | "answers" 211 | ], 212 | "sort": [ 213 | "ts", 214 | "desc" 215 | ], 216 | "version": 1, 217 | "kibanaSavedObjectMeta": { 218 | "searchSourceJSON": "{\"index\":\"bro-*\",\"query\":{\"query_string\":{\"query\":\"_type:dns\",\"analyze_wildcard\":true}},\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"fragment_size\":2147483647},\"filter\":[]}" 219 | } 220 | } 221 | }, 222 | { 223 | "_id": "app-stats", 
224 | "_type": "search", 225 | "_source": { 226 | "title": "app stats", 227 | "description": "", 228 | "hits": 0, 229 | "columns": [ 230 | "app", 231 | "bytes", 232 | "hits", 233 | "ts_delta", 234 | "uniq_hosts" 235 | ], 236 | "sort": [ 237 | "ts", 238 | "desc" 239 | ], 240 | "version": 1, 241 | "kibanaSavedObjectMeta": { 242 | "searchSourceJSON": "{\"index\":\"bro-*\",\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"fragment_size\":2147483647},\"filter\":[],\"query\":{\"query_string\":{\"query\":\"_type:app_stats\",\"analyze_wildcard\":true}}}" 243 | } 244 | } 245 | }, 246 | { 247 | "_id": "weird", 248 | "_type": "search", 249 | "_source": { 250 | "title": "weird", 251 | "description": "", 252 | "hits": 0, 253 | "columns": [ 254 | "name" 255 | ], 256 | "sort": [ 257 | "ts", 258 | "desc" 259 | ], 260 | "version": 1, 261 | "kibanaSavedObjectMeta": { 262 | "searchSourceJSON": "{\"index\":\"bro-*\",\"query\":{\"query_string\":{\"query\":\"_type:weird\",\"analyze_wildcard\":true}},\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"fragment_size\":2147483647},\"filter\":[]}" 263 | } 264 | } 265 | }, 266 | { 267 | "_id": "intel", 268 | "_type": "search", 269 | "_source": { 270 | "title": "intel", 271 | "description": "", 272 | "hits": 0, 273 | "columns": [ 274 | "uid", 275 | "sources", 276 | "seen_indicator_type", 277 | "seen_where" 278 | ], 279 | "sort": [ 280 | "ts", 281 | "desc" 282 | ], 283 | "version": 1, 284 | "kibanaSavedObjectMeta": { 285 | "searchSourceJSON": "{\"index\":\"bro-*\",\"query\":{\"query_string\":{\"query\":\"_type:intel\",\"analyze_wildcard\":true}},\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"fragment_size\":2147483647},\"filter\":[]}" 286 | } 287 | } 288 | }, 289 | { 290 | "_id": "reporter", 291 | 
"_type": "search", 292 | "_source": { 293 | "title": "reporter", 294 | "description": "", 295 | "hits": 0, 296 | "columns": [ 297 | "level", 298 | "location", 299 | "message" 300 | ], 301 | "sort": [ 302 | "ts", 303 | "desc" 304 | ], 305 | "version": 1, 306 | "kibanaSavedObjectMeta": { 307 | "searchSourceJSON": "{\"index\":\"bro-*\",\"query\":{\"query_string\":{\"query\":\"_type:reporter\",\"analyze_wildcard\":true}},\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"fragment_size\":2147483647},\"filter\":[]}" 308 | } 309 | } 310 | }, 311 | { 312 | "_id": "notice", 313 | "_type": "search", 314 | "_source": { 315 | "title": "notice", 316 | "description": "", 317 | "hits": 0, 318 | "columns": [ 319 | "uid", 320 | "note", 321 | "msg" 322 | ], 323 | "sort": [ 324 | "ts", 325 | "desc" 326 | ], 327 | "version": 1, 328 | "kibanaSavedObjectMeta": { 329 | "searchSourceJSON": "{\"index\":\"bro-*\",\"query\":{\"query_string\":{\"query\":\"_type:notice\",\"analyze_wildcard\":true}},\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"fragment_size\":2147483647},\"filter\":[]}" 330 | } 331 | } 332 | }, 333 | { 334 | "_id": "cookie", 335 | "_type": "search", 336 | "_source": { 337 | "title": "cookie", 338 | "description": "", 339 | "hits": 0, 340 | "columns": [ 341 | "uid", 342 | "cookie_unesc" 343 | ], 344 | "sort": [ 345 | "ts", 346 | "desc" 347 | ], 348 | "version": 1, 349 | "kibanaSavedObjectMeta": { 350 | "searchSourceJSON": "{\"index\":\"bro-*\",\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"fragment_size\":2147483647},\"filter\":[],\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"_type:cookie\"}}}" 351 | } 352 | } 353 | }, 354 | { 355 | "_id": "x509", 356 | "_type": "search", 357 | "_source": { 358 | "title": 
"x509", 359 | "description": "", 360 | "hits": 0, 361 | "columns": [ 362 | "_source" 363 | ], 364 | "sort": [ 365 | "ts", 366 | "desc" 367 | ], 368 | "version": 1, 369 | "kibanaSavedObjectMeta": { 370 | "searchSourceJSON": "{\"index\":\"bro-*\",\"query\":{\"query_string\":{\"query\":\"_type:x509\",\"analyze_wildcard\":true}},\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"fragment_size\":2147483647},\"filter\":[]}" 371 | } 372 | } 373 | }, 374 | { 375 | "_id": "location", 376 | "_type": "search", 377 | "_source": { 378 | "title": "location", 379 | "description": "", 380 | "hits": 0, 381 | "columns": [ 382 | "ext_location", 383 | "origin", 384 | "uid" 385 | ], 386 | "sort": [ 387 | "ts", 388 | "desc" 389 | ], 390 | "version": 1, 391 | "kibanaSavedObjectMeta": { 392 | "searchSourceJSON": "{\"index\":\"bro-*\",\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"fragment_size\":2147483647},\"filter\":[],\"query\":{\"query_string\":{\"query\":\"_type:location\",\"analyze_wildcard\":true}}}" 393 | } 394 | } 395 | }, 396 | { 397 | "_id": "syslog", 398 | "_type": "search", 399 | "_source": { 400 | "title": "syslog", 401 | "description": "", 402 | "hits": 0, 403 | "columns": [ 404 | "id_orig_h", 405 | "id_resp_h", 406 | "message" 407 | ], 408 | "sort": [ 409 | "ts", 410 | "desc" 411 | ], 412 | "version": 1, 413 | "kibanaSavedObjectMeta": { 414 | "searchSourceJSON": "{\"index\":\"bro-*\",\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"filter\":[],\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"_type:syslog\"}}}" 415 | } 416 | } 417 | }, 418 | { 419 | "_id": "dns-conn", 420 | "_type": "search", 421 | "_source": { 422 | "title": "dns conn", 423 | 
"description": "", 424 | "hits": 0, 425 | "columns": [ 426 | "id_resp_h", 427 | "query", 428 | "answers" 429 | ], 430 | "sort": [ 431 | "ts", 432 | "desc" 433 | ], 434 | "version": 1, 435 | "kibanaSavedObjectMeta": { 436 | "searchSourceJSON": "{\"index\":\"bro-*\",\"query\":{\"query_string\":{\"query\":\"(_type:dns OR _type:conn)\",\"analyze_wildcard\":true}},\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"filter\":[]}" 437 | } 438 | } 439 | }, 440 | { 441 | "_id": "kerberos", 442 | "_type": "search", 443 | "_source": { 444 | "title": "kerberos", 445 | "description": "", 446 | "hits": 0, 447 | "columns": [ 448 | "service", 449 | "request_type", 450 | "success", 451 | "error_msg" 452 | ], 453 | "sort": [ 454 | "ts", 455 | "desc" 456 | ], 457 | "version": 1, 458 | "kibanaSavedObjectMeta": { 459 | "searchSourceJSON": "{\"index\":\"bro-*\",\"query\":{\"query_string\":{\"query\":\"_type:kerberos\",\"analyze_wildcard\":true}},\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"filter\":[]}" 460 | } 461 | } 462 | }, 463 | { 464 | "_id": "ssl", 465 | "_type": "search", 466 | "_source": { 467 | "title": "ssl", 468 | "description": "", 469 | "hits": 0, 470 | "columns": [ 471 | "server_name", 472 | "validation_status", 473 | "subject", 474 | "issuer" 475 | ], 476 | "sort": [ 477 | "ts", 478 | "desc" 479 | ], 480 | "version": 1, 481 | "kibanaSavedObjectMeta": { 482 | "searchSourceJSON": "{\"index\":\"bro-*\",\"query\":{\"query_string\":{\"query\":\"_type:ssl\",\"analyze_wildcard\":true}},\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"filter\":[]}" 483 | 
} 484 | } 485 | }, 486 | { 487 | "_id": "mysql", 488 | "_type": "search", 489 | "_source": { 490 | "title": "mysql", 491 | "description": "", 492 | "hits": 0, 493 | "columns": [ 494 | "cmd", 495 | "arg", 496 | "response" 497 | ], 498 | "sort": [ 499 | "ts", 500 | "desc" 501 | ], 502 | "version": 1, 503 | "kibanaSavedObjectMeta": { 504 | "searchSourceJSON": "{\"index\":\"bro-*\",\"query\":{\"query_string\":{\"query\":\"_type:mysql\",\"analyze_wildcard\":true}},\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"filter\":[]}" 505 | } 506 | } 507 | } 508 | ] 509 | -------------------------------------------------------------------------------- /scripts/kibana-visualisations.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "_id": "service-bytes", 4 | "_type": "visualization", 5 | "_source": { 6 | "title": "service bytes", 7 | "visState": "{\"type\":\"area\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"smoothLines\":true,\"scale\":\"linear\",\"interpolate\":\"linear\",\"mode\":\"stacked\",\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"orig_bytes\"}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"ts\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"service\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"4\",\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"resp_bytes\"}}],\"listeners\":{}}", 8 | "uiStateJSON": "{}", 9 | "description": "", 10 | "savedSearchId": "connection", 11 | "version": 1, 12 | "kibanaSavedObjectMeta": { 13 
| "searchSourceJSON": "{\"filter\":[]}" 14 | } 15 | } 16 | }, 17 | { 18 | "_id": "proto-bytes", 19 | "_type": "visualization", 20 | "_source": { 21 | "title": "proto bytes", 22 | "visState": "{\"type\":\"area\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"smoothLines\":true,\"scale\":\"linear\",\"interpolate\":\"linear\",\"mode\":\"stacked\",\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"orig_bytes\"}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"ts\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"proto\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"4\",\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"resp_bytes\"}}],\"listeners\":{}}", 23 | "uiStateJSON": "{}", 24 | "description": "", 25 | "savedSearchId": "connection", 26 | "version": 1, 27 | "kibanaSavedObjectMeta": { 28 | "searchSourceJSON": "{\"filter\":[]}" 29 | } 30 | } 31 | }, 32 | { 33 | "_id": "logs", 34 | "_type": "visualization", 35 | "_source": { 36 | "title": "logs", 37 | "visState": 
"{\"type\":\"area\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"smoothLines\":true,\"scale\":\"linear\",\"interpolate\":\"linear\",\"mode\":\"stacked\",\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"ts\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"_type\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 38 | "uiStateJSON": "{}", 39 | "description": "", 40 | "savedSearchId": "all", 41 | "version": 1, 42 | "kibanaSavedObjectMeta": { 43 | "searchSourceJSON": "{\"filter\":[]}" 44 | } 45 | } 46 | }, 47 | { 48 | "_id": "location", 49 | "_type": "visualization", 50 | "_source": { 51 | "title": "extracted location", 52 | "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"autoPrecision\":true,\"field\":\"ext_location\",\"precision\":2},\"schema\":\"segment\",\"type\":\"geohash_grid\"}],\"listeners\":{},\"params\":{\"addTooltip\":true,\"heatBlur\":15,\"heatMaxZoom\":16,\"heatMinOpacity\":\"0.51\",\"heatNormalizeData\":true,\"heatRadius\":25,\"isDesaturated\":true,\"mapType\":\"Heatmap\",\"wms\":{\"enabled\":false,\"options\":{\"attribution\":\"Maps provided by USGS\",\"format\":\"image/png\",\"layers\":\"0\",\"styles\":\"\",\"transparent\":true,\"version\":\"1.3.0\"},\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\"}},\"type\":\"tile_map\"}", 53 | "uiStateJSON": "{}", 54 | "description": "", 55 | "savedSearchId": "connection", 56 | "version": 1, 57 | "kibanaSavedObjectMeta": { 58 | "searchSourceJSON": "{\"filter\":[]}" 59 | } 60 | } 61 | }, 62 | { 63 | "_id": "http-status", 
64 | "_type": "visualization", 65 | "_source": { 66 | "title": "http status", 67 | "visState": "{\"type\":\"area\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"smoothLines\":true,\"scale\":\"linear\",\"interpolate\":\"linear\",\"mode\":\"stacked\",\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"ts\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"status_msg\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 68 | "uiStateJSON": "{}", 69 | "description": "", 70 | "savedSearchId": "http", 71 | "version": 1, 72 | "kibanaSavedObjectMeta": { 73 | "searchSourceJSON": "{\"filter\":[]}" 74 | } 75 | } 76 | }, 77 | { 78 | "_id": "orig-geoip", 79 | "_type": "visualization", 80 | "_source": { 81 | "title": "orig geoip", 82 | "visState": "{\"type\":\"tile_map\",\"params\":{\"addTooltip\":true,\"heatBlur\":15,\"heatMaxZoom\":16,\"heatMinOpacity\":\"0.51\",\"heatNormalizeData\":true,\"heatRadius\":25,\"isDesaturated\":true,\"mapType\":\"Heatmap\",\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"orig_location\",\"autoPrecision\":true,\"precision\":2}}],\"listeners\":{}}", 83 | "uiStateJSON": "{}", 84 | "description": "", 85 | "savedSearchId": "connection", 86 | "version": 1, 87 | "kibanaSavedObjectMeta": { 88 
| "searchSourceJSON": "{\"filter\":[]}" 89 | } 90 | } 91 | }, 92 | { 93 | "_id": "ssl-resumed", 94 | "_type": "visualization", 95 | "_source": { 96 | "title": "ssl resumed", 97 | "visState": "{\"type\":\"area\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"smoothLines\":true,\"scale\":\"linear\",\"interpolate\":\"linear\",\"mode\":\"stacked\",\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"ts\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"resumed\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 98 | "uiStateJSON": "{}", 99 | "description": "", 100 | "savedSearchId": "ssl", 101 | "version": 1, 102 | "kibanaSavedObjectMeta": { 103 | "searchSourceJSON": "{\"filter\":[]}" 104 | } 105 | } 106 | }, 107 | { 108 | "_id": "unknown-proto", 109 | "_type": "visualization", 110 | "_source": { 111 | "title": "unknown proto", 112 | "visState": "{\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"proto\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 113 | "uiStateJSON": "{}", 114 | "description": "", 115 | "savedSearchId": "undetected-connection", 116 | "version": 1, 117 | "kibanaSavedObjectMeta": { 118 | "searchSourceJSON": "{\"filter\":[]}" 119 | } 120 | } 121 | }, 122 | { 123 | "_id": "dns-query", 124 | "_type": "visualization", 125 | "_source": { 126 | "title": "dns query", 127 | "visState": 
"{\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"query\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 128 | "uiStateJSON": "{}", 129 | "description": "", 130 | "savedSearchId": "dns-conn", 131 | "version": 1, 132 | "kibanaSavedObjectMeta": { 133 | "searchSourceJSON": "{\"filter\":[]}" 134 | } 135 | } 136 | }, 137 | { 138 | "_id": "unknown-orig-host", 139 | "_type": "visualization", 140 | "_source": { 141 | "title": "unknown orig host", 142 | "visState": "{\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"id_orig_h\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 143 | "uiStateJSON": "{}", 144 | "description": "", 145 | "savedSearchId": "undetected-connection", 146 | "version": 1, 147 | "kibanaSavedObjectMeta": { 148 | "searchSourceJSON": "{\"filter\":[]}" 149 | } 150 | } 151 | }, 152 | { 153 | "_id": "resp-geoip", 154 | "_type": "visualization", 155 | "_source": { 156 | "title": "resp geoip", 157 | "visState": "{\"type\":\"tile_map\",\"params\":{\"addTooltip\":true,\"heatBlur\":15,\"heatMaxZoom\":16,\"heatMinOpacity\":\"0.51\",\"heatNormalizeData\":true,\"heatRadius\":25,\"isDesaturated\":true,\"mapType\":\"Heatmap\",\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by 
USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"resp_location\",\"autoPrecision\":true,\"mapZoom\":2,\"mapCenter\":[14.944784875088372,4.921875],\"precision\":2}}],\"listeners\":{}}", 158 | "uiStateJSON": "{}", 159 | "description": "", 160 | "savedSearchId": "connection", 161 | "version": 1, 162 | "kibanaSavedObjectMeta": { 163 | "searchSourceJSON": "{\"filter\":[]}" 164 | } 165 | } 166 | }, 167 | { 168 | "_id": "dns-qtype", 169 | "_type": "visualization", 170 | "_source": { 171 | "title": "dns qtype", 172 | "visState": "{\"type\":\"area\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"ts\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"qtype_name\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 173 | "uiStateJSON": "{}", 174 | "description": "", 175 | "savedSearchId": "dns", 176 | "version": 1, 177 | "kibanaSavedObjectMeta": { 178 | "searchSourceJSON": "{\"filter\":[]}" 179 | } 180 | } 181 | }, 182 | { 183 | "_id": "unknown-conn-state", 184 | "_type": "visualization", 185 | "_source": { 186 | "title": "unknown conn state", 187 | "visState": 
"{\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"conn_state\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 188 | "uiStateJSON": "{}", 189 | "description": "", 190 | "savedSearchId": "undetected-connection", 191 | "version": 1, 192 | "kibanaSavedObjectMeta": { 193 | "searchSourceJSON": "{\"filter\":[]}" 194 | } 195 | } 196 | }, 197 | { 198 | "_id": "extracted-location", 199 | "_type": "visualization", 200 | "_source": { 201 | "title": "extracted location", 202 | "visState": "{\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":16,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"ext_location\",\"autoPrecision\":true,\"precision\":2}}],\"listeners\":{}}", 203 | "uiStateJSON": "{}", 204 | "description": "", 205 | "savedSearchId": "location", 206 | "version": 1, 207 | "kibanaSavedObjectMeta": { 208 | "searchSourceJSON": "{\"filter\":[]}" 209 | } 210 | } 211 | }, 212 | { 213 | "_id": "notice-note", 214 | "_type": "visualization", 215 | "_source": { 216 | "title": "notice note", 217 | "visState": 
"{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"customInterval\":\"2h\",\"extended_bounds\":{},\"field\":\"ts\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"id\":\"3\",\"params\":{\"field\":\"note\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"yAxis\":{}},\"type\":\"area\"}", 218 | "uiStateJSON": "{}", 219 | "description": "", 220 | "savedSearchId": "notice", 221 | "version": 1, 222 | "kibanaSavedObjectMeta": { 223 | "searchSourceJSON": "{\"filter\":[]}" 224 | } 225 | } 226 | }, 227 | { 228 | "_id": "unknown-resp-host", 229 | "_type": "visualization", 230 | "_source": { 231 | "title": "unknown resp host", 232 | "visState": "{\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"id_resp_h\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 233 | "uiStateJSON": "{}", 234 | "description": "", 235 | "savedSearchId": "undetected-connection", 236 | "version": 1, 237 | "kibanaSavedObjectMeta": { 238 | "searchSourceJSON": "{\"filter\":[]}" 239 | } 240 | } 241 | }, 242 | { 243 | "_id": "weird-resp-host", 244 | "_type": "visualization", 245 | "_source": { 246 | "title": "weird resp host", 247 | "visState": 
"{\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"id_resp_h\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 248 | "uiStateJSON": "{}", 249 | "description": "", 250 | "savedSearchId": "weird", 251 | "version": 1, 252 | "kibanaSavedObjectMeta": { 253 | "searchSourceJSON": "{\"filter\":[]}" 254 | } 255 | } 256 | }, 257 | { 258 | "_id": "weird-orig-host", 259 | "_type": "visualization", 260 | "_source": { 261 | "title": "weird orig host", 262 | "visState": "{\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"id_orig_h\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 263 | "uiStateJSON": "{}", 264 | "description": "", 265 | "savedSearchId": "weird", 266 | "version": 1, 267 | "kibanaSavedObjectMeta": { 268 | "searchSourceJSON": "{\"filter\":[]}" 269 | } 270 | } 271 | }, 272 | { 273 | "_id": "sum-orig-ip-bytes", 274 | "_type": "visualization", 275 | "_source": { 276 | "title": "sum orig ip bytes", 277 | "visState": "{\"type\":\"metric\",\"params\":{\"fontSize\":\"24\"},\"aggs\":[{\"id\":\"1\",\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"orig_ip_bytes\"}}],\"listeners\":{}}", 278 | "uiStateJSON": "{}", 279 | "description": "", 280 | "savedSearchId": "connection", 281 | "version": 1, 282 | "kibanaSavedObjectMeta": { 283 | "searchSourceJSON": "{\"filter\":[]}" 284 | } 285 | } 286 | }, 287 | { 288 | "_id": "service-duration", 289 | "_type": "visualization", 290 | "_source": { 291 | "title": "service duration", 292 | "visState": 
"{\"type\":\"area\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"smoothLines\":true,\"scale\":\"linear\",\"interpolate\":\"linear\",\"mode\":\"stacked\",\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"duration\"}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"ts\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"service\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 293 | "uiStateJSON": "{}", 294 | "description": "", 295 | "savedSearchId": "connection", 296 | "version": 1, 297 | "kibanaSavedObjectMeta": { 298 | "searchSourceJSON": "{\"filter\":[]}" 299 | } 300 | } 301 | }, 302 | { 303 | "_id": "unknown-service-proto-bytes", 304 | "_type": "visualization", 305 | "_source": { 306 | "title": "unknown service proto bytes", 307 | "visState": "{\"type\":\"area\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"orig_ip_bytes\"}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"ts\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"proto\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"4\",\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"resp_ip_bytes\"}}],\"listeners\":{}}", 308 | "uiStateJSON": "{}", 309 | "description": "", 310 | 
"savedSearchId": "undetected-connection", 311 | "version": 1, 312 | "kibanaSavedObjectMeta": { 313 | "searchSourceJSON": "{\"filter\":[]}" 314 | } 315 | } 316 | }, 317 | { 318 | "_id": "sum-resp-ip-bytes", 319 | "_type": "visualization", 320 | "_source": { 321 | "title": "sum resp ip bytes", 322 | "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{\"field\":\"resp_ip_bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"listeners\":{},\"params\":{\"fontSize\":\"24\"},\"type\":\"metric\"}", 323 | "uiStateJSON": "{}", 324 | "description": "", 325 | "savedSearchId": "connection", 326 | "version": 1, 327 | "kibanaSavedObjectMeta": { 328 | "searchSourceJSON": "{\"filter\":[]}" 329 | } 330 | } 331 | }, 332 | { 333 | "_id": "ssl-cipher", 334 | "_type": "visualization", 335 | "_source": { 336 | "title": "ssl cipher", 337 | "visState": "{\"type\":\"area\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"smoothLines\":true,\"scale\":\"linear\",\"interpolate\":\"linear\",\"mode\":\"stacked\",\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"ts\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"cipher\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 338 | "uiStateJSON": "{}", 339 | "description": "", 340 | "savedSearchId": "ssl", 341 | "version": 1, 342 | "kibanaSavedObjectMeta": { 343 | "searchSourceJSON": "{\"filter\":[]}" 344 | } 345 | } 346 | }, 347 | { 348 | "_id": "ip-port-table", 349 | "_type": "visualization", 350 | "_source": { 351 | "title": "ip port table", 352 | "visState": 
"{\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"id_orig_h\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"4\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"id_orig_p\",\"size\":65500,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 353 | "uiStateJSON": "{}", 354 | "description": "", 355 | "savedSearchId": "connection", 356 | "version": 1, 357 | "kibanaSavedObjectMeta": { 358 | "searchSourceJSON": "{\"filter\":[]}" 359 | } 360 | } 361 | }, 362 | { 363 | "_id": "http-user_agent", 364 | "_type": "visualization", 365 | "_source": { 366 | "title": "http user_agent", 367 | "visState": "{\"type\":\"area\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"smoothLines\":true,\"scale\":\"linear\",\"interpolate\":\"linear\",\"mode\":\"stacked\",\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"ts\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"user_agent\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 368 | "uiStateJSON": "{}", 369 | "description": "", 370 | "savedSearchId": "http", 371 | "version": 1, 372 | "kibanaSavedObjectMeta": { 373 | "searchSourceJSON": "{\"filter\":[]}" 374 | } 375 | } 376 | }, 377 | { 378 | "_id": "ssl-version", 379 | "_type": "visualization", 380 | "_source": { 381 | "title": "ssl version", 382 | "visState": 
"{\"type\":\"area\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"smoothLines\":true,\"scale\":\"linear\",\"interpolate\":\"linear\",\"mode\":\"stacked\",\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"ts\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"version\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 383 | "uiStateJSON": "{}", 384 | "description": "", 385 | "savedSearchId": "ssl", 386 | "version": 1, 387 | "kibanaSavedObjectMeta": { 388 | "searchSourceJSON": "{\"filter\":[]}" 389 | } 390 | } 391 | }, 392 | { 393 | "_id": "ssl-server-name", 394 | "_type": "visualization", 395 | "_source": { 396 | "title": "ssl server name", 397 | "visState": "{\"type\":\"area\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"smoothLines\":true,\"scale\":\"linear\",\"interpolate\":\"linear\",\"mode\":\"stacked\",\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"ts\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"server_name\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 398 | "uiStateJSON": "{}", 399 | "description": "", 400 | "savedSearchId": "ssl", 401 | "version": 1, 402 | "kibanaSavedObjectMeta": { 403 | "searchSourceJSON": "{\"filter\":[]}" 404 | } 405 | } 406 | }, 407 | { 408 | "_id": 
"dns-answer", 409 | "_type": "visualization", 410 | "_source": { 411 | "title": "dns answer", 412 | "visState": "{\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"answers\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 413 | "uiStateJSON": "{}", 414 | "description": "", 415 | "savedSearchId": "dns-conn", 416 | "version": 1, 417 | "kibanaSavedObjectMeta": { 418 | "searchSourceJSON": "{\"filter\":[]}" 419 | } 420 | } 421 | }, 422 | { 423 | "_id": "connection-state", 424 | "_type": "visualization", 425 | "_source": { 426 | "title": "connection state", 427 | "visState": "{\"type\":\"area\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"smoothLines\":true,\"scale\":\"linear\",\"interpolate\":\"linear\",\"mode\":\"stacked\",\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"ts\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"conn_state\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 428 | "uiStateJSON": "{}", 429 | "description": "", 430 | "savedSearchId": "connection", 431 | "version": 1, 432 | "kibanaSavedObjectMeta": { 433 | "searchSourceJSON": "{\"filter\":[]}" 434 | } 435 | } 436 | }, 437 | { 438 | "_id": "intel-indicator-type", 439 | "_type": "visualization", 440 | "_source": { 441 | "title": "intel indicator type", 442 | "visState": 
"{\"type\":\"area\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"ts\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"seen_indicator_type\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 443 | "uiStateJSON": "{}", 444 | "description": "", 445 | "savedSearchId": "intel", 446 | "version": 1, 447 | "kibanaSavedObjectMeta": { 448 | "searchSourceJSON": "{\"filter\":[]}" 449 | } 450 | } 451 | }, 452 | { 453 | "_id": "intel-seen-where", 454 | "_type": "visualization", 455 | "_source": { 456 | "title": "intel seen where", 457 | "visState": "{\"type\":\"area\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"ts\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"seen_where\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 458 | "uiStateJSON": "{}", 459 | "description": "", 460 | "savedSearchId": "intel", 461 | "version": 1, 462 | "kibanaSavedObjectMeta": { 463 | "searchSourceJSON": "{\"filter\":[]}" 464 | } 465 | } 466 | }, 467 | { 468 | 
"_id": "intel-sources", 469 | "_type": "visualization", 470 | "_source": { 471 | "title": "intel sources", 472 | "visState": "{\"type\":\"area\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"ts\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"sources\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 473 | "uiStateJSON": "{}", 474 | "description": "", 475 | "savedSearchId": "intel", 476 | "version": 1, 477 | "kibanaSavedObjectMeta": { 478 | "searchSourceJSON": "{\"filter\":[]}" 479 | } 480 | } 481 | }, 482 | { 483 | "_id": "weird-name", 484 | "_type": "visualization", 485 | "_source": { 486 | "title": "weird name", 487 | "visState": "{\"type\":\"area\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"smoothLines\":true,\"scale\":\"linear\",\"interpolate\":\"linear\",\"mode\":\"stacked\",\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"ts\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"name\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 488 | "uiStateJSON": "{}", 489 | "description": "", 490 | "savedSearchId": "weird", 491 | "version": 1, 492 | 
"kibanaSavedObjectMeta": { 493 | "searchSourceJSON": "{\"filter\":[]}" 494 | } 495 | } 496 | }, 497 | { 498 | "_id": "http-host", 499 | "_type": "visualization", 500 | "_source": { 501 | "title": "http host", 502 | "visState": "{\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"host\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 503 | "uiStateJSON": "{}", 504 | "description": "", 505 | "savedSearchId": "http", 506 | "version": 1, 507 | "kibanaSavedObjectMeta": { 508 | "searchSourceJSON": "{\"filter\":[]}" 509 | } 510 | } 511 | }, 512 | { 513 | "_id": "http-uri", 514 | "_type": "visualization", 515 | "_source": { 516 | "title": "http uri", 517 | "visState": "{\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"uri\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 518 | "uiStateJSON": "{}", 519 | "description": "", 520 | "savedSearchId": "http", 521 | "version": 1, 522 | "kibanaSavedObjectMeta": { 523 | "searchSourceJSON": "{\"filter\":[]}" 524 | } 525 | } 526 | } 527 | ] 528 | -------------------------------------------------------------------------------- /scripts/packets-consumer.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | from select import select 3 | import pybroker 4 | 5 | def get_fields(fields, n_fields): 6 | new_fields = [] 7 | for n in range(n_fields): 8 | f = fields[n] 9 | if f.valid(): 10 | new_fields.append(f.get()) 11 | else: 12 | new_fields.append(None) 13 | return new_fields 14 | 15 | def ppkt(p): 16 | rec = 
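p.as_record()
    # The original followed this with `rec = ip.as_record()` -- `ip` is never
    # defined, so every packet raised NameError -- and read rec.fields() twice.
    fields = [f for f in rec.fields()]
    print(fields)


def pmsg(msg_type, obj):
    """Dispatch one broker message to the printer registered for its type.

    `msg_type` is a broker data value whose string form selects the handler;
    `obj` is passed to that handler unchanged.  A message of a type with no
    handler is reported on stderr and dropped, instead of raising KeyError
    and ending the consumer loop in main().
    """
    import sys

    name = msg_type.as_string()
    handler = {
        "bro_packet": ppkt,
    }.get(name)
    if handler is None:
        sys.stderr.write("packets-consumer: ignoring message type %r\n" % (name,))
        return
    # print "%s: " % msg_type,
    handler(obj)


def main():
    """Peer with the broker endpoint on 127.0.0.1:9999, report the outgoing
    connection status once, then print every message on "bro/event" forever."""
    epc = pybroker.endpoint("connector")
    epc.peer("127.0.0.1", 9999, 1)
    ocsq = epc.outgoing_connection_status()
    select([ocsq.fd()], [], [])
    for m in ocsq.want_pop():
        print("outgoing connection", m.peer_name, m.status)

    mql = pybroker.message_queue("bro/event", epc)

    while True:
        # block until the queue's fd is readable, then drain it
        select([mql.fd()], [], [])
        for m in mql.want_pop():
            pmsg(*m)


main()
--------------------------------------------------------------------------------
/scripts/remove-mapping.sh:
--------------------------------------------------------------------------------
curl -XDELETE elasticsearch:9200/_template/fixstrings_bro
--------------------------------------------------------------------------------
/scripts/start-elastic.sh:
--------------------------------------------------------------------------------
docker create -v /usr/share/elasticsearch/data --name elastic-data-master danielguerra/empty-elastic-data /bin/true
docker create -v /usr/share/elasticsearch/data --name elastic-data-node01 danielguerra/empty-elastic-data /bin/true
docker create -v /usr/share/elasticsearch/data --name elastic-data-node02 danielguerra/empty-elastic-data /bin/true
docker run -d --volumes-from elastic-data-master --hostname=elasticsearch-master --name elasticsearch-master elasticsearch -Des.network.bind_host=elasticsearch-master --cluster.name=bro --node.name=elasticsearch-master --discovery.zen.ping.multicast.enabled=false --network.host=elasticsearch-master
docker run -d --volumes-from elastic-data-node01 --hostname=elasticsearch-node01 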
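--name elasticsearch-node01 --link=elasticsearch-master:master elasticsearch -Des.network.bind_host=elasticsearch-node01 --cluster.name=bro --node.name=elasticsearch-node01 --discovery.zen.ping.unicast.hosts=master:9300 --network.host=elasticsearch-node01
docker run -d --volumes-from elastic-data-node02 --hostname=elasticsearch-node02 --name elasticsearch-node02 --link=elasticsearch-master:master elasticsearch -Des.network.bind_host=elasticsearch-node02 --cluster.name=bro --node.name=elasticsearch-node02 --discovery.zen.ping.unicast.hosts=master:9300 --network.host=elasticsearch-node02
--------------------------------------------------------------------------------
/scripts/update-intel.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Refresh the Bro intel files under bro-extra from the mal-dnssearch feeds.
#
# Each feed is written to a temporary file and only moved into place when the
# download pipeline succeeded and produced at least one indicator line.
# Previously every feed was redirected straight into its .intel file, so a feed
# that was unreachable (mayhemic, see below) silently truncated the file and
# Bro's Intel framework lost those indicators until the next successful run.
set -o pipefail

INTEL_DIR=/usr/local/bro/share/bro/bro-extra
cd /tmp || exit 1

# fetch_intel FEED TYPE SOURCE FILE
#   FEED   - mal-dnssearch list name (-M)
#   TYPE   - indicator type handed to mal-dns2bro (-T): ip or dns
#   SOURCE - source label handed to mal-dns2bro (-s)
#   FILE   - file name under $INTEL_DIR to replace
# The previous file is left untouched when the feed fails or comes back empty;
# returns 1 in that case.
fetch_intel() {
    local feed=$1 type=$2 source=$3 out="$INTEL_DIR/$4" tmp
    tmp=$(mktemp "$INTEL_DIR/.$4.XXXXXX") || return 1
    # grep -qv '^#' succeeds only if a non-header line exists, i.e. the feed
    # actually contributed indicators rather than just the column header.
    if mal-dnssearch -M "$feed" -p | mal-dns2bro -n true -T "$type" -s "$source" > "$tmp" \
        && grep -qv '^#' "$tmp"; then
        mv "$tmp" "$out"
    else
        echo "update-intel: feed '$feed' failed or was empty, keeping $out" >&2
        rm -f "$tmp"
        return 1
    fi
}

# mayhemic is offline ??
fetch_intel mayhemic   dns mayhemic-mallware   mayhemic.intel
fetch_intel ciarmy     ip  ciarmy-badguys      ciarmy.intel
fetch_intel malips     ip  malips              malips.intel
fetch_intel botcc      ip  botcc-troyan        botcc.intel
fetch_intel malhosts   dns malhosts-dns        malhosts.intel
fetch_intel mandiant   dns mandiant-mal-dns    mandiant.intel
fetch_intel snort      ip  snort-ip-filter     snort.intel
fetch_intel alienvault ip  alienvault-scanhost alienvault.intel
mal-dnssearch -M et_ips -p | mal-dns2bro -T ip -n true -s et_ps_compromised > 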
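/usr/local/bro/share/bro/bro-extra/compromised.intel
# NOTE(review): this second snort line rewrites snort.intel without the
# "-n true" given for the same feed earlier in this script, so the final file
# differs from the first write; keep one of the two.
mal-dnssearch -M snort -p | mal-dns2bro -T ip -s snort-ip-filter > /usr/local/bro/share/bro/bro-extra/snort.intel
# update_tor_serverlist.py exits non-zero when it fetched nothing, so the "&&"
# keeps a failed download from truncating tor.intel.
/usr/bin/python /scripts/update_tor_serverlist.py && mal-dns2bro -T ip -n true -f /tmp/tor_servers.txt -s tor-server > /usr/local/bro/share/bro/bro-extra/tor.intel
--------------------------------------------------------------------------------
/scripts/update_tor_serverlist.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
#
# Fetch the list of Tor server IPs and write it to SERVERS_FILE, one entry per
# line, for update-intel.sh to turn into Bro intel (mal-dns2bro -f).
#
import sys
import urllib

# Fetched over plain HTTP with no integrity check, so whatever the network
# path returns for this URL ends up in the intel feed unvalidated.
TOR_SERVERLIST_URL = "http://torstatus.blutmagie.de/ip_list_all.php/Tor_ip_list_ALL.csv"
# Shared contract with update-intel.sh, which reads exactly this path (-f).
SERVERS_FILE = "/tmp/tor_servers.txt"

servers = set()


def update_server_list():
    """Download TOR_SERVERLIST_URL and add each non-empty line to `servers`.

    Raises IOError when the download fails or answers with a non-200 status;
    main() lets that propagate so the shell wrapper's "&&" chain stops.
    """
    f = urllib.urlopen(TOR_SERVERLIST_URL)
    try:
        # urllib.urlopen does not raise on an HTTP error status; without this
        # check an error page would be stored as "servers".
        code = f.getcode()
        if code is not None and code != 200:
            raise IOError("HTTP %s fetching %s" % (code, TOR_SERVERLIST_URL))
        for line in f:
            server = line.rstrip()
            if server:
                servers.add(server)
    finally:
        f.close()


def write_server_list():
    """Write `servers` to SERVERS_FILE, one per line, sorted for stable output.

    Exits with status 1 when nothing was fetched, so the previous file (and
    the tor.intel built from it) is not replaced by an empty list.  The
    original called sys.exit() without importing sys, which crashed with
    NameError instead.
    """
    if not servers:
        sys.stderr.write("update_tor_serverlist: no servers fetched, not writing %s\n" % SERVERS_FILE)
        sys.exit(1)

    with open(SERVERS_FILE, "w") as sf:
        for server in sorted(servers):
            sf.write("%s\n" % server)


def main():
    """Fetch the list, then write it."""
    update_server_list()
    write_server_list()


if __name__ == "__main__":
    main()
--------------------------------------------------------------------------------
/supervisord.conf:
--------------------------------------------------------------------------------
[supervisord]
nodaemon=true

; Both programs run as root; xinetd in turn starts the bro services with the
; user set in /xinetd/* (also root there).
[program:xinetd]
command=/usr/sbin/xinetd -dontfork
user=root
autorestart=true
priority=100

[program:apache2]
command=/etc/init.d/apache2 start
user=root
priority=200
--------------------------------------------------------------------------------
/xinetd/bro:
--------------------------------------------------------------------------------
# Network service that runs bro over a capture supplied by the connecting
# client (server_args below).
service bro
{
    socket_type = stream
    wait = no
    user = root
    group = root
    server = 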
/usr/local/bro/bin/bro
    # "-r -" makes bro read a pcap from standard input, i.e. from whatever the
    # remote client sends on the socket.  That untrusted capture is parsed
    # with the privileges set above (user/group root); nothing visible here
    # needs root just to read stdin, so an unprivileged service user would
    # limit the impact of a parser bug.
    server_args = -r -
    # Up to 300 concurrent bro processes.  No per_source or cps limit is set,
    # so one client can reach that ceiling on its own.
    instances = 300
}
--------------------------------------------------------------------------------
/xinetd/bro-amqp:
--------------------------------------------------------------------------------
# Same shape as /xinetd/bro, but the client's data is handed to a wrapper
# script rather than to bro directly; the same root/instances notes apply.
service bro
{
    socket_type = stream
    wait = no
    user = root
    group = root
    server = /scripts/bro-amqp.sh
    # AMQPCONF is presumably substituted with the real configuration when the
    # role is set up -- TODO confirm against the role/ scripts.
    server_args = AMQPCONF
    instances = 300
}
--------------------------------------------------------------------------------
/xinetd/bro-forensic:
--------------------------------------------------------------------------------
# Wrapper-script variant of /xinetd/bro; same root/instances notes apply.
service bro
{
    socket_type = stream
    wait = no
    user = root
    group = root
    server = /scripts/bro-forensic.sh
    # FORENSICCONF is presumably substituted at role setup -- TODO confirm.
    server_args = FORENSICCONF
    instances = 300
}
--------------------------------------------------------------------------------
/xinetd/bro-forensic-crc:
--------------------------------------------------------------------------------
# Wrapper-script variant of /xinetd/bro; same root/instances notes apply.
service bro
{
    socket_type = stream
    wait = no
    user = root
    group = root
    server = /scripts/bro-forensic-crc.sh
    # FORENSICCONF is presumably substituted at role setup -- TODO confirm.
    server_args = FORENSICCONF
    instances = 300
}
--------------------------------------------------------------------------------
/xinetd/bro-splunk:
--------------------------------------------------------------------------------
# Wrapper-script variant of /xinetd/bro; same root/instances notes apply.
service bro
{
    socket_type = stream
    wait = no
    user = root
    group = root
    server = /scripts/bro-splunk.sh
    # SPLUNKCONF is presumably substituted at role setup -- TODO confirm.
    server_args = SPLUNKCONF
    instances = 300
}
--------------------------------------------------------------------------------