Installing Bro on Ubuntu and parsing Bro's network protocol logs with Logstash

1. Install the dependency packages:

sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev

2. Download the .deb package and install Bro:

sudo gdebi Bro-*.deb

3. Configure the environment variable:

vi ~/.bashrc

Then add one line at the end of the file to put the directory containing Bro's commands on $PATH, as follows:

export PATH=/usr/local/bro/bin:$PATH

/usr/local/bro/bin is the default directory for the Bro commands.

4. Set up the BroControl console:

A Minimal Starting Configuration

These are the basic configuration changes to make for a minimal BroControl installation that will manage a single Bro instance on the localhost:

  1. In $PREFIX/etc/node.cfg, set the right interface to monitor.

  2. In $PREFIX/etc/networks.cfg, comment out the default settings and add the networks that Bro will consider local to the monitored environment.

  3. In $PREFIX/etc/broctl.cfg, change the MailTo email address to a desired recipient and the LogRotationInterval to a desired log archival frequency.


broctl

[BroControl] > install
[BroControl] > start
[BroControl] > stop
[BroControl] > quit

Verify the installation:

bro -v

bro version 2.3.1


Viewing the logs:

The logs are located in $PREFIX/logs/current; the following protocols are supported:

Log File                    Description                                  Field Descriptions
conn.log                    TCP/UDP/ICMP connections                     Conn::Info
dhcp.log                    DHCP leases                                  DHCP::Info
dnp3.log                    DNP3 requests and replies                    DNP3::Info
dns.log                     DNS activity                                 DNS::Info
ftp.log                     FTP activity                                 FTP::Info
http.log                    HTTP requests and replies                    HTTP::Info
irc.log                     IRC commands and responses                   IRC::Info
modbus.log                  Modbus commands and responses                Modbus::Info
modbus_register_change.log  Tracks changes to Modbus holding registers   Modbus::MemmapInfo
radius.log                  RADIUS authentication attempts               RADIUS::Info
smtp.log                    SMTP transactions                            SMTP::Info
snmp.log                    SNMP messages                                SNMP::Info
socks.log                   SOCKS proxy requests                         SOCKS::Info
ssh.log                     SSH connections                              SSH::Info
ssl.log                     SSL/TLS handshake info                       SSL::Info
syslog.log                  Syslog messages                              Syslog::Info
tunnel.log                  Tunneling protocol events                    Tunnel::Info


References:

https://www.bro.org/sphinx-git/install/install.html
https://www.bro.org/sphinx-git/quickstart/index.html#id3
https://www.bro.org/sphinx-git/script-reference/log-files.html   (log file descriptions)
http://www.appliednsm.com/parsing-bro-logs-with-logstash/   (parsing Bro logs with Logstash)

Logstash configuration for parsing http.log and ssl.log:

input {
  file {
    type => "BRO_httplog"
    path => "/opt/bro2/logs/current/http.log"
  }
  file {
    type => "BRO_SSLlog"
    path => "/opt/bro2/logs/current/ssl.log"
  }
}

filter {
  # Bro's ASCII logs begin with #separator/#fields/#types header lines and end
  # with a #close line; none of these are records, so drop them.
  if [message] =~ /^#/ {
    drop { }
  } else {
    # BRO_httplog ######################
    # The capture order must match the #fields header of the http.log being read.
    if [type] == "BRO_httplog" {
      grok {
        match => [ "message", "(?<ts>(.*?))\t(?<uid>(.*?))\t(?<id.orig_h>(.*?))\t(?<id.orig_p>(.*?))\t(?<id.resp_h>(.*?))\t(?<id.resp_p>(.*?))\t(?<trans_depth>(.*?))\t(?<method>(.*?))\t(?<host>(.*?))\t(?<uri>(.*?))\t(?<referrer>(.*?))\t(?<user_agent>(.*?))\t(?<request_body_len>(.*?))\t(?<response_body_len>(.*?))\t(?<status_code>(.*?))\t(?<status_msg>(.*?))\t(?<info_code>(.*?))\t(?<info_msg>(.*?))\t(?<filename>(.*?))\t(?<tags>(.*?))\t(?<username>(.*?))\t(?<password>(.*?))\t(?<proxied>(.*?))\t(?<orig_fuids>(.*?))\t(?<orig_mime_types>(.*?))\t(?<resp_fuids>(.*?))\t(?<resp_mime_types>(.*))" ]
      }
    }
    # BRO_SSLlog ######################
    # Likewise, the capture order must match the #fields header of ssl.log.
    if [type] == "BRO_SSLlog" {
      grok {
        match => [ "message", "(?<ts>(.*?))\t(?<uid>(.*?))\t(?<id.orig_h>(.*?))\t(?<id.orig_p>(.*?))\t(?<id.resp_h>(.*?))\t(?<id.resp_p>(.*?))\t(?<version>(.*?))\t(?<cipher>(.*?))\t(?<server_name>(.*?))\t(?<session_id>(.*?))\t(?<subject>(.*?))\t(?<issuer_subject>(.*?))\t(?<not_valid_before>(.*?))\t(?<not_valid_after>(.*?))\t(?<last_alert>(.*?))\t(?<client_subject>(.*?))\t(?<client_issuer_subject>(.*?))\t(?<cert_hash>(.*?))\t(?<validation_status>(.*))" ]
      }
    }
  }
}

output {
  elasticsearch { embedded => true }
}
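The grok patterns above match http.log and ssl.log columns by position, which silently mis-labels fields as soon as a Bro version or local policy adds or reorders a column. As an added example (not from the original post or the linked article), here is a Python parser that instead reads the #separator, #fields and #types header lines Bro writes and uses them to name and type every column; the sample log is constructed and shortened to a subset of the real http.log fields.

```python
# Constructed sample of a Bro 2.3-style http.log, shortened to a subset of the
# real #fields list; the parser reads the header, so the column set may vary.
SAMPLE_HTTP_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi\tstatus_code\ttags\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring\tcount\tset[enum]\n"
    "1420070400.123456\tCXWv6p3arKYeMETxOg\t10.0.0.5\t51234\t93.184.216.34\t80\tGET\texample.com\t/\t200\t(empty)\n"
    "1420070401.654321\tC4J4Th3PJpwUYZZ6gc\t10.0.0.7\t51235\t93.184.216.34\t80\tPOST\texample.com\t/login\t-\t-\n"
    "#close\t2015-01-01-00-00-02\n"
)

def convert(raw, typ, hdr):
    """Map one raw column to a Python value according to its Bro #types entry."""
    if raw == hdr["unset_field"]:
        return None                      # field not set in this record ("-")
    if typ.startswith(("set[", "vector[")):
        return [] if raw == hdr["empty_field"] else raw.split(hdr["set_separator"])
    if raw == hdr["empty_field"]:
        return ""
    if typ in ("count", "int", "port"):
        return int(raw)
    if typ in ("time", "interval", "double"):
        return float(raw)
    return raw                           # string, addr, enum, bool, ...

def parse_bro_log(text):
    """Return one dict per record, keyed by the names in the #fields header."""
    sep = "\t"
    hdr = {"set_separator": ",", "empty_field": "(empty)", "unset_field": "-"}
    cols, records = {}, []
    for line in text.splitlines():
        if line.startswith("#separator "):  # written escaped, e.g. \x09 for tab
            sep = line[len("#separator "):].encode().decode("unicode_escape")
        elif line.startswith("#"):
            key, _, value = line[1:].partition(sep)
            if key in hdr:
                hdr[key] = value
            elif key in ("fields", "types"):  # #path/#open/#close carry no data
                cols[key] = value.split(sep)
        elif line:
            values = line.split(sep)
            if len(values) != len(cols.get("fields", ())):
                raise ValueError("record does not match the #fields header")
            types = cols.get("types", [""] * len(values))
            records.append({n: convert(v, t, hdr) for n, v, t in zip(cols["fields"], values, types)})
    return records
```

Feeding the parser's dicts to Logstash (or straight to Elasticsearch) keeps the "-" unset marker distinct from an empty string and turns set/vector columns into lists, which the positional grok patterns cannot do.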
