1. Install the build and runtime dependencies:
sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev
2. Download the .deb package and install Bro (gdebi resolves the package's dependencies):
sudo gdebi Bro-*.deb
3. Set the environment variable:
vi ~/.bashrc
Then append one line at the end of the file that puts the directory holding Bro's executables on $PATH:
export PATH=/usr/local/bro/bin:$PATH
/usr/local/bro/bin is the default location of the executables ($PREFIX/bin, with $PREFIX = /usr/local/bro). Re-open the shell or run `source ~/.bashrc` so the change takes effect before the verification step below.
4. BroControl setup:
A minimal starting configuration. These are the basic configuration changes to make for a minimal BroControl installation that manages a single Bro instance on the localhost ($PREFIX is the install root, /usr/local/bro by default):
- In $PREFIX/etc/node.cfg, set the right interface to monitor.
- In $PREFIX/etc/networks.cfg, comment out the default settings and add the networks that Bro will consider local to the monitored environment.
- In $PREFIX/etc/broctl.cfg, change the MailTo email address to the desired recipient and LogRotationInterval to the desired log archival frequency.
Then start broctl and run the following commands (install applies the configuration, start/stop control the instance):
broctl
[BroControl] > install
[BroControl] > start
[BroControl] > stop
[BroControl] > quit
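The three edits above, applied non-interactively as a shell function. This is an added example and not part of the Bro documentation or the BroControl package; the interface name, mail address and network list it is called with are placeholders, and it assumes GNU sed for in-place editing:

```shell
#!/bin/sh
# Added example (not from the Bro documentation): write the minimal
# BroControl configuration for one standalone instance into $PREFIX/etc.
# PREFIX is the install root (/usr/local/bro for the .deb used above).
set -eu

# set_key FILE KEY VALUE: replace an existing "KEY = ..." line in place
# (GNU sed -i), or append the key if the file does not have it yet.
set_key() {
  file=$1; key=$2; value=$3
  if grep -q "^$key *=" "$file"; then
    sed -i "s|^$key *=.*|$key = $value|" "$file"
  else
    printf '%s = %s\n' "$key" "$value" >> "$file"
  fi
}

# configure_broctl PREFIX IFACE MAILTO [CIDR ...]
configure_broctl() {
  prefix=$1; iface=$2; mailto=$3; shift 3
  etc="$prefix/etc"
  mkdir -p "$etc"

  # node.cfg: a single standalone Bro process on this host, sniffing $iface.
  cat > "$etc/node.cfg" <<EOF
# Written by configure_broctl: one standalone instance on localhost.
[bro]
type=standalone
host=localhost
interface=$iface
EOF

  # networks.cfg: one CIDR per line, optionally followed by a tag.
  # These become Site::local_nets, i.e. what Bro treats as "local".
  : > "$etc/networks.cfg"
  for net in "$@"; do
    printf '%s\tlocal\n' "$net" >> "$etc/networks.cfg"
  done

  # broctl.cfg: keep the packaged defaults and change only the two keys
  # the quick start mentions. LogRotationInterval is in seconds (3600 = hourly).
  [ -f "$etc/broctl.cfg" ] || : > "$etc/broctl.cfg"
  set_key "$etc/broctl.cfg" MailTo "$mailto"
  set_key "$etc/broctl.cfg" LogRotationInterval 3600
}

# Usage (placeholder values):
#   sh configure_broctl.sh /usr/local/bro eth0 secops@example.com 10.0.0.0/8 192.168.0.0/16
if [ $# -ge 3 ]; then
  configure_broctl "$@"
fi
```

After running it, `broctl install` picks up the new files; `broctl check` (a command BroControl provides) is the quick way to confirm node.cfg and the scripts parse before `start`.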
Verification:
bro -v
bro version 2.3.1
Viewing the logs:
The logs of the running instance are in $PREFIX/logs/current. The per-protocol log files Bro writes, and the record type that documents each file's fields, are:
Log File | Description | Field Descriptions |
---|---|---|
conn.log | TCP/UDP/ICMP connections | Conn::Info |
dhcp.log | DHCP leases | DHCP::Info |
dnp3.log | DNP3 requests and replies | DNP3::Info |
dns.log | DNS activity | DNS::Info |
ftp.log | FTP activity | FTP::Info |
http.log | HTTP requests and replies | HTTP::Info |
irc.log | IRC commands and responses | IRC::Info |
modbus.log | Modbus commands and responses | Modbus::Info |
modbus_register_change.log | Tracks changes to Modbus holding registers | Modbus::MemmapInfo |
radius.log | RADIUS authentication attempts | RADIUS::Info |
smtp.log | SMTP transactions | SMTP::Info |
snmp.log | SNMP messages | SNMP::Info |
socks.log | SOCKS proxy requests | SOCKS::Info |
ssh.log | SSH connections | SSH::Info |
ssl.log | SSL/TLS handshake info | SSL::Info |
syslog.log | Syslog messages | Syslog::Info |
tunnel.log | Tunneling protocol events | Tunnel::Info |
References:
https://www.bro.org/sphinx-git/install/install.html (installation)
https://www.bro.org/sphinx-git/quickstart/index.html#id3 (quick start, BroControl configuration)
https://www.bro.org/sphinx-git/script-reference/log-files.html (log file reference)
http://www.appliednsm.com/parsing-bro-logs-with-logstash/ (parsing Bro logs with Logstash; the configuration below is from that article)
input {
  file {
    # One file input per Bro log; "type" is what the filter below switches on.
    type => "BRO_httplog"
    path => "/opt/bro2/logs/current/http.log"
  }
  file {
    type => "BRO_SSLlog"
    path => "/opt/bro2/logs/current/ssl.log"
  }
}
filter {
  # Every Bro log starts with header lines (#separator, #fields, #types, ...)
  # and ends with #close. None of them is a record, so drop them.
  if [message] =~ /^#/ {
    drop { }
  } else {
    # The grok patterns below are positional: each tab-separated column is
    # captured into a name in a fixed order. That order differs between Bro
    # releases (ssl.log in particular changed when certificate details moved
    # to x509.log), so compare each pattern against the #fields header line
    # of the log you are actually ingesting. Unset fields arrive as "-" and
    # empty strings as "(empty)"; the patterns pass both through unchanged.
    # Capture names such as id.orig_h contain dots, which Elasticsearch treats
    # as object nesting (id -> orig_h); rename them if flat fields are wanted.
    # BRO_httplog ######################
    if [type] == "BRO_httplog" {
      grok {
        match => [ "message", "(?<ts>(.*?))\t(?<uid>(.*?))\t(?<id.orig_h>(.*?))\t(?<id.orig_p>(.*?))\t(?<id.resp_h>(.*?))\t(?<id.resp_p>(.*?))\t(?<trans_depth>(.*?))\t(?<method>(.*?))\t(?<host>(.*?))\t(?<uri>(.*?))\t(?<referrer>(.*?))\t(?<user_agent>(.*?))\t(?<request_body_len>(.*?))\t(?<response_body_len>(.*?))\t(?<status_code>(.*?))\t(?<status_msg>(.*?))\t(?<info_code>(.*?))\t(?<info_msg>(.*?))\t(?<filename>(.*?))\t(?<tags>(.*?))\t(?<username>(.*?))\t(?<password>(.*?))\t(?<proxied>(.*?))\t(?<orig_fuids>(.*?))\t(?<orig_mime_types>(.*?))\t(?<resp_fuids>(.*?))\t(?<resp_mime_types>(.*))" ]
      }
    }
    # BRO_SSLlog ######################
    if [type] == "BRO_SSLlog" {
      grok {
        match => [ "message", "(?<ts>(.*?))\t(?<uid>(.*?))\t(?<id.orig_h>(.*?))\t(?<id.orig_p>(.*?))\t(?<id.resp_h>(.*?))\t(?<id.resp_p>(.*?))\t(?<version>(.*?))\t(?<cipher>(.*?))\t(?<server_name>(.*?))\t(?<session_id>(.*?))\t(?<subject>(.*?))\t(?<issuer_subject>(.*?))\t(?<not_valid_before>(.*?))\t(?<not_valid_after>(.*?))\t(?<last_alert>(.*?))\t(?<client_subject>(.*?))\t(?<client_issuer_subject>(.*?))\t(?<cert_hash>(.*?))\t(?<validation_status>(.*))" ]
      }
    }
  }
}
output {
  # The original article used "elasticsearch { embedded => true }", an
  # Elasticsearch node started inside Logstash. That option was removed in
  # Logstash 2.0; point the output at a running cluster instead.
  elasticsearch { hosts => ["localhost:9200"] }
}
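The positional grok patterns above break silently whenever a Bro release reorders or adds columns. The robust way to read Bro's TSV logs is to resolve column positions from the `#fields` header of the file itself. The function below does that with awk; it is an added example written for this page, not code from Bro, Logstash or the referenced article, and the http.log it operates on is a constructed, shortened sample (a subset of the http.log columns listed in the table above) embedded in the block:

```shell
#!/bin/sh
# Added example, not from the page or from the Bro/Logstash projects:
# select columns from a Bro TSV log by name, using the "#fields" header
# instead of a fixed column order. "-" (unset) and "(empty)" are passed
# through exactly as Bro wrote them.
set -eu

# bro_cols FILE FIELD...: print the named fields, tab-separated, for every record.
# Exits 2 if a requested field is not in the header or no header precedes the data.
bro_cols() {
  file=$1; shift
  awk -F '\t' -v want="$*" '
    BEGIN { n = split(want, w, " ") }
    # "#fields" lists one column name per data column; data column = i - 1.
    $1 == "#fields" {
      for (i = 2; i <= NF; i++) pos[$i] = i - 1
      for (j = 1; j <= n; j++)
        if (!(w[j] in pos)) { print ("bro_cols: unknown field " w[j]) > "/dev/stderr"; exit 2 }
      have = 1
      next
    }
    # Remaining "#" lines (#separator, #types, #open, #close, ...) are metadata.
    /^#/ { next }
    !have { print "bro_cols: data before #fields header" > "/dev/stderr"; exit 2 }
    {
      line = ""
      for (j = 1; j <= n; j++) line = line (j > 1 ? "\t" : "") $(pos[w[j]])
      print line
    }' "$file"
}

# Constructed sample in the Bro TSV log format (a shortened http.log with a
# subset of its columns), written to the path given in $1.
write_sample_http_log() {
  {
    printf '#separator \\x09\n'
    printf '#set_separator\t,\n#empty_field\t(empty)\n#unset_field\t-\n#path\thttp\n'
    printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi\tuser_agent\tstatus_code\n'
    printf '#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring\tstring\tcount\n'
    printf '1412164800.123456\tCHhAvVGS1DHFjwGM9\t10.0.0.5\t51234\t93.184.216.34\t80\tGET\texample.com\t/\tcurl/7.35.0\t200\n'
    printf '1412164801.654321\tCz1b9k4Qd2d8aXa6Bf\t10.0.0.5\t51235\t93.184.216.34\t80\tPOST\texample.com\t/login\t-\t-\n'
    printf '#close\t2014-10-01-12-00-02\n'
  } > "$1"
}

# Stand-alone demo: write the sample and list host, method and status code.
demo() {
  f=$(mktemp)
  write_sample_http_log "$f"
  bro_cols "$f" host method status_code
  rm -f "$f"
}

demo
```

The same header-driven approach is what makes a Logstash pipeline survive a Bro upgrade: read the `#fields` line once per file and build the field list from it, rather than hard-coding the column order in a grok pattern.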