GitHub user nickwallen opened a pull request:

    https://github.com/apache/incubator-metron/pull/545

    METRON-883 Capture Bro Plugin Enhancements from bro/bro-plugins

    
    There are two versions of the Bro Kafka Plugin.  I authored both of these and contributed one to Metron and the other to Bro itself.  The original goal of doing this was to eventually deprecate the version maintained in Metron, so that the wider community of Bro could use and support the plugin.
    
    Since this time, Bro has created a plugin management mechanism and is no longer wanting to host plugins.  They are asking individual maintainers to create their own Github repositories to maintain these plugins.  This will require us to continue to support the Bro Kafka Plugin in Metron.
    
    I had contributed additional enhancements to the version in bro/bro-plugins, which I would like to contribute back to Metron proper, since that is now the version that will live on.  The enhancements address a potential thread-safety issue and also allow data from Bro to be directed to separate Kafka topics.
    
    This will enable some follow-on work to package the plugin using Bro's package mechanism.
    
    Validation
    ----------
    
    The following steps can be used to validate the PR.
    
    1. Create a working directory.
    
       ```
       mkdir metron-temp
       cd metron-temp
       ```
    
    1.  Launch a CentOS host.
    
        ```
        vagrant init bento/centos-6.7
        vagrant up
        vagrant ssh
        ```
    
    1. Install some dependencies.
    
        ```
        sudo su -
        yum -y install epel-release
        yum -y install "@Development tools" java-1.8.0-openjdk cmake libpcap-devel openssl-devel python-devel
        ```
    
    1. Create a new Yum repository by creating the file 
`/etc/yum.repos.d/HDP.repo` with the following content.  This will allow us to 
install Kafka.
    
        ```
        [HDP-2.5]
        name=HDP-2.5
        baseurl=http://public-repo-1.hortonworks.com/HDP/centos7/2.x/updates/2.5.3.0
        path=/
        enabled=1
        gpgcheck=0
        ```
    
    1. Install and start Kafka.
    
        ```
        yum -y install kafka
        export PATH=$PATH:/usr/hdp/current/kafka-broker/bin
        zookeeper-server start
        kafka start
        ```
    
    1. Install Librdkafka.
    
        ```
        wget https://github.com/edenhill/librdkafka/archive/v0.9.4.tar.gz -O - | tar -xz
        cd librdkafka-0.9.4/
        ./configure --prefix=/usr
        make
        make install
        ```
    
    1. Add Librdkafka to our default load path.
    
        ```
        echo "/usr/lib" >> /etc/ld.so.conf.d/bro-plugin.conf
        ldconfig -v
        ```
    
    1. Build and install Bro.
    
        ```
        cd ~
        yum -y install cmake libpcap-devel openssl-devel python-devel
        wget https://www.bro.org/downloads/release/bro-2.4.1.tar.gz -O - | tar -xz
        cd bro-2.4.1
        ./configure --prefix=/usr
        make
        make install
        ```
    
    1. Fetch the code from this PR.
    
        ```
        cd ~
        git clone https://github.com/apache/incubator-metron
        cd incubator-metron
        git pull origin pull/XXX/head
        ```
    
    1. Install the Bro Plugin.
    
        ```
        cd ~/incubator-metron/metron-sensors/bro-plugin-kafka
        ./configure --bro-dist=/root/bro-2.4.1 --install-root=/usr/lib/bro/plugins/ --with-librdkafka=/usr
        make
        make install
        ```
    
    1. Add the following to `/usr/share/bro/site/local.bro`
    
        ```
        @load Bro/Kafka/logs-to-kafka.bro
        redef Kafka::logs_to_send = set(HTTP::LOG, DNS::LOG);
        redef Kafka::topic_name = "bro";
        redef Kafka::tag_json = T;
        redef Kafka::kafka_conf = table( ["metadata.broker.list"] = "localhost:9092" );
        ```
    
    1. Create a virtual interface called `tap0` to listen on.
    
       ```
       yum install -y tunctl
       tunctl -p
       ifconfig tap0 10.0.0.1 up
       ip link set tap0 promisc on
       ```
    
    1. Configure Bro to listen on virtual interface.
    
        ```
        sed -i 's/eth0/tap0/g' /usr/etc/node.cfg
        ```
    
    1. Create a Kafka topic called `bro`.
    
        ```
        kafka-topics.sh --zookeeper localhost:2181 --create --topic bro --partitions 1 --replication-factor 1
        ```
    
    1. Make sure the Bro changes are installed and start Bro.
    
        ```
        broctl deploy
        ```
    
    1. Grab an example pcap file and replay some packet data through `tap0`.   
Keep this running in a separate session.
    
       ```
       wget https://github.com/apache/incubator-metron/raw/master/metron-deployment/roles/sensor-test-mode/files/example.pcap
       yum -y install tcpreplay
       tcpreplay -i tap0 --loop=0 --stats=5 example.pcap
       ```
    
    1. Ensure that data is hitting the `bro` topic in Kafka.
    
       ```
       [root@localhost ~]# kafka-console-consumer.sh --zookeeper localhost:2181 --topic bro --from-beginning
       OpenJDK 64-Bit Server VM warning: If the number of processors is expected to increase from one, then you should configure the number of parallel GC threads appropriately using -XX:ParallelGCThreads=N
       {metadata.broker.list=localhost:9092, request.timeout.ms=30000, client.id=console-consumer-64669, security.protocol=PLAINTEXT}
       {"dns": {"ts":1493057575.978069,"uid":"CVttjf9fz4081JAwd","id.orig_h":"10.0.2.15","id.orig_p":36214,"id.resp_h":"10.0.2.3","id.resp_p":53,"proto":"udp","trans_id":19156,"query":"github.com","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":true,"Z":0,"answers":["192.30.253.113","192.30.253.112"],"TTLs":[41.0,41.0],"rejected":false}}
       {"dns": {"ts":1493057576.083925,"uid":"CRcPNQ18zLEP8lJ7Hb","id.orig_h":"10.0.2.15","id.orig_p":51495,"id.resp_h":"10.0.2.3","id.resp_p":53,"proto":"udp","trans_id":63624,"rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":false,"Z":0,"rejected":false}}
       {"dns": {"ts":1493057576.567493,"uid":"CR0XXs39ZZ4QSthcU6","id.orig_h":"10.0.2.15","id.orig_p":50301,"id.resp_h":"10.0.2.3","id.resp_p":53,"proto":"udp","trans_id":29346,"query":"github.com","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":true,"Z":0,"answers":["192.30.253.113","192.30.253.112"],"TTLs":[48.0,48.0],"rejected":false}}
       {"dns": {"ts":1493057576.613803,"uid":"C7bZL53vkLeoXclrO4","id.orig_h":"10.0.2.15","id.orig_p":40789,"id.resp_h":"10.0.2.3","id.resp_p":53,"proto":"udp","trans_id":28614,"rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":false,"Z":0,"rejected":false}}
       ```
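As an added check for the last step (this script is not part of the PR or of the plugin itself), the following Python takes the console consumer output above, embedded here as a constructed sample, skips the JVM warning and the consumer's property dump (which starts with `{` but is not JSON), unwraps the `{"<log>": {...}}` form that `redef Kafka::tag_json = T` produces, verifies that every record carries `ts` and `uid`, and counts records per Bro log type. The function names, the `REQUIRED_FIELDS` list and the sample text are assumptions of this example.

```python
import json
from collections import Counter

# Constructed sample of the kafka-console-consumer.sh output from the
# validation step: a JVM warning, the consumer's property dump (starts with
# "{" but is not JSON) and four Bro dns records wrapped by tag_json = T.
SAMPLE_CONSUMER_OUTPUT = """\
OpenJDK 64-Bit Server VM warning: If the number of processors is expected to increase from one, then you should configure the number of parallel GC threads appropriately using -XX:ParallelGCThreads=N
{metadata.broker.list=localhost:9092, request.timeout.ms=30000, client.id=console-consumer-64669, security.protocol=PLAINTEXT}
{"dns": {"ts":1493057575.978069,"uid":"CVttjf9fz4081JAwd","id.orig_h":"10.0.2.15","id.orig_p":36214,"id.resp_h":"10.0.2.3","id.resp_p":53,"proto":"udp","trans_id":19156,"query":"github.com","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":true,"Z":0,"answers":["192.30.253.113","192.30.253.112"],"TTLs":[41.0,41.0],"rejected":false}}
{"dns": {"ts":1493057576.083925,"uid":"CRcPNQ18zLEP8lJ7Hb","id.orig_h":"10.0.2.15","id.orig_p":51495,"id.resp_h":"10.0.2.3","id.resp_p":53,"proto":"udp","trans_id":63624,"rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":false,"Z":0,"rejected":false}}
{"dns": {"ts":1493057576.567493,"uid":"CR0XXs39ZZ4QSthcU6","id.orig_h":"10.0.2.15","id.orig_p":50301,"id.resp_h":"10.0.2.3","id.resp_p":53,"proto":"udp","trans_id":29346,"query":"github.com","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":true,"Z":0,"answers":["192.30.253.113","192.30.253.112"],"TTLs":[48.0,48.0],"rejected":false}}
{"dns": {"ts":1493057576.613803,"uid":"C7bZL53vkLeoXclrO4","id.orig_h":"10.0.2.15","id.orig_p":40789,"id.resp_h":"10.0.2.3","id.resp_p":53,"proto":"udp","trans_id":28614,"rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":false,"Z":0,"rejected":false}}
"""

# Assumed minimum every Bro log record carries; a record without them means the
# plugin emitted something other than a complete log line.
REQUIRED_FIELDS = ("ts", "uid")


def parse_tagged_record(line):
    """Parse one line of consumer output.

    Returns (log_type, record) for a record wrapped as {"<log>": {...}} by
    tag_json = T, or None for lines that are not such a record (the JVM
    warning, the property dump, blank lines). Raises ValueError if a record
    lacks a required field.
    """
    line = line.strip()
    if not line.startswith("{"):
        return None
    try:
        obj = json.loads(line)
    except ValueError:
        # e.g. "{metadata.broker.list=...}" printed by the consumer itself
        return None
    if not isinstance(obj, dict) or len(obj) != 1:
        return None
    (log_type, record), = obj.items()
    if not isinstance(record, dict):
        return None
    missing = [f for f in REQUIRED_FIELDS if f not in record]
    if missing:
        raise ValueError("%s record is missing %s" % (log_type, missing))
    return log_type, record


def summarize(consumer_output):
    """Count records per Bro log type and collect the DNS queries seen."""
    counts = Counter()
    skipped = 0
    dns_queries = []
    for line in consumer_output.splitlines():
        if not line.strip():
            continue
        parsed = parse_tagged_record(line)
        if parsed is None:
            skipped += 1
            continue
        log_type, record = parsed
        counts[log_type] += 1
        # Records without a "query" field (two in the sample) are counted
        # but not listed.
        if log_type == "dns" and "query" in record:
            dns_queries.append((record["query"], record.get("answers", [])))
    return {"counts": dict(counts), "skipped": skipped, "dns_queries": dns_queries}


if __name__ == "__main__":
    result = summarize(SAMPLE_CONSUMER_OUTPUT)
    print("records per log type:", result["counts"])
    print("non-record lines skipped:", result["skipped"])
    for query, answers in result["dns_queries"]:
        print("dns query %s -> %s" % (query, answers))
```

Piping the real consumer into it (`kafka-console-consumer.sh ... | python3 check.py` with `sys.stdin.read()` in place of the sample) gives a quick per-log sanity check once `Kafka::logs_to_send` is widened beyond `HTTP::LOG` and `DNS::LOG`.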
    
    
    ## Pull Request Checklist
    
    - [X] Is there a JIRA ticket associated with this PR? If not one needs to be created at [Metron Jira](https://issues.apache.org/jira/browse/METRON/?selectedTab=com.atlassian.jira.jira-projects-plugin:summary-panel).
    - [X] Does your PR title start with METRON-XXXX where XXXX is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character.
    - [X] Has your PR been rebased against the latest commit within the target branch (typically master)?
    - [X] Have you included steps to reproduce the behavior or problem that is being changed or addressed?
    - [X] Have you included steps or a guide to how the change may be verified and tested manually?
    - [X] Have you ensured that the full suite of tests and checks have been executed in the root incubating-metron folder via:
    - [X] If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under [ASF 2.0](http://www.apache.org/legal/resolved.html#category-a)?
    - [X] Have you verified the basic functionality of the build by building and running locally with Vagrant full-dev environment or the equivalent?
    
    


You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/nickwallen/incubator-metron METRON-883

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/incubator-metron/pull/545.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #545
    
----
commit 2249b31211dd5856a9ae63fa03623091aeb5a983
Author: Nick Allen <n...@nickallen.org>
Date:   2017-04-24T17:35:32Z

    METRON-883 Capture Bro Plugin Enhancements from bro/bro-plugins

----

