GitHub user JonZeolla reopened a pull request:
https://github.com/apache/metron/pull/586
METRON-508 Expand Elasticsearch templates to support the standard bro logs
## Contributor Comments
This PR makes it easier for someone with an existing bro install to send
some of their log files into Metron, based off of a combination of the [bro
documentation](https://www.bro.org/sphinx/script-reference/log-files.html) and
a fresh install of bro 2.5. There are future plans to expand on this via
[METRON-518](https://issues.apache.org/jira/browse/METRON-518) and
[METRON-908](https://issues.apache.org/jira/browse/METRON-908). Specifically,
this attempts to provide initial support for the default-on fields of the following
logs:
- [Conn](https://www.bro.org/sphinx/scripts/base/protocols/conn/main.bro.html#type-Conn::Info)
- [DPD](https://www.bro.org/sphinx-git/scripts/base/frameworks/dpd/main.bro.html#type-DPD::Info)
- [FTP](https://www.bro.org/sphinx/scripts/base/protocols/ftp/info.bro.html#type-FTP::Info)
- [Files](https://www.bro.org/sphinx/scripts/base/frameworks/files/main.bro.html#type-Files::Info)
- [CertsInfo](https://www.bro.org/sphinx/scripts/policy/protocols/ssl/known-certs.bro.html#type-Known::CertsInfo)
- [SMTP](https://www.bro.org/sphinx/scripts/base/protocols/smtp/main.bro.html#type-SMTP::Info)
- [SSL](https://www.bro.org/sphinx/scripts/base/protocols/ssl/main.bro.html#type-SSL::Info)
- [Weird](https://www.bro.org/sphinx/scripts/base/frameworks/notice/weird.bro.html#type-Weird::Info)
- [Notice](https://www.bro.org/sphinx/scripts/base/frameworks/notice/main.bro.html#type-Notice::Info)
- [DHCP](https://www.bro.org/sphinx/scripts/base/protocols/dhcp/main.bro.html#type-DHCP::Info)
- [SSH](https://www.bro.org/sphinx/scripts/base/protocols/ssh/main.bro.html#type-SSH::Info)
- [Software](https://www.bro.org/sphinx/scripts/base/frameworks/software/main.bro.html#type-Software::Info)
- [Radius](https://www.bro.org/sphinx/scripts/base/protocols/radius/main.bro.html#type-RADIUS::Info)
- [X509](https://www.bro.org/sphinx/scripts/base/files/x509/main.bro.html#type-X509::Info)
- [DevicesInfo](https://www.bro.org/sphinx/scripts/policy/misc/known-devices.bro.html#type-Known::DevicesInfo)
## Testing
1. Create a working directory and pull in this PR
```
mkdir ~/metron-508
git clone https://github.com/apache/metron ~/metron-508/metron
cd ~/metron-508/metron
git remote add jonzeolla https://github.com/jonzeolla/metron
git pull jonzeolla METRON-508
```
1. Modify
[this](https://github.com/JonZeolla/metron/blob/METRON-508/metron-deployment/vagrant/full-dev-platform/Vagrantfile#L20)
to remove `sensors,` (to spin up the real sensors).
```
sed -i '' "s/ansibleSkipTags=.*/ansibleSkipTags=\'quick_dev\'/" metron-deployment/vagrant/full-dev-platform/Vagrantfile
```
1. Start up full-dev.
```
cd metron-deployment/vagrant/full-dev-platform
vagrant up
```
1. Set up the environment in full-dev.
```
vagrant ssh
sudo su -
export PATH=$PATH:/usr/local/bro/bin
service monit stop && service sensor-stubs stop bro && broctl stop
yum -y install jq wireshark
```
1. Configure kafka in local.bro.
```
sed -i 's/redef Kafka::logs_to_send = .*/redef Kafka::logs_to_send = set(HTTP::LOG, DNS::LOG, Conn::LOG, DPD::LOG, DHCP::LOG, FTP::LOG, SSH::LOG, SSL::LOG, SMTP::LOG, RADIUS::LOG, Weird::LOG, Files::LOG, Notice::LOG, Software::LOG, Known::CERTS_LOG, Known::DEVICES_LOG, X509::LOG);/' /usr/local/bro/share/bro/site/local.bro
echo "redef Kafka::debug = \"all\";" >> /usr/local/bro/share/bro/site/local.bro
echo "redef Known::cert_tracking = ALL_HOSTS;" >> /usr/local/bro/share/bro/site/local.bro
echo "redef Software::asset_tracking = ALL_HOSTS;" >> /usr/local/bro/share/bro/site/local.bro
sed -i '86 a @load policy/protocols/dhcp/known-devices-and-hostnames.bro' /usr/local/bro/share/bro/site/local.bro
```
1. Monitor the bro kafka topic
```
# Open a new terminal
cd ~/metron-508/metron/metron-deployment/vagrant/full-dev-platform
vagrant ssh
sudo su -
export PATH=$PATH:/usr/local/bro/bin:/usr/hdp/current/kafka-broker/bin
kafka-console-consumer.sh --zookeeper localhost:2181 --topic bro
```
1. Monitor the storm logs.
```
# Open a new terminal
cd ~/metron-508/metron/metron-deployment/vagrant/full-dev-platform
vagrant ssh
sudo su -
export PATH=$PATH:/usr/local/bro/bin:/usr/hdp/current/kafka-broker/bin
# Look at the storm logs (the "failed to parse" errors for ip_src_addr and ip_dst_addr are expected, and should be addressed as a part of METRON-939)
tail -f /var/log/storm/workers-artifacts/indexing-*/*/worker.log | grep -i "org.elasticsearch.index.mapper.MapperParsingException: failed to parse"
# You may want to evaluate worker.log for other errors, but the prior command is helpful to cut through some of the failed indexing of IPv6 addresses
```
1. Run bro against some public pcaps.
```
# In the first of your three terminals
# These are kept separate so that the flat file log output won't stomp the prior ones, for ingest validation
mkdir -p ~/brotmp/nitroba ~/brotmp/example-traffic ~/brotmp/ssh ~/brotmp/ftp ~/brotmp/radius
wget https://www.bro.org/static/traces/exercise-traffic.pcap -O ~/brotmp/example-traffic/exercise-traffic.pcap
wget http://downloads.digitalcorpora.org/corpora/network-packet-dumps/2008-nitroba/nitroba.pcap -O ~/brotmp/nitroba/nitroba.pcap
wget https://www.bro.org/static/traces/ssh.pcap -O ~/brotmp/ssh/ssh.pcap
wget https://github.com/markofu/pcaps/blob/master/PracticalPacketAnalysis/ppa-capture-files/ftp.pcap?raw=true -O ~/brotmp/ftp/ftp.pcap
wget https://github.com/EmpowerSecurityAcademy/wireshark/blob/master/radius_localhost.pcapng?raw=true -O ~/brotmp/radius/radius_localhost.pcapng
cd ~/brotmp/example-traffic
bro -r exercise-traffic.pcap /usr/local/bro/share/bro/site/local.bro -C
cd ~/brotmp/nitroba
bro -r nitroba.pcap /usr/local/bro/share/bro/site/local.bro -C
cd ~/brotmp/ssh
bro -r ssh.pcap /usr/local/bro/share/bro/site/local.bro -C
cd ~/brotmp/ftp
bro -r ftp.pcap /usr/local/bro/share/bro/site/local.bro -C
cd ~/brotmp/radius
editcap -F libpcap radius_localhost.pcapng radius_localhost.pcap
bro -r radius_localhost.pcap /usr/local/bro/share/bro/site/local.bro -C
```
1. Validate that terminals 2 and 3 don't have any errors that you don't
expect.
1. Verify proper indexing in ES and availability in kibana.
```
# Check around and make sure things look okay
declare -a exists notexists
for protocol in http dns conn dpd dhcp ftp ssh ssl smtp radius weird files notice software known_certs x509 known_devices; do
  if [[ $(curl -s -XGET "node1:9200/bro*/_search?q=protocol:${protocol}" | jq '.hits.hits') == '[]' ]]; then
    notexists+=" ${protocol}"
  else
    exists+=" ${protocol}"
  fi
done
if [ ${#notexists[@]} -ne 0 ]; then
  echo -e "\n\n\033[0mThe following do exist in ES: ${exists[@]}\n\033[0;31mThe following do NOT exist in ES: ${notexists[@]}\033[0m"
else
  echo 'All of the log types are in ES! Success!'
fi
unset exists notexists
# Check Kibana. For example:
# http://node1:5000/app/kibana#/visualize/create?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-15y,mode:quick,to:now))&_a=(filters:!(),linked:!f,query:(query_string:(analyze_wildcard:!t,query:'*')),uiState:(),vis:(aggs:!((id:'3',params:(field:protocol,orderBy:'2',size:20),schema:segment,type:terms),(id:'2',schema:metric,type:count)),type:histogram))&indexPattern=bro*&type=histogram
# OPTIONAL testing
# Run `/usr/share/elasticsearch/bin/plugin install mobz/elasticsearch-head` and look around
curl -XGET node1:9200/_cat/indices # First column should be all green
curl -XGET "node1:9200/bro*/_count" # Check the count of entries in the bro index, you can re-run bro against specific PCAPs and watch this increase, etc.
```
## Pull Request Checklist
Thank you for submitting a contribution to Apache Metron.
Please refer to our [Development
Guidelines](https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=61332235)
for the complete guide to follow for contributions.
Please refer also to our [Build Verification
Guidelines](https://cwiki.apache.org/confluence/display/METRON/Verifying+Builds?show-miniview)
for complete smoke testing guides.
In order to streamline the review of the contribution we ask you follow
these guidelines and ask you to double check the following:
### For all changes:
- [X] Is there a JIRA ticket associated with this PR? If not one needs to
be created at [Metron
Jira](https://issues.apache.org/jira/browse/METRON/?selectedTab=com.atlassian.jira.jira-projects-plugin:summary-panel).
- [X] Does your PR title start with METRON-XXXX where XXXX is the JIRA
number you are trying to resolve? Pay particular attention to the hyphen "-"
character.
- [X] Has your PR been rebased against the latest commit within the target
branch (typically master)?
### For code changes:
- [X] Have you included steps to reproduce the behavior or problem that is
being changed or addressed?
- [X] Have you verified the basic functionality of the build by building
and running locally with Vagrant full-dev environment or the equivalent?
#### Note:
Please ensure that once the PR is submitted, you check travis-ci for build
issues and submit an update to your PR as soon as possible.
It is also recommended that [travis-ci](https://travis-ci.org) is set up
for your personal repository such that your branches are built there before
submitting a pull request.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/JonZeolla/metron METRON-508
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/metron/pull/586.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #586
----
commit 28990c61fb249c286f6eaac09be33e529a9dd7f6
Author: Jon Zeolla <[email protected]>
Date: 2017-05-12T13:31:32Z
METRON-508 Expand Elasticsearch templates to support the standard bro logs
commit 04a17479ff2903b0755ce3ada0c4425b387b3c1e
Author: Jon Zeolla <[email protected]>
Date: 2017-05-14T15:42:46Z
First pass at updating the integration tests
commit 314eb285f40e6de82bb64db032d60fc461fcefec
Author: Jon Zeolla <[email protected]>
Date: 2017-05-16T20:53:07Z
Add Known Devices support (leverages DHCP client IDs)
commit a6e7b8fbe8e1723a8ab57f4283e7c93f3d7d5080
Author: Jon Zeolla <[email protected]>
Date: 2017-05-16T20:53:38Z
Fix failed to parse [trans_id] error in ES (Numeric value (X) out of range
of int)
commit 3efad3494599007c9507bd21db6b7585ad002d0c
Author: Jon Zeolla <[email protected]>
Date: 2017-05-20T02:36:10Z
Comment change
commit 121ec28df0e2ed933210b0737e002420d54f9f17
Author: Jon Zeolla <[email protected]>
Date: 2017-05-31T00:44:00Z
Brief Multiline transformation
commit cbfad879ab227ff6c780585f9113cd0d356b75ce
Author: Jon Zeolla <[email protected]>
Date: 2017-06-01T13:34:10Z
Semicolons are hard
commit a1384c0561ac3605150bb59be801a4d4efcb2f21
Author: Jon Zeolla <[email protected]>
Date: 2017-06-01T15:39:56Z
I wish I had more time to work on this
commit ee84084d164a7b0a5cf69d600dae786007ef9ffe
Author: Jon Zeolla <[email protected]>
Date: 2017-06-01T18:20:44Z
Add more multiline
commit 9776cb266bced38837e38b250c65177c2839ce7f
Author: Jon Zeolla <[email protected]>
Date: 2017-06-19T14:31:27Z
Finish multiline work
commit bc9c82654f4aabe1f04ef5eaf066290da22ce0ba
Author: Jon Zeolla <[email protected]>
Date: 2017-06-19T14:57:37Z
Merge branch 'master' of https://github.com/jonzeolla/metron into METRON-508
commit 7e761480c9749d67acfa7de538f54eee96dcba05
Author: Jon Zeolla <[email protected]>
Date: 2017-06-19T15:32:37Z
Fix bro test - missing rawMessageMap
commit 46892fc7cfd8cc05aabbda7e0242370abaddca4f
Author: Jon Zeolla <[email protected]>
Date: 2017-06-21T12:32:33Z
Merge branch 'master' of https://github.com/apache/metron into METRON-508
commit eb64dafcd681cc206eb453cf56af6a9450b7739f
Author: Jon Zeolla <[email protected]>
Date: 2017-06-21T15:53:29Z
First run at documentation - still need to address TODOs
commit 9cff1a4d8fba3aaf11dea92ad35115bde5238125
Author: Jon Zeolla <[email protected]>
Date: 2017-06-21T15:56:59Z
Fix tab/space inconsistency
commit 9f66f49dad1fc4a0414287728c4c8d604c83c237
Author: Jon Zeolla <[email protected]>
Date: 2017-06-22T18:31:50Z
'Final' cleanup
----
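Added example, not part of this PR or of Metron's own code: a small Python pre-flight script for the validation steps in the testing procedure above. It answers the same question as the curl/jq loop in step 9 (which of the seventeen bro log types showed up) over a constructed sample of parsed messages, flags the IPv6 or otherwise unparseable `ip_src_addr`/`ip_dst_addr` values that the procedure notes currently fail to index, and sorts the `MapperParsingException: failed to parse [field]` lines that step 7 greps out of `worker.log` into the expected field names (`ip_src_addr`, `ip_dst_addr`, per METRON-939) and anything else that would need a closer look. The message shape (a `protocol` field carrying the bro log name, endpoints normalized to `ip_src_addr`/`ip_dst_addr`), the sample addresses and the `worker.log` excerpt are all constructed for the example; only the log-type list and the field names come from the PR.

```python
"""Pre-flight checks for bro log messages and storm worker.log output bound for
Metron's Elasticsearch bro index. Constructed sample data; not Metron code."""
import ipaddress
import re

# Log types the validation loop in the PR checks for in ES, in the same order.
BRO_LOG_TYPES = [
    "http", "dns", "conn", "dpd", "dhcp", "ftp", "ssh", "ssl", "smtp", "radius",
    "weird", "files", "notice", "software", "known_certs", "x509", "known_devices",
]

# Constructed messages (assumed shape): "protocol" carries the bro log name and
# the endpoints are normalized to ip_src_addr / ip_dst_addr. Ports and the
# remaining per-log fields are omitted because the checks below do not need them.
SAMPLE_MESSAGES = [
    {"protocol": "conn", "ip_src_addr": "192.0.2.10", "ip_dst_addr": "198.51.100.7"},
    {"protocol": "dns", "ip_src_addr": "192.0.2.10", "ip_dst_addr": "192.0.2.1"},
    {"protocol": "http", "ip_src_addr": "2001:db8::10", "ip_dst_addr": "2001:db8::1"},
    {"protocol": "ftp", "ip_src_addr": "192.0.2.10", "ip_dst_addr": "203.0.113.5"},
    {"protocol": "ssh", "ip_src_addr": "192.0.2.10", "ip_dst_addr": "203.0.113.22"},
    {"protocol": "weird", "ip_src_addr": "2001:db8::10"},
    {"protocol": "notice", "ip_dst_addr": "203.0.113.300"},  # malformed on purpose
    {"protocol": "known_certs", "ip_src_addr": "203.0.113.44"},
]

# Constructed worker.log excerpt in the "failed to parse [field]" shape the PR's
# commit log quotes; timestamps, logger name and the INFO line are made up.
SAMPLE_WORKER_LOG = """\
2017-06-22 18:31:50.001 ElasticsearchWriter [ERROR] org.elasticsearch.index.mapper.MapperParsingException: failed to parse [ip_src_addr]
2017-06-22 18:31:50.002 ElasticsearchWriter [INFO] flushed 12 documents to bro_index
2017-06-22 18:31:50.003 ElasticsearchWriter [ERROR] org.elasticsearch.index.mapper.MapperParsingException: failed to parse [ip_dst_addr]
2017-06-22 18:31:50.004 ElasticsearchWriter [ERROR] org.elasticsearch.index.mapper.MapperParsingException: failed to parse [trans_id]
"""

ENDPOINT_FIELDS = ("ip_src_addr", "ip_dst_addr")
MAPPER_ERROR = re.compile(r"MapperParsingException: failed to parse \[(?P<field>[^\]]+)\]")


def log_type_coverage(messages, expected=BRO_LOG_TYPES):
    """Same question as the curl/jq loop on the page: which log types showed up?
    Returns (present, missing), each in BRO_LOG_TYPES order."""
    seen = {m.get("protocol") for m in messages}
    present = [t for t in expected if t in seen]
    missing = [t for t in expected if t not in seen]
    return present, missing


def endpoint_problems(messages):
    """Endpoints the PR says the bro template does not index yet (IPv6 values),
    plus anything that is not an IP address at all.
    Returns (protocol, field, value, reason) tuples in message order."""
    problems = []
    for m in messages:
        for field in ENDPOINT_FIELDS:
            value = m.get(field)
            if value is None:
                continue
            try:
                addr = ipaddress.ip_address(value)
            except ValueError:
                problems.append((m.get("protocol"), field, value, "unparseable"))
                continue
            if addr.version == 6:
                problems.append((m.get("protocol"), field, value, "ipv6"))
    return problems


def mapper_failures(worker_log, expected_fields=ENDPOINT_FIELDS):
    """Split MapperParsingException lines into the field names the PR says to
    expect (ip_src_addr / ip_dst_addr, METRON-939) and everything else.
    Returns (expected, unexpected) lists of field names in log order."""
    expected, unexpected = [], []
    for line in worker_log.splitlines():
        match = MAPPER_ERROR.search(line)
        if match is None:
            continue
        field = match.group("field")
        (expected if field in expected_fields else unexpected).append(field)
    return expected, unexpected


if __name__ == "__main__":
    present, missing = log_type_coverage(SAMPLE_MESSAGES)
    print("in sample:", " ".join(present))
    print("NOT in sample:", " ".join(missing))
    for protocol, field, value, reason in endpoint_problems(SAMPLE_MESSAGES):
        print(f"will not index: {protocol}.{field}={value} ({reason})")
    ok, bad = mapper_failures(SAMPLE_WORKER_LOG)
    print("expected mapper failures:", ok)
    print("UNEXPECTED mapper failures:", bad)
```

To use it against a live full-dev run, feed `log_type_coverage` the `protocol` values pulled from the bro Kafka topic (terminal 2) and `mapper_failures` the grep output from terminal 3; an empty `unexpected` list is the condition step 8 asks you to confirm by eye.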