Network Security: Analyze & Search Bro IDS Logs with Elasticsearch

Intrusion detection systems generate highly valuable logs with network usage details and alerts.
They collect vast amounts of data and typically store it in structures with a large number of fields. Making sense of so much data and turning it into actionable information requires advanced analytics, alerting, and search functionality. That is why IDS systems and log management systems are a perfect match!

Nevertheless, parsing, shipping, and analyzing logs can be challenging.
In this blog post we’ll show an easy setup for the popular trio – Bro Network Security Monitor, Logagent, and Elasticsearch – and get you started with IDS log analysis within just a few minutes!

Meet the Bro Intrusion Detection System

Bro is a powerful network analysis framework that is quite different from the typical IDS you may know.

While focusing on network security monitoring, Bro provides a comprehensive platform for more general network traffic analysis as well. Well grounded in more than 15 years of research, Bro has successfully bridged the traditional gap between academia and operations since its inception. Today, it is relied upon operationally in particular by many scientific environments for securing their cyberinfrastructure. Bro’s user community includes major universities, research labs, supercomputing centers, and open-science communities.

Bro was originally developed by Vern Paxson, who continues to lead the project jointly with a core team of researchers and developers at the International Computer Science Institute in Berkeley, CA, and the National Center for Supercomputing Applications in Urbana-Champaign, IL.

Source: www.bro-ids.org

IDS systems like Bro produce vast amounts of information for network security. Even a simple network connection log message might contain key information for the post-mortem analysis of a security incident, so it, along with many other things, needs to be logged. One can use various existing and custom Bro IDS scripts to detect nearly any anomaly in the network from the collected data, but they have a few downsides:

  • You don’t know in advance which events should be reported
  • To write a custom script you need to learn Bro scripting language and available field names for each protocol

To make our lives with Bro easier we want to make the resulting IDS logs searchable. Doing so allows iterative, interactive, ad-hoc querying, which is a big productivity boost for security incident post-mortems. It also lets us run alert queries on the continuous stream of this log data, enabling near real-time reactions to reported issues.

This post provides the recipe for making Bro logs searchable with Elasticsearch. The idea is to configure Bro IDS to generate logs in JSON format and then use a log shipper to forward them to Elasticsearch or Logsene. We will start with some Bro IDS basics, then configure Logagent as the log shipper, and finally show the results in Logsene, a handy ELK as a Service we’ll use to avoid having to run our own Elasticsearch.



Step 1: Get started with a few Bro IDS basics

Install Bro on Debian/Ubuntu Linux

$ sudo apt-get install bro

Run Bro to capture packets on the eth0 interface

$ sudo bro -i eth0 

Note that there is no output on the console because all information is written to various log files in the current directory. Press CTRL+C to terminate Bro, then run ls *.log to see the generated log files and display, for example, the connection log:

$ cat conn.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path conn
#open 2017-01-12-13-09-36
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
1484222976.365029 C2mUt14hC9iOrC8se 192.168.1.20 62663 212.47.225.70 443 tcp - - - - OTH - - 0 d 0 0 1 494 (empty)
1484222975.423814 CDpOCg4wzHbeAbQn4 192.168.1.20 49904 148.62.3.119 443 tcp - 0.000002 0 976 OTH - - 0 d 0 0 2 1080 (empty)
1484222974.911667 C75yx91lD2bArc9CKj 192.168.1.20 56717 192.30.253.124 443 tcp - - - - OTH - - 0 a 0 0 1 52 (empty)
1484222974.852917 CQISpU3YnsqbRkLAf5 192.168.1.20 56911 192.30.253.124 443 tcp - - - - OTH - - 0 a 0 0 1 52 (empty)
1484222976.235060 Cdl9TTqFYx2fdG7Gi 192.168.1.20 51730 62.210.117.148 443 tcp - 0.097194 0 4330 OTH - - 0 ad 0 0 4 4538 (empty)
1484222975.149426 Cgw13b4NHZwoK73N41 192.168.1.20 49699 52.51.142.18 443 tcp - 0.072127 0 62 OTH - - 0 ad 0 0 2 166 (empty)
#close 2017-01-12-13-09-36
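The default TSV format is self-describing: the #fields directive names each column, and the #unset_field and #empty_field directives define the placeholder values. As a quick illustration (this parser is our own sketch, not part of the Bro toolchain), the format can be consumed programmatically like so:

```python
def parse_bro_tsv(lines):
    """Yield one dict per record, keyed by the names in the #fields header.

    Bro's defaults are assumed: tab separator, "-" for unset fields, and
    "(empty)" for empty fields, matching the #separator, #unset_field, and
    #empty_field directives shown in the log header above.
    """
    fields = []
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]  # drop the "#fields" token itself
        elif line.startswith("#") or not line:
            continue  # skip other directives: #separator, #types, #open, #close
        else:
            values = [None if v == "-" else ("" if v == "(empty)" else v)
                      for v in line.split("\t")]
            yield dict(zip(fields, values))

sample = [
    "#fields\tts\tuid\tid.orig_h\tproto",
    "1484222976.365029\tC2mUt14hC9iOrC8se\t192.168.1.20\ttcp",
]
records = list(parse_bro_tsv(sample))
```

Each record comes back keyed by the header names, e.g. records[0]["id.orig_h"] is the originating host.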

Now let’s switch the Bro log format to JSON and run Bro again:

$ sudo bro -i eth0 -e 'redef LogAscii::use_json=T;' 

Check that the JSON format is used:

$ cat conn.log
{"ts":1484223222.732681,"uid":"Ck1oOc4AkxwRQIhe02","id.orig_h":"192.168.1.20","id.orig_p":49195,"id.resp_h":"66.216.68.35","id.resp_p":443,"proto":"tcp","duration":0.47905,"orig_bytes":0,"resp_bytes":4636,"conn_state":"OTH","missed_bytes":0,"history":"had","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":8,"resp_ip_bytes":5060,"tunnel_parents":[]}
{"ts":1484223223.436714,"uid":"CVVNxv3HfxowhGv4fb","id.orig_h":"52.22.52.138","id.orig_p":2184,"id.resp_h":"192.168.1.20","id.resp_p":65531,"proto":"tcp","conn_state":"SH","missed_bytes":0,"history":"F","orig_pkts":1,"orig_ip_bytes":52,"resp_pkts":0,"resp_ip_bytes":0,"tunnel_parents":[]}
{"ts":1484223225.144888,"uid":"CeAYWLh7tFYcbLfCi","id.orig_h":"192.168.1.20","id.orig_p":49699,"id.resp_h":"52.51.142.18","id.resp_p":443,"proto":"tcp","duration":0.081048,"orig_bytes":0,"resp_bytes":62,"conn_state":"OTH","missed_bytes":0,"history":"ad","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":2,"resp_ip_bytes":166,"tunnel_parents":[]}
{"ts":1484223222.117376,"uid":"CyPA2L31a9zA8qpVt5","id.orig_h":"192.168.1.20","id.orig_p":65387,"id.resp_h":"107.20.222.136","id.resp_p":443,"proto":"tcp","duration":0.00009,"orig_bytes":0,"resp_bytes":0,"conn_state":"SHR","missed_bytes":0,"history":"af","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":3,"resp_ip_bytes":168,"tunnel_parents":[]}

That was easy! Bro writes all information to separate log files such as conn.log, http.log, dns.log, weird.log, etc.
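To preview what the log shipper will have to do with each JSON line before indexing, here is an illustrative Python sketch (the function name and the output fields mirror the transform we configure later with Logagent, but are otherwise our own):

```python
import json
from datetime import datetime, timezone

def enrich(line, source_path):
    """Parse one Bro JSON log line and add the fields Elasticsearch needs:
    a proper @timestamp (from Bro's UNIX "ts" field, in seconds), a type
    derived from the log file name (e.g. "conn" from conn.log), and the
    source file path for reference."""
    doc = json.loads(line)
    if "ts" in doc:
        doc["@timestamp"] = datetime.fromtimestamp(
            doc["ts"], tz=timezone.utc).isoformat()
    doc["_type"] = source_path.rsplit("/", 1)[-1].replace(".log", "")
    doc["logSource"] = source_path
    return doc

doc = enrich('{"ts":1484223222.732681,"proto":"tcp"}', "/tmp/bro/conn.log")
# doc now carries @timestamp, _type ("conn"), and logSource
```

The same three steps — timestamp conversion, type derivation, and source tagging — are exactly what we will express in the Logagent parser configuration.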

Step 2:  Install & Configure Logagent

Install Logagent

Install Node.js runtime including npm package manager:

curl -sL https://deb.nodesource.com/setup_7.x | sudo -E bash -
sudo apt-get install -y nodejs

Install Logagent package and create a service for Logagent:

sudo npm i @sematext/logagent -g

# create logagent service, but stop it until we are done with the whole setup

sudo logagent-setup bro_ids_logs && sudo service logagent stop

We will create the Logagent configuration in the following steps and, once done, we’ll start the Logagent service again.

Logagent Configuration

Having the IDS information in separate log files and in JSON makes it easy to configure a log shipper to index those logs in Elasticsearch or Logsene. Using Logagent we’ll do the following:

  1. Start Bro IDS using the Logagent input-command plugin and collect all Bro logs
  2. Convert the timestamp (ts field) from Bro logs to a date and put it in the @timestamp field for Elasticsearch
  3. Configure bulk indexing for Elasticsearch

We will use the Logagent input-command plugin to start Bro with Logagent. The input-command plugin can execute any command, watch the process, and even restart it if it terminates. If the command produces output on the console, Logagent captures that output. This way we also capture any error messages Bro writes to the console and index them to Elasticsearch. To capture the network event logs produced by Bro we’ll use the Logagent file input plugin. Bro always logs to files in the current directory, so we combine a few commands: create a directory, change into it, and start Bro there. With this setup we collect the logs from the directory specified in the run command:

input:
  bro-start: 
    module: command
    # store BRO logs in /tmp/bro in JSON format
    command: mkdir /tmp/bro; cd /tmp/bro; bro -i eth0 -e 'redef LogAscii::use_json=T;'
    sourceName: bro
    restart: 1
  # read the BRO logs from the file system ...
  files:
      - '/tmp/bro/*.log'

To index logs in Elasticsearch we need a valid date for the timestamp. Bro provides a UNIX timestamp in the ts field, which needs to be converted to a JavaScript Date object with a JavaScript transform function in the Logagent parser configuration. In addition, let’s set the _type for logs based on the Bro log file names so we can use that for filtering. For example, for all logs from /tmp/bro/dns.log we’ll use “dns” as the _type. Here is the relevant parser config and the JS transform function:

parser:
  json:
    enabled: true
    transform: !!js/function >
      function (sourceName, parsed, config) {
        var src = sourceName.split('/')
        // generate Elasticsearch _type out of the log file sourceName
        // e.g. "dns" from /tmp/bro/dns.log
        if (src && src[src.length-1]) {
          parsed._type = src[src.length-1].replace(/\.log/g, '')
        }
        // store log file path in each doc
        parsed.logSource = sourceName
        // convert Bro UNIX timestamps (seconds) to JavaScript Date objects
        if (parsed.ts) {
          parsed['@timestamp'] = new Date(parsed.ts * 1000)
        }
      }

Finally, let’s define where to store logs using the Elasticsearch output plugin and, in addition, let’s activate output to the console in YAML format so we can see the logs on the console:

output:
  stdout: yaml
  es-secure-local:
    module: elasticsearch 
    url: http://localhost:9200
    index: bro_ids_logs

To ship data to Logsene and avoid having to run your own Elasticsearch cluster, simply replace the url and index parameters. Use your Logsene App token as the index name and HTTPS so your logs are encrypted on their way to Logsene:

output:
  stdout: yaml
  es-secure-local:
    module: elasticsearch 
    url: https://logsene-receiver.sematext.com
    index: 4f70a0c7-9458-43e2-bbc5-xxxxxxxxx

After we store the whole config as bro-ids.yaml we can run Logagent with Bro to test the configuration:

$ sudo logagent --config bro-ids.yaml
Password:
2017-01-12T12:34:12.205Z pid[26732] add command to plugin list
2017-01-12T12:34:12.207Z pid[26732] init plugins
2017-01-12T12:34:12.207Z pid[26732] init plugins
2017-01-12T12:34:12.208Z pid[26732] init plugins
2017-01-12T12:34:12.208Z pid[26732] ../lib/plugins/input/stdin
2017-01-12T12:34:12.227Z pid[26732] ../lib/plugins/output/stdout
2017-01-12T12:34:12.237Z pid[26732] ../lib/plugins/input/command.js
2017-01-12T12:34:12.245Z pid[26732] ../lib/plugins/input/command.js
2017-01-12T12:34:12.248Z pid[26732] ../lib/plugins/output/elasticsearch.js
2017-01-12T12:34:12.429Z pid[26732] ../lib/plugins/input/files
2017-01-12T12:34:12.522Z pid[26732] using glob pattern: /tmp/bro/*.log
2017-01-12T12:34:12.603Z pid[26732] Watching file:/tmp/bro/conn.log from position: 85285
2017-01-12T12:34:12.604Z pid[26732] Watching file:/tmp/bro/dns.log from position: 12106
2017-01-12T12:34:12.604Z pid[26732] Watching file:/tmp/bro/files.log from position: 24284
2017-01-12T12:34:12.604Z pid[26732] Watching file:/tmp/bro/http.log from position: 10745
2017-01-12T12:34:12.605Z pid[26732] Watching file:/tmp/bro/packet_filter.log from position: 89
2017-01-12T12:34:12.605Z pid[26732] Watching file:/tmp/bro/reporter.log from position: 556
2017-01-12T12:34:12.605Z pid[26732] Watching file:/tmp/bro/ssl.log from position: 26345
2017-01-12T12:34:12.605Z pid[26732] Watching file:/tmp/bro/weird.log from position: 5299
2017-01-12T12:34:12.606Z pid[26732] Watching file:/tmp/bro/x509.log from position: 35791
ts: 1484222526.821381
uid: ChYffm3LeTFNXIvVBg
id.orig_h: 52.22.52.138
id.orig_p: 2185
id.resp_h: 192.168.1.20
id.resp_p: 59096
proto: tcp
duration: 0.110198
orig_bytes: 0
resp_bytes: 0
conn_state: OTH
missed_bytes: 0
history: HA
orig_pkts: 2
orig_ip_bytes: 112
resp_pkts: 0
resp_ip_bytes: 0
tunnel_parents: 
 (empty array)
@timestamp: Thu Jan 12 2017 13:02:06 GMT+0100 (CET)
_type: conn
logSource: /tmp/bro/conn.log

For permanent network monitoring, use the Logagent Linux (or Mac OS X) service:

sudo cp bro-ids.yaml /etc/sematext/logagent.conf
sudo service logagent start

After a minute we should see Bro logs indexed in Logsene. Now we can easily search all data provided by Bro or use Kibana to create charts that provide insights about our network activity.
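For example, a query for recent DNS events could be assembled like this (a hedged sketch: the helper function is our own, and the _type filter assumes the per-log-file types set by the transform above; the resulting body would be POSTed to the bro_ids_logs _search endpoint):

```python
def recent_events_query(log_type, minutes=60):
    """Build an Elasticsearch query body for events of one Bro log type
    (conn, dns, http, ...) within the last N minutes, newest first."""
    return {
        "query": {
            "bool": {
                "filter": [
                    # _type was derived from the Bro log file name at index time
                    {"term": {"_type": log_type}},
                    # @timestamp was converted from Bro's UNIX "ts" field
                    {"range": {"@timestamp": {"gte": "now-%dm" % minutes}}},
                ]
            }
        },
        "sort": [{"@timestamp": {"order": "desc"}}],
    }

body = recent_events_query("dns", minutes=30)
```

The same body works against Logsene’s Elasticsearch API endpoint; only the URL and index (App token) differ.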


Kibana Dashboard in Logsene

Got other, better, or more interesting Kibana dashboards and charts? Ping @sematext or leave a comment; we’d love to see them!



More Stories By Sematext Blog

Sematext is a globally distributed organization that builds innovative Cloud and On Premises solutions for performance monitoring, alerting and anomaly detection (SPM), log management and analytics (Logsene), and search analytics (SSA). We also provide Search and Big Data consulting services and offer 24/7 production support for Solr and Elasticsearch.
