Public Repository

Last pushed: 3 years ago
Short Description
bro ids with elasticsearch and broker development
Full Description

Bro 2.3-911 intrusion detection system based on Ubuntu, plus a complete development environment.
Supports the new Broker communication framework (not yet configured) and logging to Elasticsearch.
I had to change the Elasticsearch plugin so that it emits a correct ISO 8601 timestamp;
Kibana can now work with the timestamps.


Development status: working, but not completely Docker-ready;
configuration is manual.


docker run -ti --name bro-dev danielguerra/bro-dev:v1.0 /bin/bash

This drops you into a shell inside the container. If you detach from it (Ctrl-p Ctrl-q), reattach with

docker attach bro-dev

Setup for Elasticsearch

vi /usr/local/bro/share/bro/base/frameworks/logging/main.bro
and set
const enable_local_logging = F
to avoid local (ASCII) logging. Editing a file under share/bro/base is lost when Bro is reinstalled; the same effect can be had with redef Log::enable_local_logging = F; in site/local.bro.

vi /usr/local/bro/lib/bro/plugins/Bro_ElasticSearch/scripts/init.bro
and set

    ## Name of the ES cluster.
    const cluster_name = "<clustername>" &redef;

    ## ES server.
    const server_host = "<yourip>" &redef;

To find the cluster name and IP, open http://<elasticip>:9200/_nodes in your browser; the JSON it returns contains "cluster_name" and the address of each node.

To run Bro:
/usr/local/bro/bin/bro -i eth0
Inside the container's default network namespace eth0 carries only the container's own traffic; to monitor the host's interface, start the container with --net=host.
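
Because the configuration is manual, the edits above are easy to get slightly wrong (a stray curly quote, a placeholder left in). The following shell script is an added example, not part of the danielguerra/bro-dev image, that makes the same two edits with sed, looks the cluster name up from the _nodes endpoint, and checks the result before Bro is started. It assumes sed and curl are present in the container and that the two script paths are the ones named above; the BRO_PREFIX variable, the function names and the 192.0.2.10 address are this example's own.

```shell
#!/bin/sh
# Added example (not from the danielguerra/bro-dev image): scripts the manual
# Bro/Elasticsearch edits described in the README instead of doing them in vi.
# Assumes sed and curl exist in the container. BRO_PREFIX (hypothetical, this
# script's own) lets you try the functions on copies before touching the real
# files under /usr/local/bro.

BRO_PREFIX="${BRO_PREFIX:-/usr/local/bro}"
LOGGING_MAIN="$BRO_PREFIX/share/bro/base/frameworks/logging/main.bro"
ES_INIT="$BRO_PREFIX/lib/bro/plugins/Bro_ElasticSearch/scripts/init.bro"

# Apply the given sed expressions to $1 and replace the file. Writing to a
# temp file and renaming avoids the GNU/BSD difference in `sed -i`.
edit_in_place() {
    file="$1"; shift
    sed "$@" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Step 1: turn off local logging by flipping
#   const enable_local_logging = T &redef;  ->  const enable_local_logging = F &redef;
# Only the value is changed; the trailing &redef attribute is kept.
disable_local_logging() {
    edit_in_place "$1" -e 's|^\([[:space:]]*const enable_local_logging = \)T|\1F|'
}

# Step 2: point the ES plugin at the cluster. Whatever follows "= " on the
# cluster_name and server_host lines (straight or curly quoted placeholders,
# the default "elasticsearch", ...) is replaced by the given values, quoted,
# with &redef restored. Values must not contain | or & (sed metacharacters).
configure_es() {
    file="$1"; cluster="$2"; host="$3"
    edit_in_place "$file" \
        -e "s|^\([[:space:]]*const cluster_name = \).*|\1\"$cluster\" \&redef;|" \
        -e "s|^\([[:space:]]*const server_host = \).*|\1\"$host\" \&redef;|"
}

# Pull "cluster_name" out of the JSON that http://<elasticip>:9200/_nodes
# returns. Reads stdin so it can be tested offline; es_cluster_name wraps it
# with curl for real use.
parse_cluster_name() {
    sed -n 's|.*"cluster_name"[[:space:]]*:[[:space:]]*"\([^"]*\)".*|\1|p' | head -n 1
}
es_cluster_name() {
    curl -s "http://$1:9200/_nodes" | parse_cluster_name
}

# Check that both files are no longer in their default state: local logging
# off, and both ES settings set to something other than a <placeholder>.
# Returns non-zero if any check fails, so it can gate starting Bro.
check_config() {
    grep -q '^[[:space:]]*const enable_local_logging = F' "$1" &&
    grep -q '^[[:space:]]*const cluster_name = "[^"<]' "$2" &&
    grep -q '^[[:space:]]*const server_host = "[^"<]' "$2"
}

# Typical use inside the container (192.0.2.10 stands for your ES host):
#   ES_HOST=192.0.2.10
#   disable_local_logging "$LOGGING_MAIN"
#   configure_es "$ES_INIT" "$(es_cluster_name "$ES_HOST")" "$ES_HOST"
#   check_config "$LOGGING_MAIN" "$ES_INIT" && /usr/local/bro/bin/bro -i eth0
```

Run it with BRO_PREFIX pointing at a scratch copy of the tree first; once check_config passes against the real files, the last line of the usage comment starts Bro exactly as the README does.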
