Bro 2.3-911 intrusion detection system based on Ubuntu, with a complete development environment.
Supports the new Broker communication library (unconfigured for now) and logging to Elasticsearch.
I had to make a change to the elasticsearch plugin to give the correct iso8601 timestamp.
Kibana can work with the timestamps now.
Development status: working, but not completely Docker-ready; configuration is manual.
docker run -ti --name bro-dev danielguerra/bro-dev:v1.0 /bin/bash
docker attach bro-dev
Setup for Elasticsearch
const enable_local_logging = F
to avoid local logging
Name of the ES cluster.
const cluster_name = "<clustername>" &redef;
## ES server.
const server_host = "<yourip>" &redef;
To find the cluster name and IP, open http://<elasticip>:9200/_nodes in your browser.
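As an added example (not part of the bro-dev image), the following script reads a /_nodes reply, derives the cluster name, host and port the writer needs, renders them as local.bro redefs for the Bro 2.x ElasticSearch writer (module LogElasticSearch), and converts a Bro epoch "ts" value to the ISO 8601 form Kibana expects. The /_nodes reply is a constructed sample in the Elasticsearch 1.x layout; the 2.x+ http.publish_address layout is also handled.

```python
# Added example (not part of the bro-dev image): derive the Bro ElasticSearch
# writer settings from an ES /_nodes reply, and convert Bro's epoch 'ts' to the
# ISO 8601 form Kibana expects. The /_nodes reply is a constructed sample in the
# Elasticsearch 1.x layout that Bro 2.3 targeted.
import json
import re
from datetime import datetime, timezone

# Constructed reply from http://<elasticip>:9200/_nodes (one node).
SAMPLE_NODES = json.dumps({
    "cluster_name": "bro-es",
    "nodes": {"AbCdEfGh": {"name": "es-node-1", "ip": "10.0.0.5",
                           "version": "1.3.4",
                           "http_address": "inet[/10.0.0.5:9200]"}},
})

_HOST_PORT = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def es_endpoint(nodes_json):
    """Return (cluster_name, host, port) of the first node advertising HTTP."""
    doc = json.loads(nodes_json)
    for node in doc["nodes"].values():
        # ES 1.x: "http_address": "inet[/ip:port]"; ES 2.x+: http.publish_address
        addr = node.get("http_address") or node.get("http", {}).get("publish_address", "")
        m = _HOST_PORT.search(addr)
        if m:
            return doc["cluster_name"], m.group(1), int(m.group(2))
    raise ValueError("no node with an HTTP address in /_nodes reply")


def bro_redef_lines(cluster_name, host, port):
    """Render local.bro redefs for the Bro 2.x writer (module LogElasticSearch)."""
    return (f'redef LogElasticSearch::cluster_name = "{cluster_name}";\n'
            f'redef LogElasticSearch::server_host = "{host}";\n'
            f'redef LogElasticSearch::server_port = {port};\n')


def bro_ts_to_iso8601(ts):
    """Convert a Bro 'ts' (epoch seconds with microsecond fraction) to ISO 8601 UTC.

    The fraction is kept as text so float rounding cannot shift a microsecond.
    """
    secs, _, frac = str(ts).partition(".")
    micros = (frac + "000000")[:6]
    base = datetime.fromtimestamp(int(secs), tz=timezone.utc)
    return base.strftime("%Y-%m-%dT%H:%M:%S") + f".{micros}Z"
```

Append the rendered redefs to your local.bro instead of editing the writer's constants directly; both forms set the same values.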
To run Bro:
/usr/local/bro/bin/bro -i eth0