Public Repository

Last pushed: 2 years ago
Short Description
bro ids with elasticsearch and broker development
Full Description

Bro 2.3-911 intrusion detection system based on Ubuntu, plus a complete development environment.
Supports the new Broker framework (not yet configured) and logging to Elasticsearch.
I had to change the Elasticsearch plugin so that it emits correct ISO 8601 timestamps;
Kibana can work with the timestamps now.

See http://www.bro.org for Bro itself.

Development status: working, but not completely Docker-ready;
configuration is manual.

Use

    docker run -ti --name bro-dev danielguerra/bro-dev:v1.0 /bin/bash

    docker attach bro-dev

Setup for Elasticsearch

Edit the logging framework script

    vi /usr/local/bro/share/bro/base/frameworks/logging/main.bro

and set

    const enable_local_logging = F

to avoid local logging. Then edit the Elasticsearch plugin script

    vi /usr/local/bro/lib/bro/plugins/Bro_ElasticSearch/scripts/init.bro

and set

    ## Name of the ES cluster.
    const cluster_name = "<clustername>" &redef;

    ## ES server.
    const server_host = "<yourip>" &redef;

To find the cluster name and IP, open http://<elasticip>:9200/_nodes in your browser.

To run Bro

    /usr/local/bro/bin/bro -i eth0
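The manual editing steps above can be applied without an interactive editor. The script below is an added example and is not part of the danielguerra/bro-dev image: it rewrites the two Bro scripts named on the page, keeps a `.orig` copy of each so the change can be reverted, refuses to consider the setup done while the `<clustername>`/`<yourip>` placeholders are still in place, and can query the `_nodes` endpoint to compare the cluster name with what was written. The cluster name `bro-es` and the host `192.0.2.10` used in the usage line are assumed sample values.

```shell
#!/bin/sh
# Added example, not part of the danielguerra/bro-dev image: apply the two
# configuration edits described above without an interactive editor, then
# check the result. The file paths are the ones named on the page; the
# cluster name and host passed in by the caller are assumptions.

BRO_PREFIX="${BRO_PREFIX:-/usr/local/bro}"
LOGGING_MAIN="$BRO_PREFIX/share/bro/base/frameworks/logging/main.bro"
ES_INIT="$BRO_PREFIX/lib/bro/plugins/Bro_ElasticSearch/scripts/init.bro"

# rewrite_file FILE SED_EXPR...: run sed over FILE and replace it atomically,
# keeping a .orig copy so the change can be reverted (no sed -i, so it works
# the same with GNU and BSD sed).
rewrite_file() {
    file=$1; shift
    cp "$file" "$file.orig"
    sed "$@" "$file.orig" > "$file.tmp" && mv "$file.tmp" "$file"
}

# disable_local_logging FILE: turn enable_local_logging from T to F so Bro
# does not also write local log files (first edit above).
disable_local_logging() {
    rewrite_file "$1" -e 's/^\([[:space:]]*const enable_local_logging = \)T/\1F/'
}

# set_es_target FILE CLUSTER HOST: fill in cluster_name and server_host in the
# Elasticsearch plugin's init.bro (second edit above).
set_es_target() {
    rewrite_file "$1" \
        -e "s|^\([[:space:]]*const cluster_name = \)\"[^\"]*\"|\1\"$2\"|" \
        -e "s|^\([[:space:]]*const server_host = \)\"[^\"]*\"|\1\"$3\"|"
}

# placeholders_filled FILE: succeed only if neither setting still holds the
# "<...>" placeholder text shown on the page.
placeholders_filled() {
    ! grep -Eq '^[[:space:]]*const (cluster_name|server_host) = "<' "$1"
}

# es_cluster_name HOST: ask the node-info endpoint named on the page for its
# cluster name, to compare with what was written to init.bro. Needs network.
es_cluster_name() {
    curl -sf "http://$1:9200/_nodes" | sed -n 's/.*"cluster_name":"\([^"]*\)".*/\1/p'
}

# Usage (assumed values): sh configure-es.sh apply bro-es 192.0.2.10
if [ "${1:-}" = apply ]; then
    disable_local_logging "$LOGGING_MAIN"
    set_es_target "$ES_INIT" "$2" "$3"
    placeholders_filled "$ES_INIT" && echo "init.bro now targets cluster $2 at $3"
    echo "Run the sensor with: $BRO_PREFIX/bin/bro -i eth0"
fi
```

Run it inside the container with `apply`, the cluster name and the Elasticsearch IP; compare the cluster name with `es_cluster_name <elasticip>` before starting Bro, since a mismatch means the plugin will be pointed at the wrong cluster.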

Owner
danielguerra
