grigorescu

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
 
int main(void)
{

grigorescu

cluster.name: logs
# Puppet-ism to put in the hostname and IP
node.name: <%= @hostname %>
network.host: <%= @ipaddress %>

# Turn off multicast autodiscovery
discovery.zen.ping.unicast.hosts: 172.1.1.100:9300, 172.1.1.101:9300

index.number_of_shards: 4
index.routing.allocation.total_shards_per_node: 1

grigorescu

#!/bin/sh

#########################
## 
## Setup
##
#########################

# Set some vars

grigorescu

awk 'BEGIN {FS="\t"};{for(i=1;i<=NF;i++) printf("\x1b[%sm %s \x1b[0m",(i%7)+31,$i);print ""}'

grigorescu

First we are going to do an extremely simple case of loading some data and matching it. First we will create an intelligence file in Bro’s intelligence format. Create a file named “intel1.dat” with the following content. Keep in mind that all field separation is with literal tabs! Double check that you don’t have spaces as separators.

#fields<TAB>indicator<TAB>indicator_type<TAB>meta.source
fetchback.com<TAB>Intel::DOMAIN<TAB>my_special_source

The next step will obviously be to load this data into Bro which is done as a configuration option. Put the following script into the same directory as your “intel1.dat” file and call it “intel-1.bro”.

grigorescu

It’s very possible that hits on intelligence could be something that you want turned into a notice even though the basic intel framework does not provide that functionality. This is an example of data driven notice creation with the do_notice.bro script that is included with Bro.

We need to create a new intelligence file. Create intel-2.dat.

#fields<TAB>indicator<TAB>indicator_type<TAB>meta.source<TAB>meta.do_notice
fetchback.com<TAB>Intel::DOMAIN<TAB>my_special_source<TAB>T

The only difference from the previous intelligence file is the do_notice column.

grigorescu

Perhaps you decided though that seeing hits on your intelligence in certain locations is not actually what you wanted. The same do_notice script has the ability to limit your notices by the location that the intelligence was seen. Create a new intel-3.dat file that shows you are only interested in matching the intelligence if it was seen in the host header.

#fields<TAB>indicator<TAB>indicator_type<TAB>meta.source<TAB>meta.do_notice<TAB>meta.if_in
fetchback.com<TAB>Intel::DOMAIN<TAB>my_special_source<TAB>T<TAB>HTTP::IN_HOST_HEADER

The only change that needs to happen in the script is to load the new intelligence file, but we will include the new script here. Name it intel-3.bro.

grigorescu

##! Add ASNs for the originator and responder of a connection
##! to the connection logs.

module Conn;

export {
	redef record Conn::Info += {
		## ASN for the originator of the connection based 
		## on a GeoIP lookup.
		orig_asn: string &optional &log;

grigorescu

redef enum Notice::Type += {
	Potential_Beaconing_Detected
};
 
event bro_init()
	{
	local r1 = SumStats::Reducer($stream="end_of_conn", $apply=set(SumStats::VARIANCE, SumStats::SUM));
	SumStats::create([$name="variance_of_orig_bytes",
	                  $epoch=5min,
	                  $reducers=set(r1),

grigorescu

{
  "bro_logs": {
    "template": "bro-*",
    "settings": {
      "number_of_shards": 4,
      "number_of_replicas": 0,
      "index.cache.field.type": "soft",
      "index.refresh_interval": "30s",
      "index.analysis": {
        "analyzer": {