@nickwallen
Last active May 3, 2017 21:49
  1. Deploy Full Dev.

  2. Turn off Monit.

    service monit stop
    chkconfig monit off
    service sensor-stubs stop
    
  3. Stop all services in Ambari except Zookeeper and Kafka.

  4. Deploy Bro, the Bro Plugin for Kafka, and Pcap Replay. The last provisioning step will fail because Kibana has already been turned off.

    cd incubator-metron/metron-deployment/vagrant/full-dev-platform
    vagrant --ansible-skip-tags="sensor-stubs,solr,build,ambari,snort,yaf" provision
    
  5. Log in to the VM.

    vagrant ssh
    sudo su -
    export PATH=$PATH:/usr/local/bro/bin/:/usr/hdp/current/kafka-broker/bin/
    
  6. Create a new Kafka topic for the Bro data. In this example, the topic is named bro-v3.

    kafka-topics.sh --zookeeper node1:2181 --create --topic bro-v3 --partitions 1 --replication-factor 1
    
  7. Ensure that you can count the number of messages in the topic. There should be 0 right now.

    [root@node1 ~]# kafka-run-class.sh kafka.tools.GetOffsetShell --broker-list node1:6667 --topic bro-v3 --time -1
    {metadata.broker.list=node1:6667, request.timeout.ms=1000, client.id=GetOffsetShell, security.protocol=PLAINTEXT}
    bro-v3:0:0
    
  8. Configure and start Bro.

    sed -i.bkup 's/eth1/tap0/' /usr/local/bro/etc/node.cfg
    sed -i.bkup 's/topic_name = \"bro\"/topic_name = \"bro-v3\"/' /usr/local/bro/share/bro/site/local.bro
    broctl deploy
    
  9. Start Pcap Replay at roughly 10 mbps, which Bro on this tiny VM should be able to handle.

    sed -i.bkup 's/IFACE=\"eth1\"/IFACE=\"tap0\"/' /etc/init.d/pcap-replay
    service pcap-replay start --mbps 10
    
  10. Let Bro capture that network traffic and produce records for roughly 5 to 10 minutes. You should see logs growing in /usr/local/bro/logs/current.

    ls -ltr /usr/local/bro/logs/current/
    
  11. After 5 to 10 minutes, make sure Bro is not dropping any packets, then stop the Pcap Replay service.

    [root@node1 ~]# broctl netstats
        bro: 1493845848.943345 recvd=746575 dropped=0 link=746577
    
    service pcap-replay stop
    
  12. Count the number of HTTP and DNS records produced by Bro.

    wc -l /usr/local/bro/logs/current/dns.log /usr/local/bro/logs/current/http.log
    
  13. Count the number of records landed in Kafka.

    kafka-run-class.sh kafka.tools.GetOffsetShell --broker-list node1:6667 --topic bro-v3 --time -1
    
  14. Those two counts should be fairly close. The number of records produced by Bro should be roughly the same as the number of messages sent to Kafka, since the plugin sends one Kafka message per Bro record.

    After roughly 10 minutes, I see the following.

    [root@node1 ~]# broctl netstats
            bro: 1493846607.362022 recvd=2243953 dropped=99 link=2244054
    
    [root@node1 ~]# service pcap-replay stop
    Stopping pcap-replay                              ..Ok
    
    [root@node1 ~]# wc -l /usr/local/bro/logs/current/dns.log /usr/local/bro/logs/current/http.log
       35280 /usr/local/bro/logs/current/dns.log
      102928 /usr/local/bro/logs/current/http.log
      138208 total
    
    [root@node1 ~]# kafka-run-class.sh kafka.tools.GetOffsetShell --broker-list node1:6667 --topic bro-v3 --time -1
    {metadata.broker.list=node1:6667, request.timeout.ms=1000, client.id=GetOffsetShell, security.protocol=PLAINTEXT}
    bro-v3:0:138192
    

    After roughly 20 minutes, I see the following.

    [root@node1 ~]# service pcap-replay stop
    Stopping pcap-replay                              ..Ok
    
    [root@node1 ~]# wc -l /usr/local/bro/logs/current/dns.log /usr/local/bro/logs/current/http.log
    80379 /usr/local/bro/logs/current/dns.log
    223664 /usr/local/bro/logs/current/http.log
    304043 total
    
    [root@node1 ~]# kafka-run-class.sh kafka.tools.GetOffsetShell --broker-list node1:6667 --topic bro-v4 --time -1
    {metadata.broker.list=node1:6667, request.timeout.ms=1000, client.id=GetOffsetShell, security.protocol=PLAINTEXT}
    bro-v4:0:304032
    
  15. Install PF_RING? Bro 2.5? Load balancer? And try to replicate?
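Steps 12 to 14 compare the two counts by hand. The script below is an added example, not part of this gist: it counts only Bro record lines (skipping the `#` header and footer lines that `wc -l` includes but that the Kafka plugin never sends), sums the GetOffsetShell end offsets across all partitions of the topic, and fails when the difference exceeds a tolerance, so the check can be scripted after each run. The log contents and offset output are constructed samples; the topic name bro-v3 and the log paths come from the steps above.

```shell
#!/bin/sh
# Added example (not from the gist): automate the record-vs-offset comparison
# of steps 12-14. Sample log files and GetOffsetShell output are constructed.

# Count only record lines; Bro's '#fields', '#close', ... lines are metadata
# that wc -l counts but that never become Kafka messages.
bro_record_count() {
    grep -hv '^#' "$@" | wc -l | tr -d ' '
}

# Sum the end offsets for a topic from GetOffsetShell output, which prints one
# "topic:partition:offset" line per partition (the first line is client info).
kafka_message_count() {
    # $1: topic name; stdin: GetOffsetShell output
    grep "^$1:" | awk -F: '{ sum += $3 } END { print sum + 0 }'
}

# Print both counts; return non-zero when they differ by more than $3 records.
compare_counts() {
    # $1: Bro record count, $2: Kafka message count, $3: tolerance (records)
    diff=$(( $1 - $2 ))
    [ "$diff" -lt 0 ] && diff=$(( 0 - diff ))
    echo "bro=$1 kafka=$2 diff=$diff"
    [ "$diff" -le "$3" ]
}

# --- constructed sample data standing in for /usr/local/bro/logs/current/* ---
tmp=$(mktemp -d)
cat > "$tmp/dns.log" <<'EOF'
#separator \x09
#fields ts uid query
1493845848.1 CX1 example.com
1493845849.2 CX2 example.org
#close 2017-05-03-17-00-00
EOF
cat > "$tmp/http.log" <<'EOF'
#fields ts uid host
1493845850.3 CY1 example.com
EOF
# Constructed stand-in for: kafka-run-class.sh kafka.tools.GetOffsetShell ...
OFFSETS='{metadata.broker.list=node1:6667, client.id=GetOffsetShell}
bro-v3:0:2
bro-v3:1:1'

bro=$(bro_record_count "$tmp/dns.log" "$tmp/http.log")
kafka=$(printf '%s\n' "$OFFSETS" | kafka_message_count bro-v3)
compare_counts "$bro" "$kafka" 0 && echo "no loss detected"
rm -rf "$tmp"
```

On a real node, replace the constructed files with the paths from step 12 and pipe the real GetOffsetShell output into `kafka_message_count`; a tolerance of a few records per log file allows for the rotation footer lines.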
