First, fix dots in ES 2.4:
Fix dots in field names
Next install Bro ElasticSearch plugin:
Bro ElasticSearch Plugin
with a couple of caveats: you need to cd into bro-2.4.1/aux/plugins/elasticsearch before running ./configure && make && make install, and the default plugin directory it installs into is bro-install-dir/lib/bro/plugins/.
The template below sets every string field to not_analyzed (host names, URIs, user agents and the like are then matched exactly instead of being tokenized), maps ts as a date in epoch milliseconds, and maps id.orig_h, id.resp_h and assigned_ip as the ip type. All of it sits under _default_: in ES 2.x every key under mappings is a document type, so properties listed under a made-up type name (bro_orig_h and friends) would only apply to documents indexed with that exact type, whereas _default_ is inherited by every type the Bro writer creates:
curl -XPUT "http://localhost:9200/_template/bro_template" -d'
{
  "template": "bro-*",
  "order": 1,
  "mappings": {
    "_default_": {
      "dynamic_templates": [
        {
          "strings": {
            "match_mapping_type": "string",
            "mapping": {
              "type": "string",
              "index": "not_analyzed"
            }
          }
        }
      ],
      "properties": {
        "ts": {
          "type": "date",
          "format": "epoch_millis"
        },
        "id.orig_h": {
          "type": "ip"
        },
        "id.resp_h": {
          "type": "ip"
        },
        "assigned_ip": {
          "type": "ip"
        }
      }
    }
  }
}'
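Before pushing a template it is worth knowing which mapping each Bro field will actually end up with, and which field names will trip the dots restriction. The script below is an added example, not code from the original post or from Bro or Elasticsearch: it re-implements the ES 2.x template resolution rules locally (explicit properties win, dynamic templates match on the JSON value type, _default_ applies to every type) and runs a constructed conn.log record through the template above. The ts and ip properties are assumed to live under _default_, and SAMPLE_CONN is made up in the shape the Bro ElasticSearch writer emits (ts already in epoch milliseconds, dotted id.* names), not a captured record. Nothing here contacts a cluster.

```python
"""Added example (not from the original post): check the Bro index template
locally before pushing it to Elasticsearch 2.4.

Assumptions: ES 2.x mapping semantics (keys under "mappings" are document
types, "_default_" is inherited by all of them, an explicit "properties"
entry wins over a dynamic template, dynamic templates match on the JSON
value type). SAMPLE_CONN is a constructed record, not a captured one.
"""
import json

BRO_TEMPLATE = {
    "template": "bro-*",
    "order": 1,
    "mappings": {
        "_default_": {
            "dynamic_templates": [
                {"strings": {
                    "match_mapping_type": "string",
                    "mapping": {"type": "string", "index": "not_analyzed"},
                }}
            ],
            "properties": {
                "ts": {"type": "date", "format": "epoch_millis"},
                "id.orig_h": {"type": "ip"},
                "id.resp_h": {"type": "ip"},
                "assigned_ip": {"type": "ip"},
            },
        }
    },
}

# Constructed sample: one conn.log line as the Bro writer would JSON-encode it.
SAMPLE_CONN = {
    "ts": 1473380000123,
    "uid": "CHhAvVGS1DHFjwGM9",
    "id.orig_h": "10.0.0.5",
    "id.orig_p": 51234,
    "id.resp_h": "93.184.216.34",
    "id.resp_p": 443,
    "proto": "tcp",
    "conn_state": "SF",
    "orig_bytes": 1024,
    "local_orig": True,
}

# JSON value type -> the name ES 2.x uses in match_mapping_type.
JSON_TO_ES = {str: "string", bool: "boolean", int: "long", float: "double"}


def resolve_mapping(template, doc):
    """Return {field: (es_type, how)} for every top-level field of doc.
    how is "explicit" for a listed property, the index setting
    ("not_analyzed"/"analyzed") when a dynamic template matched, or
    "dynamic" when ES would fall back to its own guess."""
    default = template["mappings"]["_default_"]
    explicit = default.get("properties", {})
    dynamic = default.get("dynamic_templates", [])
    result = {}
    for field, value in doc.items():
        if field in explicit:
            result[field] = (explicit[field]["type"], "explicit")
            continue
        es_type = JSON_TO_ES[type(value)]
        for entry in dynamic:
            (rule,) = entry.values()
            if rule.get("match_mapping_type") == es_type:
                m = rule["mapping"]
                result[field] = (m["type"], m.get("index", "analyzed"))
                break
        else:
            result[field] = (es_type, "dynamic")
    return result


def dotted_fields(doc):
    """Field names containing a dot: ES 2.x rejects these unless the node
    runs with mapper.allow_dots_in_name enabled (the 'fix dots' step)."""
    return sorted(f for f in doc if "." in f)


def template_body(template=BRO_TEMPLATE):
    """The JSON to hand to curl -XPUT .../_template/bro_template."""
    return json.dumps(template, indent=2)


if __name__ == "__main__":
    for field, (es_type, how) in sorted(resolve_mapping(BRO_TEMPLATE, SAMPLE_CONN).items()):
        print("%-12s %-8s %s" % (field, es_type, how))
    print("dotted fields:", ", ".join(dotted_fields(SAMPLE_CONN)))
```

Once the real template is in place, curl -XGET "http://localhost:9200/_template/bro_template?pretty" should echo it back; if the ports (id.orig_p, id.resp_p) show up as long and the hosts as ip, the order of precedence above is what you got.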
Friday, September 16, 2016
Thursday, September 8, 2016
Maltrail Setup and Systemd Integration
Having run this app for a while now, I figured this was long overdue. Tested on Ubuntu 14 through 16:
git clone https://github.com/stamparm/maltrail.git
sudo mv maltrail /opt/
add to /etc/passwd:
maltrail:x:10000:10000::/opt/maltrail:/bin/false
add to /etc/group:
maltrail:x:10000:maltrail
edit /opt/maltrail/maltrail.conf (capture interface, server credentials, etc.)
sudo chown -R maltrail:maltrail /opt/maltrail
create the two files below:
/lib/systemd/system/maltrail-server.service:
[Unit]
Description=Maltrail server
After=network.target
[Service]
User=maltrail
Group=maltrail
WorkingDirectory=/opt/maltrail
# systemd does not run ExecStart through a shell: nohup, & and disown would
# be handed to python as arguments, so a plain command line is all it needs
ExecStart=/usr/bin/python /opt/maltrail/server.py
Restart=on-failure
[Install]
WantedBy=multi-user.target
/lib/systemd/system/maltrail-sensor.service:
[Unit]
Description=Maltrail sensor
After=network.target
[Service]
# no User= here: the sensor sniffs the interface and needs root (CAP_NET_RAW)
WorkingDirectory=/opt/maltrail
ExecStart=/usr/bin/python /opt/maltrail/sensor.py
Restart=on-failure
[Install]
WantedBy=multi-user.target
then run:
sudo systemctl enable maltrail-server
sudo systemctl enable maltrail-sensor
lastly run:
sudo systemctl start maltrail-server
sudo systemctl start maltrail-sensor
updating:
sudo systemctl stop maltrail-server
sudo systemctl stop maltrail-sensor
cd /opt/maltrail
sudo cp maltrail.conf maltrail.conf.mine
sudo rm maltrail.conf
sudo git pull
copy local changes from maltrail.conf.mine to the new maltrail.conf
sudo chown -R maltrail:maltrail /opt/maltrail
sudo systemctl start maltrail-server
sudo systemctl start maltrail-sensor
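The whole install and update procedure above, as one script. This is an added example, not the post's own commands or anything shipped by the Maltrail project: it assumes an Ubuntu box with systemd, Maltrail checked out to /opt/maltrail, Python at /usr/bin/python (what the post used), and unit files under /lib/systemd/system (override with UNIT_DIR). The UID/GID 10000 and the unit names are the post's; groupadd/useradd replace the hand edits of /etc/passwd and /etc/group, since they also write the /etc/shadow entry and refuse a duplicate UID. Run it as root with install or update as the argument; with no argument it only defines the functions.

```shell
#!/bin/sh
# Added example (not from the original post or the Maltrail project).
# Assumptions: systemd, /opt/maltrail, /usr/bin/python, unit dir below.

MALTRAIL_HOME=/opt/maltrail
MALTRAIL_REPO=https://github.com/stamparm/maltrail.git
UNIT_DIR=${UNIT_DIR:-/lib/systemd/system}

# Unprivileged account the server runs as (same uid/gid/home/shell as the
# post's /etc/passwd line), created only if it does not already exist.
create_user() {
    getent group maltrail >/dev/null || groupadd -g 10000 maltrail
    getent passwd maltrail >/dev/null || \
        useradd -u 10000 -g maltrail -d "$MALTRAIL_HOME" -M -s /bin/false maltrail
}

# Write both unit files into $1. The server drops to the maltrail user; the
# sensor keeps root because live capture needs CAP_NET_RAW. ExecStart is a
# bare command line: systemd does not use a shell, so 'nohup ... & disown'
# would be passed to python as arguments instead of backgrounding anything.
write_unit_files() {
    dir=$1
    cat > "$dir/maltrail-server.service" <<'EOF'
[Unit]
Description=Maltrail server
After=network.target

[Service]
User=maltrail
Group=maltrail
WorkingDirectory=/opt/maltrail
ExecStart=/usr/bin/python /opt/maltrail/server.py
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
    cat > "$dir/maltrail-sensor.service" <<'EOF'
[Unit]
Description=Maltrail sensor
After=network.target

[Service]
WorkingDirectory=/opt/maltrail
ExecStart=/usr/bin/python /opt/maltrail/sensor.py
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
}

# Succeed only if the unit's ExecStart line carries no shell metacharacters;
# this is the check that catches the 'nohup ... & disown' mistake up front.
unit_execstart_is_clean() {
    ! grep '^ExecStart=' "$1" | grep -q '[&|;]'
}

install_maltrail() {
    [ -d "$MALTRAIL_HOME" ] || git clone "$MALTRAIL_REPO" "$MALTRAIL_HOME"
    create_user
    write_unit_files "$UNIT_DIR"
    chown -R maltrail:maltrail "$MALTRAIL_HOME"
    systemctl daemon-reload
    systemctl enable maltrail-server maltrail-sensor
    systemctl start maltrail-server maltrail-sensor
}

# The post's "updating" steps: keep the local config as maltrail.conf.mine,
# restore the tracked copy so git pull is not blocked, then merge by hand.
update_maltrail() {
    systemctl stop maltrail-server maltrail-sensor
    cd "$MALTRAIL_HOME"
    cp maltrail.conf maltrail.conf.mine
    git checkout -- maltrail.conf
    git pull
    echo "merge your settings from maltrail.conf.mine into maltrail.conf, then run:"
    echo "  chown -R maltrail:maltrail $MALTRAIL_HOME"
    echo "  systemctl start maltrail-server maltrail-sensor"
}

case "${1:-}" in
    install) install_maltrail ;;
    update)  update_maltrail ;;
esac
```

unit_execstart_is_clean is the one piece worth keeping around on its own: run it over any unit you hand-write, since systemd will happily start a service whose ExecStart ends in "& disown" and the only symptom is python complaining about an unknown argument in the journal.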