Post Processing PCAPs with BRO


oxygen87

Oct 14, 2014, 5:11:02 AM
to securit...@googlegroups.com
Hey guys,

I have recently been shown BRO by a colleague and I think it's the answer to my needs. I am wanting to use it to post-process PCAP files, analyse protocols and trends derived from it.

I then stumbled across Security Onion that already has the tools I am after.

This may sound noobish and happy to get advice on where to go to learn but I want to achieve these things:

1. Use BRO to process a .pcap file
2. Utilise graphs to analyse the information (presumably Kibana/Elasticsearch)

Any help is much appreciated, I am not a big Linux user but happy to learn what I need to do this!

Cheers guys!

Doug Burks

Oct 14, 2014, 8:08:57 AM
to securit...@googlegroups.com
Hi Aaron,

If you don't care about timestamps, then the easiest method is to
replay the pcap to the sniffing interface on your Security Onion box.
For example, suppose that you ran Setup and set eth0 to be your
management interface and eth1 to be your sniffing interface, and your
pcap is named test.pcap:

sudo tcpreplay -ieth1 -M10 test.pcap

Since you have Bro, Snort, and other sniffing processes listening on
eth1, they will process the packets and you'll then be able to analyze
the traffic in our 4 major interfaces: Snorby, Squert, Sguil, and
ELSA. In particular, ELSA will allow you to slice and dice your Bro
logs and create graphs.
--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

oxygen87

Oct 15, 2014, 4:30:57 AM
to securit...@googlegroups.com
Thanks for the reply Doug!

I was hoping to put together a method that would preserve timestamps. Any suggestions?

Cheers!

Doug Burks

Oct 15, 2014, 7:19:27 AM
to securit...@googlegroups.com
If you need to preserve timestamps, then you can use "bro -r" as follows:

mkdir test
cd test
bro -r test.pcap local

Bro will write out logs to the current directory. You can verify the
timestamps have been preserved in conn.log with the following:
bro-cut -d ts < conn.log

Please note that this will only give you Bro logs (none of our other
data types) and they will only be available as raw logs (not
searchable via ELSA). You could do something like this in
/nsm/bro/logs/current/ (assuming that you had stopped the running
version of Bro with "sudo broctl stop") which will get the logs into
ELSA with original timestamp preserved in the raw log, but the ELSA
timestamp will still default to the time that syslog-ng actually
collected the log entries. So you would see something like the
attached screenshot, where the Timestamp field shows today's date (Wed
Oct 15), but the actual Bro log shows the original timestamp in epoch
format (first field in bold).

At some point in the future, I'd like for us to have a tool that would
run "bro -r", "snort -r", etc. and get all the data into our normal
interfaces while preserving timestamps.
[Attachment: Screen Shot 2014-10-15 at 7.15.03 AM.png]
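A check that goes with the "bro -r" step above, as an added example that is not from this thread or from Security Onion: a small shell function that locates the ts column from conn.log's #fields header and counts the records whose timestamp falls outside the epoch window the pcap should cover, so a log that carries replay or collection time instead of the original packet time is caught. The sample conn.log is constructed here with a shortened field list.

```shell
#!/bin/sh
# Added example (not from the thread): report how many conn.log records
# carry a ts outside an expected epoch window. Logs written by "bro -r"
# keep the pcap's timestamps; logs from a tcpreplay run carry replay time.

# Constructed sample conn.log in Bro's tab-separated format (column list
# shortened; a real conn.log has more fields).
SAMPLE_CONN_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_CONN_LOG"' EXIT
{
    printf '#separator \\x09\n'
    printf '#path\tconn\n'
    printf '#open\t2014-10-15-07-10-00\n'
    printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\n'
    printf '#types\ttime\tstring\taddr\tport\taddr\tport\tenum\n'
    printf '1412900000.123456\tCXWv6p3arKYeMETxOg\t10.0.0.5\t51234\t10.0.0.1\t53\tudp\n'
    printf '1412900001.500000\tCjhGID4nQcgTWjvg4c\t10.0.0.5\t51235\t10.0.0.1\t80\ttcp\n'
    printf '1412900100.000000\tC4J4Th3PJpwUYZZ6gc\t10.0.0.6\t40000\t10.0.0.2\t443\ttcp\n'
    printf '#close\t2014-10-15-07-10-05\n'
} > "$SAMPLE_CONN_LOG"

# ts_out_of_window LOGFILE START END
# Locates the ts column from the #fields header (so it does not assume
# column 1), prints the count of records with ts outside [START, END],
# and returns 0 when every record is inside the window, 1 otherwise.
ts_out_of_window() {
    awk -F'\t' -v lo="$2" -v hi="$3" '
        $1 == "#fields" { for (i = 2; i <= NF; i++) if ($i == "ts") col = i - 1; next }
        /^#/ { next }                      # skip remaining header/footer lines
        col == 0 { next }                  # no #fields header seen yet
        ($col + 0) < lo || ($col + 0) > hi { bad++ }
        END { printf "%d\n", bad; exit (bad > 0) }
    ' "$1"
}

# Usage: the sample spans 2014-10-10 UTC, so the first call reports 0
# records outside the window and the second reports all 3.
ts_out_of_window "$SAMPLE_CONN_LOG" 1412800000 1413000000
ts_out_of_window "$SAMPLE_CONN_LOG" 1413300000 1413400000 || true
```

Run it against the conn.log written into the test directory after "bro -r test.pcap local", with START and END set to the capture window of the pcap; a non-zero count means the log does not carry the original timestamps.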

oxygen87

Oct 16, 2014, 5:58:42 AM
to securit...@googlegroups.com
Thanks for the prompt reply Doug.

Just so I am clear, if I run the bro command and process the pcap, I can see that it generates the relevant log files. In order for them to show in ELSA, I just need to stop BRO then copy those logs into the /nsm/bro/logs/current folder?

Forgive my knowledge, Linux is not my strong point.

Cheers!

Doug Burks

Oct 16, 2014, 8:00:40 AM
to securit...@googlegroups.com
On Thu, Oct 16, 2014 at 5:58 AM, oxygen87 <aa...@houghton.net.au> wrote:
> Thanks for the prompt reply Doug.
>
> Just so I am clear, if I run the bro command and process the pcap, I can see that it generates the relevant log files. In order for them to show in ELSA, I just need to stop BRO then copy those logs into the /nsm/bro/logs/current folder?

Yes, that should work, just keep in mind what I said previously about
the "outer" timestamps being current time and needing to look at the
"inner" timestamps if you want to see the original timestamp.