GitHub - plaix/docker-bro: Bro IDS Dockerfile added basic ELK integration · GitHub
Bro IDS Dockerfile

This repository contains the Dockerfile for Bro-IDS used by the trusted build published to the public Docker Registry.

Image Tags

$ docker images

REPOSITORY          TAG                 VIRTUAL SIZE
blacktop/bro        latest              488.4 MB
blacktop/bro        2.4.1               488.4 MB
blacktop/bro        2.4                 488.4 MB
blacktop/bro        2.3.2               531 MB
blacktop/bro        2.2                 527.9 MB

Installation

  1. Install Docker.

  2. Download the trusted build from the public Docker Registry: docker pull blacktop/bro

Alternatively, build the image yourself from the Dockerfile:

$ docker build -t blacktop/bro github.com/blacktop/docker-bro

Usage

$ docker run -i -t -v /path/to/folder/pcap:/pcap:rw blacktop/bro -r heartbleed.pcap local

Output:

$ ls -l

-rw-r--r-- 1 root root   617 Jul 27 02:00 conn.log
-rw-r--r-- 1 root root   734 Jul 27 02:00 files.log
-rw-r--r-- 1 root root 15551 Jul 27 02:00 loaded_scripts.log
-rw-r--r-- 1 root root  1938 Jul 27 02:00 notice.log
-rw-r--r-- 1 root root   253 Jul 27 02:00 packet_filter.log
-rw-r--r-- 1 root root   781 Jul 27 02:00 ssl.log
-rw-r--r-- 1 root root   901 Jul 27 02:00 x509.log
$ cat notice.log | awk '{ print $11 }' | tail -n4

Heartbleed::SSL_Heartbeat_Attack
Heartbleed::SSL_Heartbeat_Odd_Length
Heartbleed::SSL_Heartbeat_Attack_Success
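The awk one-liner above picks column 11 by position, which silently breaks when a log has a different column layout. As an added example (not code from this repository), the POSIX shell helper below selects a column by the name given in the log's #fields header instead, and runs against a constructed notice.log so it works without Docker or Bro installed:

```shell
#!/bin/sh
# Added example, not part of plaix/docker-bro: read Bro/Zeek TSV logs by
# column name rather than by position.

# bro_field FILE COLUMN: print COLUMN from a Bro TSV log. The column index is
# taken from the "#fields" header line; all other "#" comment lines are skipped.
bro_field() {
    awk -F '\t' -v col="$2" '
        /^#fields/ { for (i = 2; i <= NF; i++) if ($i == col) idx = i - 1; next }
        /^#/       { next }
        idx        { print $idx }
    ' "$1"
}

# notice_summary FILE: count notices per note type, most frequent first.
notice_summary() {
    bro_field "$1" note | sort | uniq -c | sort -rn
}

# write_sample_notice_log FILE: write a constructed notice.log. Only a subset
# of the real columns is included and every value is made up for the demo.
write_sample_notice_log() {
    {
        printf '#separator \\x09\n'
        printf '#path\tnotice\n'
        printf '#fields\tts\tuid\tid.orig_h\tid.resp_h\tnote\tmsg\n'
        printf '#types\ttime\tstring\taddr\taddr\tenum\tstring\n'
        printf '1406426400.000000\tCXWv6p3arKYeMETxOg\t10.0.0.2\t10.0.0.1\tHeartbleed::SSL_Heartbeat_Attack\tHeartbleed attack detected\n'
        printf '1406426400.100000\tCXWv6p3arKYeMETxOg\t10.0.0.2\t10.0.0.1\tHeartbleed::SSL_Heartbeat_Odd_Length\tHeartbeat smaller than minimum length\n'
        printf '1406426400.200000\tCXWv6p3arKYeMETxOg\t10.0.0.2\t10.0.0.1\tHeartbleed::SSL_Heartbeat_Attack_Success\tHeartbleed attack probably succeeded\n'
        printf '#close\t2014-07-27-02-00-00\n'
    } > "$1"
}

# Demo: build the sample log, then summarise it as the awk pipeline above does.
demo_log=$(mktemp)
write_sample_notice_log "$demo_log"
notice_summary "$demo_log"
rm -f "$demo_log"
```

Point bro_field at the notice.log written into your /pcap folder by the container to get the same result on real output.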

Or use your own pcap:

$ docker run -it -v /path/to/pcap:/pcap:rw blacktop/bro -r my.pcap local

To Run on OSX

$ brew install caskroom/cask/brew-cask
$ brew cask install virtualbox
$ brew install docker
$ brew install docker-machine
$ docker-machine create --driver virtualbox dev
$ eval $(docker-machine env dev)

Add the following to your bash or zsh profile (the alias mounts the current directory as /pcap, so run it from the folder that holds your pcap; any arguments you type are passed through to bro):

alias bro='docker run -it --rm -v "$PWD":/pcap:rw blacktop/bro'

Usage

Capturing packets from an interface and writing them to a file can be done like this:

$ sudo tcpdump -i en0 -s 0 -w mypackets.trace
$ bro -r mypackets.trace local

To get rid of the "WARNING: No Site::local_nets have been defined." message, pass your local networks on the command line:

bro -r mypackets.trace local "Site::local_nets += { 1.2.3.0/24, 5.6.7.0/24 }"

Todo

  • Install/Run Bro-IDS
  • Fix Geolocation feature
  • Refine my extract-all.bro script
  • Start Daemon and watch folder with supervisord
  • Have container take a URL as input and download/scan pcap
  • Add ELK Stack
