Bro + ELK

"The Bro Network Security Monitor & ELK Stack"
TL;DR - No Security without Visibility | Deploy Bro for network security monitoring, traffic analysis and intrusion detection, and use the ELK Stack to analyze the logs Bro collects.

About Bro (The Bro Network Security Monitor)

Bro is an open-source network security platform that illuminates your network's activity in detail, with the stability and flexibility for production deployment at scale.

1. (Bro) Installation & basic configuration

1.) Network and software environment

Network environment: at the network boundary, deploy a network tap or use the switch's port mirroring (SPAN) feature to copy both inbound and outbound traffic to the Bro cluster --> https://www.bro.org/sphinx/cluster/index.html. Bro only sees what reaches that interface: a tap or mirror that carries only one direction of a flow produces half-connections and wrong byte counts in conn.log, so verify both directions arrive before trusting the logs.
Software environment: OS: Ubuntu 14.04 LTS, Bro: 2.4.x, ELK: Elasticsearch-1.7.x | Logstash-1.5.x | kibana-4.1.1

2.) Add the signing key

wget http://download.opensuse.org/repositories/network:bro/xUbuntu_14.04/Release.key
apt-key add - < Release.key

3.) Add the repository

echo 'deb http://download.opensuse.org/repositories/network:/bro/xUbuntu_14.04/ /' >> /etc/apt/sources.list.d/bro.list

4.) Install

apt-get update
apt-get install bro
# single quotes keep $PATH from being expanded now, so today's PATH is not baked into ~/.bashrc
echo 'export PATH=/opt/bro/bin:$PATH' >> ~/.bashrc

5.) Customize the Bro configuration files, then initialize

Monitored network interface(s): /opt/bro/etc/node.cfg
Local network address ranges (these populate Site::local_nets, which is what decides local_orig/local_resp in conn.log): /opt/bro/etc/networks.cfg
Main configuration file: /opt/bro/etc/broctl.cfg
Initialize: broctl deploy
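The post names these three files but does not show what goes in them. As an added example (not the post's own configuration), here is a node.cfg for the standalone case beside the cluster layout that the network-environment section links to, followed by a networks.cfg. The interface names, host addresses and address ranges are assumptions to replace with your own; keep comments on their own lines, since a comment after a value would become part of the value.

```ini
# /opt/bro/etc/node.cfg -- standalone: one Bro process sniffs one interface.
# "interface" is the NIC that receives the tap / SPAN copy (assumed: eth1).
[bro]
type=standalone
host=localhost
interface=eth1

# Cluster alternative for the same file: remove the [bro] section above and
# declare one manager, at least one proxy, and one worker per sniffing NIC.
# Hosts and interfaces below are assumptions.
#[manager]
#type=manager
#host=10.0.0.10
#
#[proxy-1]
#type=proxy
#host=10.0.0.10
#
#[worker-1]
#type=worker
#host=10.0.0.11
#interface=eth1
#
#[worker-2]
#type=worker
#host=10.0.0.12
#interface=eth1

# /opt/bro/etc/networks.cfg -- one "CIDR  description" per line. Everything
# listed here is "local" to Bro (Site::local_nets / Site::is_local_addr),
# which is what sets local_orig and local_resp in conn.log. Ranges are assumed.
10.0.0.0/8        Private IP space
192.168.0.0/16    Private IP space
203.0.113.0/24    Company public range (assumed)
```

After editing, `broctl deploy` installs the policy and (re)starts the nodes; `broctl status` then lists every node with its state, which is the quickest check that a worker actually came up on the interface it was given.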

6.) Add a cron job (broctl cron restarts crashed cluster nodes, rotates the logs and removes expired ones)

0-59/5 * * * * /opt/bro/bin/broctl cron

7.) Change the default port

BroPort in broctl.cfg is the base TCP port the manager, proxies and workers use to talk to each other (the default is 47760); restrict it to the cluster hosts with your firewall, since nothing else needs to reach it.

/opt/bro/etc/broctl.cfg
BroPort = 10000

8.) Load a custom script

Download (fetch the raw file; the GitHub "blob" URL returns an HTML page, which Bro cannot parse):

wget https://raw.githubusercontent.com/jonschipp/bro-scripts/master/dns-audit.bro

Copy the script into the site directory: cp dns-audit.bro /opt/bro/share/bro/site/

Edit the site policy: vi /opt/bro/share/bro/site/local.bro

@load dns-audit.bro

Apply: broctl deploy (running broctl check first parses the policy and reports script errors without touching the running nodes)

9.) Email alerts (ssmtp + Tencent exmail)

Bro main configuration file

vi /opt/bro/etc/broctl.cfg
MailTo = [email protected]
SendMail = /usr/sbin/sendmail
MailFrom = [email protected]

ssmtp configuration (ssmtp.conf holds the mailbox password in clear text, so keep the file readable by root only and use a dedicated alerting mailbox rather than a personal one)

vi /etc/ssmtp/ssmtp.conf
[email protected]
mailhub=smtp.exmail.qq.com:465
hostname=bro-nsm
UseTLS=Yes
[email protected]
AuthPass=[email password]
FromLineOverride=yes

ssmtp aliases

vi /etc/ssmtp/revaliases
root:[email protected]:smtp.exmail.qq.com:465
mainuser:[email protected]:smtp.exmail.qq.com:465

2. (ELK) Installation & basic configuration

1.) Install Java

add-apt-repository -y ppa:webupd8team/java
apt-get update
apt-get -y install oracle-java8-installer

2.) Install Elasticsearch

#Add the key:
wget -qO - https://packages.elastic.co/GPG-KEY-elasticsearch | apt-key add -
#Add the repository:
echo "deb https://packages.elastic.co/elasticsearch/1.7/debian stable main" | tee -a /etc/apt/sources.list.d/elasticsearch-1.7.list
#Install:
apt-get update && apt-get -y install elasticsearch
#Configure (Elasticsearch 1.x has no built-in authentication; binding to localhost keeps the REST API on port 9200 off the network, reachable only by Logstash and Kibana on this host):
vi /etc/elasticsearch/elasticsearch.yml
network.host: localhost
#Start the service:
service elasticsearch restart
#Enable at boot:
update-rc.d elasticsearch defaults 95 10
#Test:
curl -X GET http://localhost:9200/
#Reference:
https://www.elastic.co/guide/en/elasticsearch/reference/current/setup-repositories.html

3.) Install Logstash

#Add the repository:
echo 'deb https://packages.elasticsearch.org/logstash/1.5/debian stable main' | tee /etc/apt/sources.list.d/logstash.list
#Install (the package name is lower-case; apt package names are case-sensitive):
apt-get update && apt-get -y install logstash
# Change the Logstash gem sources (only needed where rubygems.org is unreachable; ruby.taobao.org is a third-party mirror, so plugin installs will then trust that mirror instead of rubygems.org)
/opt/logstash/vendor/bundle/jruby/1.9/gems/gems-0.8.3/lib/gems/configuration.rb
/opt/logstash/vendor/jruby/lib/ruby/shared/rubygems/defaults.rb
/opt/logstash/Gemfile
Replace rubygems.org ==> ruby.taobao.org

4.) Install Kibana

#Create and enter a temporary directory
mkdir ~/tmp ; cd ~/tmp
#Download Kibana and its SHA-1 file, then compare the two hashes (they must match; this catches a corrupted download, not a compromised server, since both files come from the same host)
wget https://download.elastic.co/kibana/kibana/kibana-4.1.1-linux-x64.tar.gz
wget https://download.elastic.co/kibana/kibana/kibana-4.1.1-linux-x64.tar.gz.sha1.txt
sha1sum kibana-4.1.1-linux-x64.tar.gz
cat kibana-4.1.1-linux-x64.tar.gz.sha1.txt
#Unpack & configure (host: "localhost" keeps port 5601 off the network, so the only way in is through the authenticating Nginx proxy set up in the next step)
tar xf kibana-*.tar.gz
vi ~/tmp/kibana-4*/config/kibana.yml
host: "localhost"
mkdir -p /opt/kibana
cp -R ~/tmp/kibana-4*/* /opt/kibana/
#Init script (a third-party gist that will run as root at boot: read it before installing)
cd /etc/init.d && wget https://gist.githubusercontent.com/thisismitch/8b15ac909aed214ad04a/raw/bce61d85643c2dcdfbc2728c55a41dab444dca20/kibana4
chmod +x /etc/init.d/kibana4
update-rc.d kibana4 defaults 96 9
service kibana4 start

5.) Configure HTTP authentication for Kibana

#Install Nginx and apache2-utils
apt-get install nginx apache2-utils
#Set the user name (Zer0d0y) and password (-c creates the file and overwrites an existing one; omit -c when adding further users)
htpasswd -c /etc/nginx/htpasswd.users Zer0d0y
#Edit the Nginx configuration file. This listens on plain HTTP: basic-auth credentials travel base64-encoded, not encrypted, so on anything other than a trusted management network add a TLS listener (listen 443 ssl with a certificate) and redirect port 80 to it.
vi /etc/nginx/conf.d/kibana.conf
server {
    listen 80;

    server_name nsm.Zer0d0y.info;

    auth_basic "Restricted Access";
    auth_basic_user_file /etc/nginx/htpasswd.users;

    location / {
        proxy_pass http://localhost:5601;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
#Restart Nginx so the configuration takes effect
service nginx restart

3. Configure Logstash to process the Bro log files

#Fetch the Logstash configuration (the GitHub "tree" URL returns an HTML page, not the files, so clone the repository and copy its logstash/ directory)
git clone https://github.com/Zer0d0y/Bro-ELK ~/tmp/Bro-ELK
cp ~/tmp/Bro-ELK/logstash/* /etc/logstash/conf.d/
#Make the Bro log files readable by the logstash user. This makes them world-readable; a narrower alternative is a group membership or a filesystem ACL that grants read access to the logstash user alone:
chmod o+rx /opt/bro/logs
chmod o+rx /opt/bro/spool
#Test (the first command only parses the pipeline; the two queries then confirm that documents are arriving in Elasticsearch):
sudo -u logstash /opt/logstash/bin/logstash agent -f /etc/logstash/conf.d --configtest
curl "http://localhost:9200/_search?size=5&pretty=true"
curl "http://localhost:9200/_search?q=type:logs&pretty=true"
#Restart Logstash:
sudo /etc/init.d/logstash restart
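What the downloaded Logstash pipeline has to do with each Bro log is worth seeing in code, because Bro's ASCII logs are not plain CSV: the column separator is declared as a `\x09` escape on the first line, the column names and Bro types come from the `#fields`/`#types` header, unset fields are written as `-`, empty ones as `(empty)`, and set/vector columns are themselves comma-separated. The parser below is an added example, not code from the post or from the Bro-ELK repository; the conn.log excerpt it parses is constructed (following the Bro 2.4 conn.log layout), and the thresholds in `long_outbound_connections` are assumed values, not anything the post recommends.

```python
"""Parser for Bro's tab-separated ASCII logs (added example, see lead-in).
The conn.log excerpt below is constructed; layout follows Bro 2.4's conn.log."""
import re
from datetime import datetime, timezone
from typing import Any, Dict, Iterator, List

# Constructed conn.log excerpt. Line 1 is the literal text "#separator \x09";
# every later line uses a real tab between columns.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#open\t2015-09-01-00-00-00\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tmissed_bytes"
    "\thistory\torig_pkts\torig_ip_bytes\tresp_pkts\tresp_ip_bytes\ttunnel_parents\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount"
    "\tcount\tstring\tbool\tcount\tstring\tcount\tcount\tcount\tcount\tset[string]\n"
    "1441065600.123456\tCXWv6p3arKYeMETxOg\t10.0.0.5\t52344\t93.184.216.34\t80\ttcp"
    "\thttp\t0.512\t312\t1480\tSF\tT\t0\tShADadFf\t6\t632\t5\t1748\t(empty)\n"
    "1441065601.000000\tC4J4Th3PJpwUYZZ6gc\t10.0.0.5\t53211\t10.0.0.53\t53\tudp"
    "\tdns\t0.001\t45\t110\tSF\tT\t0\tDd\t1\t73\t1\t138\t(empty)\n"
    "1441065602.500000\tCkqd7Y2GQknJu9GLy9\t10.0.0.7\t44120\t198.51.100.9\t4444\ttcp"
    "\t-\t3600.25\t1048576\t2048\tS1\tT\t0\tShADad\t900\t1084576\t30\t3248\t(empty)\n"
    "#close\t2015-09-01-01-00-00\n"
)


def bro_unescape(s: str) -> str:
    """Decode Bro's \\xHH escapes, e.g. the '\\x09' on the #separator line."""
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def convert_field(value: str, btype: str, meta: Dict[str, str]) -> Any:
    """Map one column to a Python value according to its Bro type."""
    if value == meta["unset_field"]:
        return None                      # '-': the field was never set
    if btype.startswith(("set[", "vector[")):
        if value == meta["empty_field"]:
            return []                    # '(empty)': container with no elements
        inner = btype[btype.index("[") + 1:-1]
        return [convert_field(v, inner, meta) for v in value.split(meta["set_separator"])]
    if value == meta["empty_field"]:
        return ""
    if btype in ("count", "int", "port"):
        return int(value)
    if btype in ("time", "interval", "double"):
        return float(value)
    if btype == "bool":
        return value == "T"
    return value                         # string, addr, subnet, enum stay as text


def parse_bro_log(text: str) -> Iterator[Dict[str, Any]]:
    """Yield one dict per record, keyed by the names from the #fields header."""
    meta = {"separator": "\t", "set_separator": ",",
            "empty_field": "(empty)", "unset_field": "-"}
    fields: List[str] = []
    types: List[str] = []
    for raw in text.splitlines():
        if not raw:
            continue
        if raw.startswith("#separator "):          # space-delimited, unlike the rest
            meta["separator"] = bro_unescape(raw[len("#separator "):])
            continue
        if raw.startswith("#"):
            key, _, val = raw[1:].partition(meta["separator"])
            if key in ("set_separator", "empty_field", "unset_field"):
                meta[key] = bro_unescape(val)
            elif key == "fields":
                fields = val.split(meta["separator"])
            elif key == "types":
                types = val.split(meta["separator"])
            continue                               # #path/#open/#close carry no data
        cols = raw.split(meta["separator"])
        if len(cols) != len(fields):
            raise ValueError(f"column count {len(cols)} != {len(fields)}: {raw!r}")
        yield {n: convert_field(v, t, meta) for n, v, t in zip(fields, cols, types)}


def to_es_document(record: Dict[str, Any]) -> Dict[str, Any]:
    """Add the @timestamp field Kibana indexes on, derived from Bro's epoch ts."""
    doc = dict(record)
    doc["@timestamp"] = datetime.fromtimestamp(record["ts"], timezone.utc).isoformat()
    return doc


def long_outbound_connections(records, min_duration=600.0, min_orig_bytes=1_000_000):
    """Hunt: long-lived TCP sessions pushing a lot of data out of a local host.
    Thresholds are assumptions; tune them to your own baseline."""
    return [r["uid"] for r in records
            if r["proto"] == "tcp" and r["local_orig"] is True
            and r["duration"] is not None and r["duration"] >= min_duration
            and (r["orig_bytes"] or 0) >= min_orig_bytes]


if __name__ == "__main__":
    recs = list(parse_bro_log(SAMPLE_CONN_LOG))
    for doc in map(to_es_document, recs):
        print(doc["@timestamp"], doc["uid"], doc["id.orig_h"], "->",
              doc["id.resp_h"], doc["id.resp_p"], doc["service"])
    print("flagged:", long_outbound_connections(recs))
```

Run it directly to print one line per connection and the flagged uid. Mapping `-` to `None` rather than keeping the string matters once the documents reach Elasticsearch: a `port` or `count` column that sometimes carries "-" would otherwise be indexed as a string field, and range queries and histograms on it in Kibana would stop working.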

Screenshots of the result (right-click to enlarge)

4. Configuration file download:

https://github.com/Zer0d0y/Bro-ELK

5. ToDo & Ref

1.) ToDo

Advanced topics
Bro Scripts(https://www.bro.org/sphinx/scripting/index.html)
Bro Intel Framework(https://intel.criticalstack.com/)

2.) Ref (references)

https://www.bro.org/why_choose_bro.pdf
https://bro-tracker.atlassian.net/secure/Dashboard.jspa
https://www.bro.org/documentation/index.html
https://www.bro.org/sphinx/scripts/base/protocols/conn/main.bro.html

Author: Zer0d0y
WeChat: Zer0d0y
Original post: https://www.zer0d0y.info/post/Bro-plus-ELK/
Copyright of this article belongs to the author. Reposting is welcome, but unless the author agrees otherwise this notice must be kept and a link to the original given prominently on the article page; the author reserves the right to pursue legal action otherwise.