Hi,
I’m trying to figure out what happened to the Brownian project (front-end for Bro) and whether or not there are other projects attempting to create a front-end for Bro IDS using ElasticSearch.
Thank you,
E
Take a look at Kibana.
If you’re looking for something pre-built, Graylog2 is nice.
If you want to use the standard Elastic stack, the key is to send your logs from Bro in JSON format, use the json_lines codec and the de_dot filter in Logstash, and at that point Kibana “Just Works”. With Bro 2.5 I believe you can change the field delimiter to avoid the de_dot problem (Elasticsearch 2.x doesn’t allow dots in field names, although Elasticsearch 5.x will).
Jay
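As an added illustration of the pipeline Jay describes (this is example code written for this thread, not Bro, Logstash, or Brownian code), the block below emulates what the json_lines codec plus the de_dot filter do to Bro's JSON logs before an Elasticsearch 2.x index accepts them. Bro's JSON writer flattens nested records with a "." scope separator, so a conn.log line carries keys such as "id.orig_h"; the de_dot filter renames those keys, by default swapping "." for "_", or optionally rebuilding the nested record. The sample log lines, the index name and the function names are all constructed assumptions.

```python
"""Added example (not from the thread, not Brownian or Logstash code):
emulate the json_lines codec + de_dot filter step of a Bro -> Logstash ->
Elasticsearch 2.x pipeline, so the effect on real conn.log keys is visible."""
import json

# Constructed sample lines in the shape of Bro's JSON conn.log output
# (LogAscii::use_json = T); the hosts, uids and timestamps are made up.
SAMPLE_CONN_JSON = """\
{"ts":1478112300.123456,"uid":"CHhAvVGS1DHFjwGM9","id.orig_h":"10.0.0.5","id.orig_p":51234,"id.resp_h":"93.184.216.34","id.resp_p":80,"proto":"tcp","service":"http","duration":0.5,"orig_bytes":300,"resp_bytes":1200,"conn_state":"SF"}
{"ts":1478112301.5,"uid":"CmES5u32sYpV7JYN","id.orig_h":"10.0.0.7","id.orig_p":40000,"id.resp_h":"10.0.0.1","id.resp_p":53,"proto":"udp","service":"dns","conn_state":"SF"}
"""


def parse_json_lines(text):
    """Decode newline-delimited JSON, which is what the json_lines codec
    consumes; blank lines (e.g. a trailing newline) are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def has_dotted_keys(event):
    """True if any top-level key would be rejected by Elasticsearch 2.0-2.3."""
    return any("." in key for key in event)


def de_dot(event, separator="_", nested=False):
    """Rename keys containing "." the way Logstash's de_dot filter does.

    Flat mode (the filter's default) replaces every "." with `separator`,
    so "id.orig_h" becomes "id_orig_h".  Nested mode splits the key on "."
    and builds nested dicts instead, so "id.orig_h" becomes {"id": {"orig_h": ...}}.
    Keys without dots are copied unchanged.  If a scalar already sits where a
    nested object must go, the scalar is replaced by the object (assumed
    behaviour for this example; the real filter's handling may differ).
    """
    out = {}
    for key, value in event.items():
        if "." not in key:
            out[key] = value
        elif nested:
            parts = key.split(".")
            node = out
            for part in parts[:-1]:
                child = node.get(part)
                if not isinstance(child, dict):
                    child = {}
                    node[part] = child
                node = child
            node[parts[-1]] = value
        else:
            out[key.replace(".", separator)] = value
    return out


def prepare_for_es2(text, nested=False):
    """Full step: json_lines decode, then de_dot every event."""
    return [de_dot(event, nested=nested) for event in parse_json_lines(text)]


def to_bulk_body(events, index="bro-conn", doc_type="conn"):
    """Build an Elasticsearch _bulk request body: one action line followed by
    one document line per event, newline terminated.  `_type` is required by
    ES 2.x; `index` and `doc_type` are assumed names for the example."""
    lines = []
    for event in events:
        lines.append(json.dumps({"index": {"_index": index, "_type": doc_type}}))
        lines.append(json.dumps(event, separators=(",", ":")))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    raw = parse_json_lines(SAMPLE_CONN_JSON)
    print("dotted keys before de_dot:", [k for k in raw[0] if "." in k])
    flat = prepare_for_es2(SAMPLE_CONN_JSON)
    print("flat keys after de_dot:", [k for k in flat[0] if k.startswith("id_")])
    print(to_bulk_body(flat), end="")
```

In Logstash terms the same two steps are an input with `codec => json_lines` and a `filter { de_dot { } }` block; on the Bro side `@load tuning/json-logs` in local.bro switches the ASCII writer to JSON output. Once the dots are gone (or once you are on an Elasticsearch release that accepts them again), the documents index without a custom mapping and show up in Kibana as-is.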
Dots are allowed in ES 2.4, see https://www.elastic.co/blog/elasticsearch-2-4-0-released#_dots_in_fields_names_the_return
Jon
The Brownian location hasn't changed; it's available here: https://github.com/grigorescu/Brownian
In terms of what happened to it, there are two main issues:
1) ElasticSearch breaking compatibility in 2.X (though, thanks Jon for pointing out that this is fixed in the latest release),
2) broLogTypes.py needing to be updated for new log files. To me, this is the main advantage that Brownian has over other tools (which are much more powerful in terms of graphs and dashboards), in that Brownian "knows" that dns$query, even though it's technically a string, is often a domain name that you might want to do a lookup on. Or that ftp$user is a username that you might want to query in LDAP.
From a personal perspective, Brownian started out of necessity, and I've switched jobs a couple of times in the meantime. At NCSA, we don't have an ElasticSearch cluster, so Brownian development hasn't been a priority, especially since I don't even know what the problems are these days.
I still have a long todo list for Brownian, but to be honest, I'm not sure how many people are still using it today, and how many would benefit from improvements to it. I still look at pull requests and issues that come through (though I'm afraid that I'm often slow to respond to them).
My hope is that one day Brownian is redone as a front-end to VAST, and is more tightly coupled with Bro, but this is a space that's always rapidly evolving and hard to predict.
A long answer to your question, but it's been a while since I've given a status update on Brownian, and I think others may have been wondering the same thing.
--Vlad
Espresso Beanies <espressobeanies@gmail.com> writes: