BroConfiguration - ads8t/security-onion GitHub Wiki

You can add your own Intel to /opt/bro/share/bro/intel/intel.dat.
- When editing /opt/bro/share/intel/intel.dat, ensure there are no leading/trailing spaces or lines, and that only (single) tabs are used as field delimiters.
- If you experience an error, or do not notice /nsm/bro/logs/current/intel.log being generated, try having a look in /nsm/bro/logs/current/reporter.log for clues.
- You may also want to restart Bro after making changes, by running the following command:
  sudo nsm_sensor_ps-restart --only-bro.
To install and configure the Critical Stack Intel Client for use with Bro, please see:

https://github.com/Security-Onion-Solutions/security-onion/wiki/CriticalStackIntelClient

Bro * n

/opt/bro/etc/node.cfg

Custom Scripts

/opt/bro/share/bro/site/local.bro

You can add custom scripts in /opt/bro/share/bro/policy/ and then reference the scripts in /opt/bro/share/bro/site/local.bro.

Below is an example how to do so:

Create a new directory under /opt/bro/share/bro/policy/.
sudo mkdir /opt/bro/share/bro/policy/custom-scripts
Add your custom script(s) and __load__.bro to this directory.
Modify __load__.bro to reference the scripts in the custom-scripts directory:

@load ./script1.bro
@load ./script2.bro
Edit /opt/bro/share/bro/site/local.bro so that it will load the new scripts in /opt/bro/share/bro/policy/custom-scripts, by adding @load custom-scripts at the bottom of the file and saving the file.
Restart Bro.
sudo nsm_sensor_ps-restart --only-bro
Check /nsm/bro/logs/current/loaded_scripts.log to see if your custom script(s) has/have been loaded.
Check /nsm/bro/logs/current/reporter.log for clues if your custom script(s) is/are not working as desired.

-To check and see if a Bro script has fired a Notice, go to ELSA, click Notice, and then click "Top Notice Types". Alternatively, check for entries in /nsm/bro/logs/*/notice.log. +To check and see if a Bro script has fired a Notice, go to ELSA, click Notice, and then click "Top Notice Types". Alternatively, check for entries in /nsm/bro/logs/current/notice.log.

PLEASE NOTE: In a distributed deployment, all custom scripts created under /opt/bro/share/bro/policy/ on a master server will be replicated to sensors via Salt, however, they will not be enabled, as /opt/bro/share/bro/site/local.bro is not replicated. Therefore, you will either need to manually add a reference to the scripts in /opt/bro/share/bro/site/local.bro, or add additional configuration in /opt/onionsalt/salt/sensor/init.sls for Salt to replicate this information.

Make a symlink to local.bro:

sudo ln -s /opt/bro/share/bro/site/local.bro /opt/onionsalt/salt/sensor/bro/local.bro

Then add the following to /opt/onionsalt/salt/sensor/init.sls:

 localbro:   
 file.managed:
    - name: /opt/bro/share/bro/site/local.bro
    - source: salt://sensor/bro/local.bro

Then test, using:

sudo salt "SENSOR" state.highstate

You can then have Bro automatically restart upon a detected change in local.bro from the master by modifying init.sls similar to the following:

 restart-bro
 cmd.wait:
   - name: /usr/sbin/nsm_sensor_ps-restart --only-bro

BroConfiguration - ads8t/security-onion GitHub Wiki

conn.log

dns.log

ftp.log

http.log

ssl.log

notice.log

Intel

Bro * n

Custom Scripts

⚠️ **GitHub.com Fallback** ⚠️

⚠️ GitHub.com Fallback ⚠️