Wiki article and example YAML/scripts for custom Zeek/Suricata/NetFlow (
philrz authored Jun 9, 2021
1 parent 97df0e9 commit b071368
Showing 12 changed files with 661 additions and 4 deletions.
9 changes: 5 additions & 4 deletions cli/analyzecli/suricata.zed
@@ -1,10 +1,11 @@
type port=uint16;
type alert = {
timestamp: time,
event_type: bstring,
src_ip: ip,
src_port: port=(uint16),
src_port: port,
dest_ip: ip,
dest_port: port=(uint16),
dest_port: port,
vlan: [uint16],
proto: bstring,
app_proto: bstring,
Expand Down Expand Up @@ -36,9 +37,9 @@ type alert = {
icmp_type: uint64,
tunnel: {
src_ip: ip,
src_port: port=(uint16),
src_port: port,
dest_ip: ip,
dest_port: port=(uint16),
dest_port: port,
proto: bstring,
depth: uint64
},
526 changes: 526 additions & 0 deletions docs/Custom-Brimcap-Config.md


4 changes: 4 additions & 0 deletions docs/Home.md
Expand Up @@ -6,3 +6,7 @@ your effective use of Brimcap.
## Support Resources

- [[Troubleshooting]]

## User Documentation

- [[Custom Brimcap Config]]
4 changes: 4 additions & 0 deletions docs/_Sidebar.md
@@ -1,3 +1,7 @@
**Support Resources**

- [[Troubleshooting]]

**User Documentation**

- [[Custom Brimcap Config]]
Binary file added docs/media/Brim-Pref-YAML-Config-File.png
Binary file added docs/media/Custom-Zeek-Suricata-Pool.png
Binary file added docs/media/NetFlow-Pool.png
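--- a/examples/nfdump-wrapper.sh
+++ b/examples/nfdump-wrapper.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+export LD_LIBRARY_PATH="/usr/local/lib"
+TMPFILE=$(mktemp)
+cat - > "$TMPFILE"
+/usr/local/bin/nfpcapd -r "$TMPFILE" -l .
+rm "$TMPFILE"
+for file in nfcapd.*
+do
+/usr/local/bin/nfdump -r $file -o csv | head -n -3 | /opt/Brim/resources/app.asar.unpacked/zdeps/zq -i csv - > ${file}.zng
+done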
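Review bot: `$file` is unquoted in both the `nfdump -r $file` argument and the `> ${file}.zng` redirect inside the for loop, and the loop has no nullglob guard, so an empty match runs nfdump on the literal pattern `nfcapd.*`; add `shopt -s nullglob` before the loop and quote as `/usr/local/bin/nfdump -r "$file" -o csv | head -n -3 | … -i csv - > "${file}.zng"`. The temp pcap is only removed on the straight-line path: with no `set -e` a failing `nfpcapd` still reaches `rm`, but an interrupted run leaves the whole capture in the temp directory, which `trap 'rm -f "$TMPFILE"' EXIT` placed right after the `mktemp` line would cover. Without `set -o pipefail` a non-zero exit from `nfdump` or `zq` is also masked by the pipeline, so a conversion failure produces a truncated `.zng` with no error.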
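--- a/examples/nfdump.yml
+++ b/examples/nfdump.yml
@@ -0,0 +1,55 @@
+analyzers:
+- cmd: /usr/local/bin/nfdump-wrapper.sh
+globs: ["*.zng"]
+shaper: |
+type netflow = {
+ts: time,
+te: time,
+td: duration,
+sa: ip,
+da: ip,
+sp: uint16,
+dp: uint16,
+pr: string,
+flg: string,
+fwd: bytes,
+stos: bytes,
+ipkt: uint64,
+ibyt: uint64,
+opkt: uint64,
+obyt: uint64,
+\in: uint64,
+out: uint64,
+sas: uint64,
+das: uint64,
+smk: uint8,
+dmk: uint8,
+dtos: bytes,
+dir: uint8,
+nh: ip,
+nhb: ip,
+svln: uint16,
+dvln: uint16,
+ismc: string,
+odmc: string,
+idmc: string,
+osmc: string,
+mpls1: string,
+mpls2: string,
+mpls3: string,
+mpls4: string,
+mpls5: string,
+mpls6: string,
+mpls7: string,
+mpls8: string,
+mpls9: string,
+mpls10: string,
+cl: float64,
+sl: float64,
+al: float64,
+ra: ip,
+eng: string,
+exid: bytes,
+tr: time
+}
+put this := shape(netflow)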
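Review bot: The `cmd` path `/usr/local/bin/nfdump-wrapper.sh` does not match where this commit adds the script (`examples/nfdump-wrapper.sh`), and nothing in the file says the wrapper has to be copied there and made executable; a leading comment such as `# cmd expects examples/nfdump-wrapper.sh installed as /usr/local/bin/nfdump-wrapper.sh and chmod +x` would save readers a failed first run. The field written as `\in: uint64` also deserves a one-line comment, since a reader may take the backslash for a typo; presumably it escapes a reserved word in the shaper language — confirm and say so next to it.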
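--- a/examples/suricata-wrapper.sh
+++ b/examples/suricata-wrapper.sh
@@ -0,0 +1,2 @@
+#!/bin/bash -e
+exec /usr/bin/suricata -r /dev/stdin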
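Review bot: The `-e` in `#!/bin/bash -e` has no effect here because the script's only command is an `exec`, which either replaces the shell or fails outright; either drop it or comment it so the next editor does not assume error handling is in place when adding lines. The wrapper also produces no output path of its own, so wherever `eve.json` ends up depends on Suricata's configuration rather than on anything visible here; a comment such as `# assumes suricata.yaml is configured to write eve.json into the working directory — confirm` would make that dependency explicit.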
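--- a/examples/zeek-suricata.yml
+++ b/examples/zeek-suricata.yml
@@ -0,0 +1,53 @@
+analyzers:
+- cmd: /usr/local/bin/zeek-wrapper.sh
+- cmd: /usr/local/bin/suricata-wrapper.sh
+globs: ["eve.json"]
+shaper: |
+type port=uint16;
+type alert = {
+timestamp: time,
+event_type: bstring,
+src_ip: ip,
+src_port: port,
+dest_ip: ip,
+dest_port: port,
+vlan: [uint16],
+proto: bstring,
+app_proto: bstring,
+alert: {
+severity: uint16,
+signature: bstring,
+category: bstring,
+action: bstring,
+signature_id: uint64,
+gid: uint64,
+rev: uint64,
+metadata: {
+signature_severity: [bstring],
+former_category: [bstring],
+attack_target: [bstring],
+deployment: [bstring],
+affected_product: [bstring],
+created_at: [bstring],
+performance_impact: [bstring],
+updated_at: [bstring],
+malware_family: [bstring],
+tag: [bstring]
+}
+},
+flow_id: uint64,
+pcap_cnt: uint64,
+tx_id: uint64,
+icmp_code: uint64,
+icmp_type: uint64,
+tunnel: {
+src_ip: ip,
+src_port: port,
+dest_ip: ip,
+dest_port: port,
+proto: bstring,
+depth: uint64
+},
+community_id: bstring
+}
+filter event_type=="alert" | put this := shape(alert) | rename ts := timestamp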
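Review bot: The first analyzer entry `- cmd: /usr/local/bin/zeek-wrapper.sh` has no `globs` or `shaper`, unlike the suricata entry directly below it, so a reader copying the example cannot tell whether brimcap then ingests every file the wrapper writes or only a default set; a comment on that line such as `# no globs: presumably brimcap's default picks up the Zeek logs the wrapper emits — confirm` would document the intent. Both `cmd` paths also point at /usr/local/bin while the commit adds the wrapper scripts under examples/, so a comment stating that they must be installed there and made executable would help the first run succeed.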
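--- a/examples/zeek-wrapper.sh
+++ b/examples/zeek-wrapper.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+exec /opt/zeek/bin/zeek -C -r - --exec "event zeek_init() { Log::disable_stream(PacketFilter::LOG); Log::disable_stream(LoadedScripts::LOG); }" local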
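Review bot: The `-C` flag on the zeek line is undocumented; it makes Zeek ignore checksums, which is usually needed for captures taken with checksum offloading enabled but also means packets a receiving host would have dropped on a bad checksum are still analyzed, so the trade-off deserves a comment such as `# -C: ignore checksums (pcaps taken with checksum offload often carry bad ones)`. The inline `--exec` body that disables `PacketFilter::LOG` and `LoadedScripts::LOG` is also worth a short comment stating why those two streams are suppressed, since a reader may otherwise assume they were dropped by accident.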
