Wiki article and example YAML/scripts for custom Zeek/Suricata/NetFlow

docs/Home.md

@@ -6,3 +6,7 @@ your effective use of Brimcap.
 ## Support Resources
 
 - [[Troubleshooting]]
+
+## User Documentation
+
+- [Custom `brimcap load` Config](Custom-brimcap-load-Config)

docs/_Sidebar.md

@@ -1,3 +1,7 @@
 **Support Resources**
 
 - [[Troubleshooting]]
+
+**User Documentation**
+
+- [Custom `brimcap load` Config](Custom-brimcap-load-Config)

examples/nfdump-wrapper.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+TMPFILE=$(mktemp)
+cat - > "$TMPFILE"
+nfpcapd -r "$TMPFILE" -l .
+rm "$TMPFILE"
+for file in nfcapd.*
+do
+  nfdump -r $file -o csv | head -n -3 | zq -i csv -f ndjson - > ${file}.ndjson
+done

examples/nfdump.yml

@@ -0,0 +1,60 @@
+analyzers:
+  - cmd: nfdump-wrapper.sh
+    # The globs being set to "*.ndjson" is a workaround for the fact that our
+    # current JSON reader won't accept much data and we can't tell
+    # brimcap load to expect CSV input, so we're postprocessing in the
+    # nfdump-wrapper.sh script with zq to turn the CSV back into NDJSON.
+    globs: ["*.ndjson"]
+    shaper: |
+      type netflow = {
+        ts: time,
+        te: time,
+        td: duration,
+        sa: ip,
+        da: ip,
+        sp: uint16,
+        dp: uint16,
+        pr: string,
+        flg: string,
+        fwd: bytes,
+        stos: bytes,
+        ipkt: uint64,
+        ibyt: uint64,
+        opkt: uint64,
+        obyt: uint64,
+        \in: uint64,
+        out: uint64,
+        sas: uint64,
+        das: uint64,
+        smk: uint8,
+        dmk: uint8,
+        dtos: bytes,
+        dir: uint8,
+        nh: ip,
+        nhb: ip,
+        svln: uint16,
+        dvln: uint16,
+        ismc: string,
+        odmc: string,
+        idmc: string,
+        osmc: string,
+        mpls1: string,
+        mpls2: string,
+        mpls3: string,
+        mpls4: string,
+        mpls5: string,
+        mpls6: string,
+        mpls7: string,
+        mpls8: string,
+        mpls9: string,
+        mpls10: string,
+        cl: float64,
+        sl: float64,
+        al: float64,
+        ra: ip,
+        eng: string,
+        exid: bytes,
+        tr: time
+      }
+      // The leading "put tr=time(tr)" is a workaround to zed/2670
+      put tr=time(tr) | put . = shape(netflow)

examples/suricata-wrapper.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+suricata -r /dev/stdin
+cat eve.json | jq -c . > deduped-eve.json

examples/zeek-suricata.yml

@@ -0,0 +1,52 @@
+analyzers:
+  - cmd: zeek-wrapper.sh
+  - cmd: suricata-wrapper.sh
+    globs: ["deduped*.json"]
+    shaper: |
+      type alert = {
+        timestamp: time,
+        event_type: bstring,
+        src_ip: ip,
+        src_port: port=(uint16),
+        dest_ip: ip,
+        dest_port: port=(uint16),
+        vlan: [uint16],
+        proto: bstring,
+        app_proto: bstring,
+        alert: {
+          severity: uint16,
+          signature: bstring,
+          category: bstring,
+          action: bstring,
+          signature_id: uint64,
+          gid: uint64,
+          rev: uint64,
+          metadata: {
+            signature_severity: [bstring],
+            former_category: [bstring],
+            attack_target: [bstring],
+            deployment: [bstring],
+            affected_product: [bstring],
+            created_at: [bstring],
+            performance_impact: [bstring],
+            updated_at: [bstring],
+            malware_family: [bstring],
+            tag: [bstring]
+          }
+        },
+        flow_id: uint64,
+        pcap_cnt: uint64,
+        tx_id: uint64,
+        icmp_code: uint64,
+        icmp_type: uint64,
+        tunnel: {
+          src_ip: ip,
+          src_port: port=(uint16),
+          dest_ip: ip,
+          dest_port: port=(uint16),
+          proto: bstring,
+          depth: uint64
+        },
+        community_id: bstring
+      }
+      filter event_type=alert | put . = shape(alert) | rename ts=timestamp

examples/zeek-wrapper.sh

@@ -0,0 +1,2 @@
+#!/bin/bash
+zeek -C -r - --exec "event zeek_init() { Log::disable_stream(PacketFilter::LOG); Log::disable_stream(LoadedScripts::LOG); }" local