The Bro Network Security Monitor
================================

[![](https://badge.imagelayers.io/vimagick/bro:latest.svg)](https://imagelayers.io/?images=vimagick/bro:latest 'Get your own badge on imagelayers.io')

`Bro` is a powerful network analysis framework that is much different from the
typical IDS you may know.

- Adaptable
- Efficient
- Flexible
- Forensics
- Commercially Supported
- In-depth Analysis
- Highly Stateful
- Open Interfaces
- Open Source
## docker-compose.yml

```
bro:
  image: vimagick/bro
  command: bro -C -i eth0
  volumes:
    - ./logs:/opt/bro/logs
  net: container:shadowsocks_shadowsocks_1
```

> We are going to monitor `shadowsocks`, which is a socks5 server. Joining its network namespace (`net: container:shadowsocks_shadowsocks_1`) lets Bro listen on the same `eth0` the proxy uses; `-C` tells Bro to ignore invalid IP/TCP checksums, which checksum offloading commonly produces in captured traffic.
## up and running

```
$ cd ~/fig/bro/
$ docker-compose up -d
$ docker exec -it bro_bro_1 bash
>>> cat dns.log | bro-cut query | sort | uniq -c | sort -nr | head -5
     10 www.youtube.com
      3 twitter.com
      2 www.google.com
      1 www.baidu.com
      1 www.facebook.com
>>> exit
```
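Below is an added example, not code from the vimagick/bro image or the Bro project: a small POSIX shell stand-in for `bro-cut` that finds the `query` column through the log's `#fields` header, run over a constructed `dns.log` excerpt, so the top-queries pipeline above can be exercised (and reused to spot unexpected lookups leaving the proxy) without a live capture. The names `bro_cut`, `top_queries` and `sample_dns_log` are assumptions made for this example.

```bash
#!/bin/sh
# Added example, not from the vimagick/bro README: a bro-cut stand-in plus the
# README's top-queries pipeline, so the dns.log analysis can be tried without
# a running Bro container. The log excerpt is constructed for illustration.

TAB="$(printf '\t')"

# bro_cut FIELD: print one named column of a Bro log read on stdin. Like
# bro-cut, the column is located through the "#fields" header line rather
# than by position, so it survives logs with a different column order.
bro_cut() {
    awk -F "$TAB" -v want="$1" '
        /^#fields/ { for (i = 2; i <= NF; i++) if ($i == want) col = i - 1; next }
        /^#/       { next }           # other header and footer lines
        col        { print $col }     # data line: emit the wanted column
    '
}

# top_queries [N]: the README pipeline (default top 5), with uniq -c output
# normalised to "count name" so results compare the same on every platform.
top_queries() {
    bro_cut query | sort | uniq -c | sort -nr | head -n "${1:-5}" | awk '{ print $1, $2 }'
}

# sample_dns_log: constructed dns.log excerpt in Bro's tab-separated format
# (header lines start with '#', "#fields" names the columns, "#close" ends it).
sample_dns_log() {
    printf '#separator \\x09\n#path\tdns\n'
    printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tquery\n'
    printf '#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\n'
    for q in www.youtube.com twitter.com www.youtube.com www.google.com twitter.com www.youtube.com; do
        printf '1435000001.000000\tCXWv6p3arKYeMETxOg\t10.0.0.2\t53214\t8.8.8.8\t53\tudp\t%s\n' "$q"
    done
    printf '#close\t2015-06-22-10-48-30\n'
}

# Same as: cat dns.log | bro-cut query | sort | uniq -c | sort -nr | head -5
sample_dns_log | top_queries 5
```

Inside the container, `sample_dns_log |` can be replaced by `cat /opt/bro/logs/current/dns.log |` to run the same functions over the live log.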

> Don't be evil!