One of the tools preloaded on Security Onion is the new 2.0 release of Bro IDS. After getting Bro set up I was looking for a way to take the awesome log files it creates and make them a little more useful for me. At the same time I wanted to work on my ruby-fu, so I decided to create some Ruby gems to parse the Bro logs.
As of today I have the first two done. With the gems you can easily parse the DNS and HTTP logs to pull out just the info you want. After the jump I will include two sample scripts I use to pull some of the info I want.
The Gems: https://github.com/nullthreat
For more info on Security Onion Visit: http://securityonion.blogspot.com/
For more info on BRO IDS: http://www.bro-ids.org/
Irongeek did a great video on SO: http://www.irongeek.com/i.php?page=videos/basic-setup-of-security-onion-snort-snorby-barnyard-pulledpork-daemonlogger
HTTP Log Reader Example:
require 'bro_ids/http/log'

# Open the current HTTP log that Bro writes on Security Onion and print one line per request.
http_log = File.open("/nsm/bro/logs/current/http.log")
BroIds::Http::Log.parse(http_log) do |parsed|
  puts "At " + parsed[:timestamp] + " host " + parsed[:id_orig_h] + " issued a " + parsed[:method] + " request to " + parsed[:host]
end
http_log.close
DNS Log Reader Example:
require 'bro_ids/dns/log'

# Open the current DNS log (same /nsm/bro/logs/current directory as http.log) and print one line per query.
dns_log = File.open("/nsm/bro/logs/current/dns.log")
BroIds::Dns::Log.parse(dns_log) do |parsed|
  puts "At " + parsed[:timestamp] + " IP " + parsed[:id_orig_h].to_s + " Requested " + parsed[:query] + " From " + parsed[:id_resp_h].to_s
end
dns_log.close
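As an added example (not code from the gems linked above), here is a standalone reader for the Bro 2.0 tab-separated log format that both scripts above rely on: it takes the column names and types from the #fields and #types header lines, so the same code can produce the DNS report without depending on the gem's API. The sample log lines, the BroLog module and dns_summaries are all constructed for this illustration.

```ruby
require 'stringio'
# Constructed sample in Bro 2.0's tab-separated log format (a subset of the
# real dns.log columns; field names follow the Bro 2.0 dns.log schema).
SAMPLE_DNS_LOG = [
  "#separator \\x09",
  "#unset_field\t-",
  "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tquery\tqtype_name\tanswers",
  "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring\tvector[string]",
  "1334005345.123456\tCHhAvVGS1DHFjwGM9\t192.0.2.10\t52345\t192.0.2.1\t53\tudp\texample.com\tA\t93.184.216.34",
  "1334005346.000001\tCuJT272SKaJSuqO3Ag\t192.0.2.11\t52346\t192.0.2.1\t53\tudp\tbad.example\tA\t-"
].join("\n") + "\n"
module BroLog
  # Yield one Hash per record (or return them all without a block). The #fields,
  # #types and #unset_field headers drive the parsing, so the same code reads any
  # Bro 2.0 log; dotted names (id.orig_h) become :id_orig_h like the gems' keys.
  def self.parse(io)
    fields, types, unset, records = nil, nil, '-', []
    io.each_line do |raw|
      line = raw.chomp
      next if line.empty?
      if line.start_with?('#')
        key, value = line[1..-1].split("\t", 2)
        case key
        when 'fields'      then fields = value.split("\t").map { |f| f.tr('.', '_').to_sym }
        when 'types'       then types  = value.split("\t")
        when 'unset_field' then unset  = value
        end
        next
      end
      raise 'record before #fields/#types header' unless fields && types
      cols = line.split("\t", -1)
      rec = fields.each_with_index.with_object({}) do |(name, i), h|
        v, t = cols[i], types[i]
        h[name] = if v == unset then nil
                  elsif t.start_with?('vector', 'set') then v.split(',')
                  elsif %w[count port int].include?(t) then v.to_i
                  else v
                  end
      end
      block_given? ? yield(rec) : records << rec
    end
    records
  end
end
def dns_summaries(text)
  BroLog.parse(StringIO.new(text)).map do |r|
    "At #{r[:ts]} IP #{r[:id_orig_h]} requested #{r[:query]} from #{r[:id_resp_h]}"
  end
end
```

Pass a real File opened on /nsm/bro/logs/current/dns.log to BroLog.parse in place of the StringIO to run it against a live log.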