Wednesday, February 1, 2012

BRO IDS Log Parsers gems

Recently I have been playing with Security Onion for some network monitoring stuff at home. If you haven't seen Security Onion before, it's kind of like BackTrack for the Blue Team. It's preloaded with tons of tools for doing network forensics and monitoring. If you have any interest in this kind of stuff I recommend checking it out!

One of the tools preloaded on Security Onion is the new 2.0 release of BRO IDS. After getting BRO set up I was looking for a way to take the awesome log files it creates and make them a little more useful for me. At the same time I wanted to work on my Ruby-fu, so I decided to create some Ruby gems to parse the BRO logs.

As of today I have the first two done. With the gems you can easily parse the DNS and HTTP logs to pull out just the info you want. After the jump I will include two sample scripts I use to pull some of the info I want.

The Gems:
For more info on Security Onion, visit:
For more info on BRO IDS:
Irongeek did a great video on SO:

HTTP Log Reader Example:

require 'bro_ids/http/log'

# The file call was lost from this line in extraction; opening the log file
# with File.open is the assumed intent.
http_log = File.open("/nsm/bro/logs/current/http.log")
BroIds::Http::Log.parse(http_log) do |parsed|
  # Interpolation avoids the TypeError that "string" + non-string raises.
  puts "At #{parsed[:timestamp]} host #{parsed[:id_orig_h]} issued a #{parsed[:method]} request to #{parsed[:host]}"
end

DNS Log Reader Example:
require 'bro_ids/dns/log'

# Same assumption as above: File.open was lost in extraction. The path is
# /nsm/bro/logs/current, matching the HTTP example.
dns_log = File.open("/nsm/bro/logs/current/dns.log")
BroIds::Dns::Log.parse(dns_log) do |parsed|
  puts "At #{parsed[:timestamp]} IP #{parsed[:id_orig_h]} requested #{parsed[:query]} from #{parsed[:id_resp_h]}"
end
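To show what a parser for these logs has to handle, here is an added, self-contained Ruby example written for this page; it is not code from the bro_ids gems or from Bro itself. It parses the Bro 2.0 ASCII log format that http.log and dns.log share: it reads the #separator, #set_separator, #empty_field, #unset_field, #fields and #types header lines, converts each column by its declared type (unset fields become nil, empty sets become []), and yields one hash per record using the same :id_orig_h style of keys the scripts above use. The two sample logs are constructed (made-up addresses, UIDs and timestamps) and cut down to a subset of Bro's real columns; http_report and nxdomain_queries are illustrative helpers, not gem API.

```ruby
# Added example for this page, not code from the bro_ids gems or from Bro.
# Parses the Bro 2.0 ASCII log format shared by http.log and dns.log.
require 'time'

# Turn Bro's escaped separator (the "\x09" in "#separator \x09") into the real character.
def unescape_bro(str)
  str.gsub(/\\x([0-9a-fA-F]{2})/) { Regexp.last_match(1).hex.chr }
end

# Convert one raw column according to the type declared on the "#types" line.
# Unset fields become nil, empty containers [], empty scalars "".
def convert_bro_value(raw, type, meta)
  return nil if raw == meta[:unset_field]
  if type.start_with?('table[', 'set[', 'vector[')
    return [] if raw == meta[:empty_field]
    return raw.split(meta[:set_separator]) # elements are left as strings
  end
  return '' if raw == meta[:empty_field]
  case type
  when 'time', 'interval', 'double' then raw.to_f
  when 'count', 'int', 'port'        then raw.to_i
  when 'bool'                        then raw == 'T'
  else raw # string, addr, enum, ...
  end
end

# Parse log text; yields a Hash per record (field names become symbols with
# '.' replaced by '_', so id.orig_h is :id_orig_h) and returns all records.
def parse_bro_log(text)
  meta = { separator: "\t", set_separator: ',', empty_field: '(empty)', unset_field: '-' }
  fields = []
  types = []
  records = []
  text.each_line do |line|
    line = line.chomp
    next if line.empty?
    if line.start_with?('#')
      if line.start_with?('#separator ')
        meta[:separator] = unescape_bro(line.split(' ', 2)[1])
        next
      end
      key, *vals = line[1..-1].split(meta[:separator])
      case key
      when 'set_separator' then meta[:set_separator] = vals[0]
      when 'empty_field'   then meta[:empty_field] = vals[0]
      when 'unset_field'   then meta[:unset_field] = vals[0]
      when 'fields'        then fields = vals.map { |f| f.tr('.', '_').to_sym }
      when 'types'         then types = vals
      end
      next # #path, #open and #close are not needed here
    end
    raise 'data line before #fields header' if fields.empty?
    cols = line.split(meta[:separator], -1)
    raise "expected #{fields.size} columns, got #{cols.size}" unless cols.size == fields.size
    record = {}
    fields.each_with_index { |name, i| record[name] = convert_bro_value(cols[i], types[i] || 'string', meta) }
    records << record
    yield record if block_given?
  end
  records
end

# Same sentence as the HTTP script above, built from a parsed record (hypothetical helper).
def http_report(rec)
  "At #{Time.at(rec[:ts]).utc.iso8601} host #{rec[:id_orig_h]} issued a #{rec[:method]} request to #{rec[:host]}"
end

# Queries the resolver answered NXDOMAIN: a cheap first look for typo-squats or DGA traffic.
def nxdomain_queries(records)
  records.select { |r| r[:rcode_name] == 'NXDOMAIN' }.map { |r| r[:query] }
end

# Constructed samples (made-up addresses, UIDs and times), cut down to a subset of Bro's columns.
HTTP_LOG = [
  '#separator \x09', # single quotes: literal backslash-x-0-9, as Bro writes it
  "#set_separator\t,",
  "#empty_field\t(empty)",
  "#unset_field\t-",
  "#path\thttp",
  "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi\tuser_agent\tstatus_code\ttags",
  "#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring\tstring\tcount\ttable[enum]",
  "1328097600.123456\tCXWv6p3arKYeMETxOg\t192.168.1.10\t49152\t93.184.216.34\t80\tGET\texample.com\t/index.html\tMozilla/5.0\t200\t(empty)",
  "1328097601.500000\tCjhGID4nQcgTWjvg4c\t192.168.1.11\t49153\t93.184.216.34\t80\tPOST\texample.com\t/login\t-\t302\t(empty)",
].join("\n")

DNS_LOG = [
  '#separator \x09',
  "#set_separator\t,",
  "#empty_field\t(empty)",
  "#unset_field\t-",
  "#path\tdns",
  "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tquery\tqtype_name\trcode_name\tanswers\tTTLs",
  "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring\tstring\tvector[string]\tvector[interval]",
  "1328097599.000000\tCGyJ1N2Yl3KdHfU4Aj\t192.168.1.10\t51234\t192.168.1.1\t53\tudp\texample.com\tA\tNOERROR\t93.184.216.34\t3600.000000",
  "1328097602.250000\tCq9FaD3Xx8Bhs7Tgb\t192.168.1.12\t51235\t192.168.1.1\t53\tudp\tdoesnotexist.invalid\tA\tNXDOMAIN\t-\t-",
].join("\n")

if __FILE__ == $PROGRAM_NAME
  parse_bro_log(HTTP_LOG) { |rec| puts http_report(rec) }
  puts "NXDOMAIN: #{nxdomain_queries(parse_bro_log(DNS_LOG)).join(', ')}"
end
```

Two details matter when doing this for real: the #separator line is the only one delimited by a space (its value is the escaped separator every later header line and data line uses), and the unset marker (-) and empty marker ((empty)) must be distinguished, or a missing User-Agent and a literal "-" become indistinguishable in your reports.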
