![Docker Image](https://img.shields.io/badge/docker image-157.3 MB-blue.svg)
This repository contains the Dockerfile for the Bro-IDS image published on Docker Hub as blacktop/bro.
Table of Contents
- Bro IDS Dockerfile
```bash
$ docker images
REPOSITORY      TAG         SIZE
blacktop/bro    latest      157.3 MB
blacktop/bro    2.5-beta    202.2 MB
blacktop/bro    2.4         157.3 MB
blacktop/bro    elastic     640 MB
blacktop/bro    2.4.1       482.8 MB
blacktop/bro    2.3.2       530.9 MB
blacktop/bro    2.2         527.7 MB
```
- Install Docker.
- Download the trusted build from the public Docker Registry:

  ```bash
  docker pull blacktop/bro
  ```
```bash
$ docker run --rm -v `pwd`/pcap:/pcap blacktop/bro -r heartbleed.pcap local "Site::local_nets += { 192.168.11.0/24 }"
$ ls -l
-rw-r--r-- 1 blactop staff 635B Jul 30 12:11 pcap/conn.log
-rw-r--r-- 1 blactop staff 754B Jul 30 12:11 pcap/files.log
-rw-r--r-- 1 blactop staff 384B Jul 30 12:11 pcap/known_certs.log
-rw-r--r-- 1 blactop staff 239B Jul 30 12:11 pcap/known_hosts.log
-rw-r--r-- 1 blactop staff 271B Jul 30 12:11 pcap/known_services.log
-rw-r--r-- 1 blactop staff 17K Jul 30 12:11 pcap/loaded_scripts.log
-rw-r--r-- 1 blactop staff 1.9K Jul 30 12:11 pcap/notice.log
-rw-r--r-- 1 blactop staff 253B Jul 30 12:11 pcap/packet_filter.log
-rw-r--r-- 1 blactop staff 1.2K Jul 30 12:11 pcap/ssl.log
-rw-r--r-- 1 blactop staff 901B Jul 30 12:11 pcap/x509.log
```
```bash
$ cat pcap/notice.log | awk '{ print $11 }' | tail -n4
Heartbleed::SSL_Heartbeat_Attack
Heartbleed::SSL_Heartbeat_Odd_Length
Heartbleed::SSL_Heartbeat_Attack_Success
```
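The `awk '{ print $11 }'` pipeline above picks the notice type by column position, which silently returns the wrong column if the log layout differs. The following added example (not part of this repository) reads the `#fields` header of a Bro TSV log and selects the `note` column by name; the notice.log content is a constructed, trimmed sample.

```python
# Added example: parse a Bro TSV log by its "#fields" header instead of by
# column position. The notice.log below is a constructed, trimmed sample.
SAMPLE_NOTICE_LOG = (
    "#separator \\x09\n"
    "#unset_field\t-\n"
    "#path\tnotice\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tnote\tmsg\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\n"
    "1398000000.000000\tCXWv6p3arKYeMETxOg\t192.168.11.10\t44000\t192.168.11.20\t443"
    "\tHeartbleed::SSL_Heartbeat_Attack\tAn TLS heartbleed attack was detected!\n"
    "1398000000.100000\tCXWv6p3arKYeMETxOg\t192.168.11.10\t44000\t192.168.11.20\t443"
    "\tHeartbleed::SSL_Heartbeat_Odd_Length\tHeartbeat message smaller than minimum required length.\n"
    "1398000000.200000\tCXWv6p3arKYeMETxOg\t192.168.11.10\t44000\t192.168.11.20\t443"
    "\tHeartbleed::SSL_Heartbeat_Attack_Success\tAn TLS heartbleed attack detected that was successful!\n"
    "#close\t2014-04-20-12-00-00\n"
)


def parse_bro_log(text):
    """Yield one dict per data line, keyed by the names from the #fields header."""
    sep, unset, fields = "\t", "-", None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):
            # The separator itself is written as an escape sequence, e.g. \x09.
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
            continue
        if line.startswith("#"):
            key, _, rest = line[1:].partition(sep)
            if key == "fields":
                fields = rest.split(sep)
            elif key == "unset_field":
                unset = rest
            continue
        if fields is None:
            raise ValueError("data line before #fields header")
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError("column count mismatch: %r" % line)
        yield {k: (None if v == unset else v) for k, v in zip(fields, values)}


def notice_types(text):
    """Return the 'note' value of every record, looked up by name, not position."""
    return [rec["note"] for rec in parse_bro_log(text)]


def heartbleed_notices(text):
    return [rec for rec in parse_bro_log(text) if rec["note"].startswith("Heartbleed::")]
```

The same parser works for any Bro log (conn.log, ssl.log, x509.log) because every one of them announces its columns in the `#fields` header.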
```bash
# Monitor a live interface (needs NET_RAW and the host network namespace):
$ docker run --rm --cap-add=NET_RAW --net=host -v `pwd`:/pcap:rw blacktop/bro -i eth0

# Analyse an existing pcap; the logs are written into the mounted directory:
$ docker run --rm -v /path/to/pcap:/pcap:rw blacktop/bro -r my.pcap local
```
Capturing packets from an interface and writing them to a file can be done like this:
```bash
$ sudo tcpdump -i en0 -s 0 -w my_capture.pcap
```
To capture packets from a VMWare Fusion VM using vmnet-sniffer you can do this:
```bash
$ sudo /Applications/VMware\ Fusion.app/Contents/Library/vmnet-sniffer -e -w my_capture.pcap vmnet8
```

Then run Bro on the capture, telling it which networks are local:

```bash
$ bro -r my_capture.pcap local "Site::local_nets += { 1.2.3.0/24, 5.6.7.0/24 }"
```
Add the following to your bash or zsh profile so that `bro` runs the container transparently:

```bash
# Arguments typed after the alias are appended by the shell, so no "$@" is
# needed inside the alias; `pwd` is evaluated when the alias is used.
alias bro='docker run --rm -v `pwd`:/pcap:rw blacktop/bro'
```
Find a bug? Want more features? Find something missing in the documentation? Let me know! Please don't hesitate to file an issue and I'll get right on it.
NOTE: I am now using the precompiled bro package to decrease the Docker image size. If that caused a loss of functionality you depend on, please let me know.
- Install/Run Bro-IDS
- Fix Geolocation feature
- Refine my extract-all.bro script
- Start Daemon and watch folder with supervisord
- Have container take a URL as input and download/scan pcap
- Add ELK Stack
See CHANGELOG.md
See all contributors on GitHub.
Please update the CHANGELOG.md and submit a Pull Request on GitHub.
MIT Copyright (c) 2015-2016 blacktop