Wiki article and example YAML/scripts for custom Zeek/Suricata/NetFlow (#72)

philrz · web-flow · commit b071368e22ea · 2021-06-08T17:00:03.000-07:00
diff --git a/cli/analyzecli/suricata.zed b/cli/analyzecli/suricata.zed
@@ -1,10 +1,11 @@
+type port=uint16;
 type alert = {
 	timestamp: time,
 	event_type: bstring,
 	src_ip: ip,
-	src_port: port=(uint16),
+	src_port: port,
 	dest_ip: ip,
-	dest_port: port=(uint16),
+	dest_port: port,
 	vlan: [uint16],
 	proto: bstring,
 	app_proto: bstring,
@@ -36,9 +37,9 @@ type alert = {
 	icmp_type: uint64,
 	tunnel: {
 		src_ip: ip,
-		src_port: port=(uint16),
+		src_port: port,
 		dest_ip: ip,
-		dest_port: port=(uint16),
+		dest_port: port,
 		proto: bstring,
 		depth: uint64
 	},
diff --git a/docs/Custom-Brimcap-Config.md b/docs/Custom-Brimcap-Config.md
diff --git a/docs/Home.md b/docs/Home.md
@@ -6,3 +6,7 @@ your effective use of Brimcap.
 ## Support Resources
 
 - [[Troubleshooting]]
+
+## User Documentation
+
+- [[Custom Brimcap Config]]
diff --git a/docs/_Sidebar.md b/docs/_Sidebar.md
@@ -1,3 +1,7 @@
 **Support Resources**
   
 - [[Troubleshooting]]
+
+**User Documentation**
+
+- [[Custom Brimcap Config]]
diff --git a/docs/media/Brim-Pref-YAML-Config-File.png b/docs/media/Brim-Pref-YAML-Config-File.png
diff --git a/docs/media/Custom-Zeek-Suricata-Pool.png b/docs/media/Custom-Zeek-Suricata-Pool.png
diff --git a/docs/media/NetFlow-Pool.png b/docs/media/NetFlow-Pool.png
diff --git a/examples/nfdump-wrapper.sh b/examples/nfdump-wrapper.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+export LD_LIBRARY_PATH="/usr/local/lib"
+TMPFILE=$(mktemp)
+cat - > "$TMPFILE"
+/usr/local/bin/nfpcapd -r "$TMPFILE" -l .
+rm "$TMPFILE"
+for file in nfcapd.*
+do
+  /usr/local/bin/nfdump -r $file -o csv | head -n -3 | /opt/Brim/resources/app.asar.unpacked/zdeps/zq -i csv - > ${file}.zng
+done
diff --git a/examples/nfdump.yml b/examples/nfdump.yml
@@ -0,0 +1,55 @@
+analyzers:
+  - cmd: /usr/local/bin/nfdump-wrapper.sh
+    globs: ["*.zng"]
+    shaper: |
+      type netflow = {
+        ts: time,
+        te: time,
+        td: duration,
+        sa: ip,
+        da: ip,
+        sp: uint16,
+        dp: uint16,
+        pr: string,
+        flg: string,
+        fwd: bytes,
+        stos: bytes,
+        ipkt: uint64,
+        ibyt: uint64,
+        opkt: uint64,
+        obyt: uint64,
+        \in: uint64,
+        out: uint64,
+        sas: uint64,
+        das: uint64,
+        smk: uint8,
+        dmk: uint8,
+        dtos: bytes,
+        dir: uint8,
+        nh: ip,
+        nhb: ip,
+        svln: uint16,
+        dvln: uint16,
+        ismc: string,
+        odmc: string,
+        idmc: string,
+        osmc: string,
+        mpls1: string,
+        mpls2: string,
+        mpls3: string,
+        mpls4: string,
+        mpls5: string,
+        mpls6: string,
+        mpls7: string,
+        mpls8: string,
+        mpls9: string,
+        mpls10: string,
+        cl: float64,
+        sl: float64,
+        al: float64,
+        ra: ip,
+        eng: string,
+        exid: bytes,
+        tr: time
+      }
+      put this := shape(netflow)
diff --git a/examples/suricata-wrapper.sh b/examples/suricata-wrapper.sh
@@ -0,0 +1,2 @@
+#!/bin/bash -e
+exec /usr/bin/suricata -r /dev/stdin
diff --git a/examples/zeek-suricata.yml b/examples/zeek-suricata.yml
@@ -0,0 +1,53 @@
+analyzers:
+  - cmd: /usr/local/bin/zeek-wrapper.sh
+  - cmd: /usr/local/bin/suricata-wrapper.sh
+    globs: ["eve.json"]
+    shaper: |
+      type port=uint16;
+      type alert = {
+        timestamp: time,
+        event_type: bstring,
+        src_ip: ip,
+        src_port: port,
+        dest_ip: ip,
+        dest_port: port,
+        vlan: [uint16],
+        proto: bstring,
+        app_proto: bstring,
+        alert: {
+          severity: uint16,
+          signature: bstring,
+          category: bstring,
+          action: bstring,
+          signature_id: uint64,
+          gid: uint64,
+          rev: uint64,
+          metadata: {
+            signature_severity: [bstring],
+            former_category: [bstring],
+            attack_target: [bstring],
+            deployment: [bstring],
+            affected_product: [bstring],
+            created_at: [bstring],
+            performance_impact: [bstring],
+            updated_at: [bstring],
+            malware_family: [bstring],
+            tag: [bstring]
+          }
+        },
+        flow_id: uint64,
+        pcap_cnt: uint64,
+        tx_id: uint64,
+        icmp_code: uint64,
+        icmp_type: uint64,
+        tunnel: {
+          src_ip: ip,
+          src_port: port,
+          dest_ip: ip,
+          dest_port: port,
+          proto: bstring,
+          depth: uint64
+        },
+        community_id: bstring
+      }
+      filter event_type=="alert" | put this := shape(alert) | rename ts := timestamp
diff --git a/examples/zeek-wrapper.sh b/examples/zeek-wrapper.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+exec /opt/zeek/bin/zeek -C -r - --exec "event zeek_init() { Log::disable_stream(PacketFilter::LOG); Log::disable_stream(LoadedScripts::LOG); }" local

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+#!/bin/bash -e`
	`2`	`+exec /usr/bin/suricata -r /dev/stdin`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+#!/bin/bash`
	`2`	`+exec /opt/zeek/bin/zeek -C -r - --exec "event zeek_init() { Log::disable_stream(PacketFilter::LOG); Log::disable_stream(LoadedScripts::LOG); }" local`