Zeek (Bro) Installed on Security Onion
Bro/Zeek is an open-source network analysis product that is also installed as part of Security Onion.
What is Discovered and Monitored
Protocol | Information Discovered | Metrics collected | Used for |
Syslog | | | Event Collection |
Event Types
- Bro-dhcp /Regular Traffic/Permit - Traffic: a DHCP conversation
- Bro-dns /Regular Traffic/Permit - Traffic: DNS activity log
- Bro-conn /Regular Traffic/Permit - Traffic: TCP/UDP/ICMP connections
- Bro-app_stats /Info: statistics about APP
- Bro-radius /Info: RADIUS analysis activity
- Bro-known_devices /Info: Bro known devices
Rules
Generic Rules matching categories.
Reports
Generic Reports matching categories.
Configuration
Complete the following task on Security Onion, as it is crucial to get the headers working in the parser:
Add the following to the /etc/syslog-ng/syslog-ng.conf file, replacing <IP> with the IP address of the FortiSIEM Super/Worker/Collector that will receive the syslog. The s_bro_dns and s_bro_dhcp sources and the f_bro_headers filter are assumed to already be defined elsewhere in that file. The filter and the destination must sit in the same log path; if the filter is placed in a separate nested log block, it has no effect and unfiltered messages reach the destination:
# Forward Zeek (Bro) DNS and DHCP logs that pass the header filter to FortiSIEM over TCP/514
destination d_fortisiem { tcp("<IP>" port(514)); };
log {
    source(s_bro_dns);
    source(s_bro_dhcp);
    filter(f_bro_headers);
    destination(d_fortisiem);
};
Sample Events
<13>Mar 25 11:02:24 sec-sensor-ps bro_dns: {"ts":"2019-03-25T11:02:22.485187Z","uid":"CEBf4c2FoLEBtbPLn6","id.orig_h":"10.8.20.21","id.orig_p":50837,"id.resp_h":"10.8.1.203","id.resp_p":53,"proto":"udp","trans_id":25959,"rtt":0.000357,"query":"tsomething.my.somewhere.com","qclass":1,"qclass_name":"C_INTERNET","qtype":1,"qtype_name":"A","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":true,"RA":true,"Z":0,"answers":["um1.my. somewhere.com","um1-lo3.my. somewhere.com","um1-lo3.lo3.r.my. somewhere.com","55.66.8.24","55.66.8.152","55.66.9.24"],"TTLs":[136.0,5.0,146.0,5.0,5.0,5.0],"rejected":false}
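The following is an added example, not FortiSIEM's or Security Onion's code: it parses a Zeek log line in the syslog-wrapped form shown above (priority, BSD timestamp, host, a bro_<log> program tag, then Zeek's JSON record) and maps the program tag to the event types listed on this page, so that the header format the forwarding configuration depends on can be checked before events are sent. The regular expression, the EVENT_TYPES mapping and the "Bro-unknown" fallback are assumptions made for this example; the sample line is trimmed from the sample event above.

```python
import json
import re

# Added example, not FortiSIEM or Security Onion code: parse one Zeek log line
# as it arrives over syslog, i.e. "<PRI>Mon DD HH:MM:SS host bro_<log>: {json}".
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<program>bro_[a-z_]+): "
    r"(?P<payload>\{.*\})$"
)

# Syslog program tag -> event type named on this page (mapping is an assumption).
EVENT_TYPES = {
    "bro_dhcp": "Bro-dhcp",
    "bro_dns": "Bro-dns",
    "bro_conn": "Bro-conn",
    "bro_app_stats": "Bro-app_stats",
    "bro_radius": "Bro-radius",
    "bro_known_devices": "Bro-known_devices",
}


def parse_zeek_syslog(line: str) -> dict:
    """Return the syslog header fields, the event type and the decoded Zeek record."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("line does not carry the expected Zeek-over-syslog header")
    pri = int(m["pri"])
    record = json.loads(m["payload"])  # raises ValueError if the JSON is malformed
    return {
        "facility": pri >> 3,  # <13> = facility 1 (user), severity 5 (notice)
        "severity": pri & 7,
        "timestamp": m["ts"],
        "host": m["host"],
        "program": m["program"],
        "event_type": EVENT_TYPES.get(m["program"], "Bro-unknown"),
        "record": record,
    }


# Sample line trimmed from the sample event on this page.
SAMPLE = ('<13>Mar 25 11:02:24 sec-sensor-ps bro_dns: {"ts":"2019-03-25T11:02:22.485187Z",'
          '"uid":"CEBf4c2FoLEBtbPLn6","id.orig_h":"10.8.20.21","id.orig_p":50837,'
          '"id.resp_h":"10.8.1.203","id.resp_p":53,"proto":"udp","query":"tsomething.my.somewhere.com",'
          '"qtype_name":"A","rcode_name":"NOERROR","answers":["55.66.8.24"],"rejected":false}')

if __name__ == "__main__":
    ev = parse_zeek_syslog(SAMPLE)
    print(ev["event_type"], ev["record"]["id.orig_h"], "->", ev["record"]["query"])
```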