Fortinet white logo
Fortinet white logo

External Systems Configuration Guide

Zeek (Bro) Installed on Security Onion

Zeek (Bro) Installed on Security Onion

Bro/Zeek is an OpenSource network analysis product that is also installed as part of Security Onion.

What is Discovered and Monitored

Protocol Information Discovered Metrics collected Used for
Syslog Event Collection

Event Types

  • Bro-dhcp /Regular Traffic/Permit - Traffic A DHCP conversation
  • Bro-dns /Regular Traffic/Permit - Traffic DNS activity log
  • Bro-conn /Regular Traffic/Permit - Traffic TCP/UDP/ICMP connections
  • Bro-app_stats /Info - Statistics about APP
  • Bro-radius /Info - RADIUS analysis activity
  • Bro-known_devices /Info - Bro known devices

Rules

Generic Rules matching categories.

Reports

Generic Reports matching categories.

Configuration

Complete the following task on Onion Security, as this is crucial to get the headers working in the parser:

Add the following code in the /etc/syslog-ng/syslog-ng.conf file, but change <IP> to the IP of the FortiSIEM Super/Worker/Collector which will receive the syslog:

destination d_fortisiem { tcp("<IP>" port(514));};

log {

source(s_bro_dns);

source(s_bro_dhcp);

log { filter(f_bro_headers); };

log { destination(d_fortisiem);};

};

Sample Events

<13>Mar 25 11:02:24 sec-sensor-ps bro_dns: {"ts":"2019-03-25T11:02:22.485187Z","uid":"CEBf4c2FoLEBtbPLn6","id.orig_h":"10.8.20.21","id.orig_p":50837,"id.resp_h":"10.8.1.203","id.resp_p":53,"proto":"udp","trans_id":25959,"rtt":0.000357,"query":"tsomething.my.somewhere.com","qclass":1,"qclass_name":"C_INTERNET","qtype":1,"qtype_name":"A","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":true,"RA":true,"Z":0,"answers":["um1.my. somewhere.com","um1-lo3.my. somewhere.com","um1-lo3.lo3.r.my. somewhere.com","55.66.8.24","55.66.8.152","55.66.9.24"],"TTLs":[136.0,5.0,146.0,5.0,5.0,5.0],"rejected":false}

Zeek (Bro) Installed on Security Onion

Zeek (Bro) Installed on Security Onion

Bro/Zeek is an OpenSource network analysis product that is also installed as part of Security Onion.

What is Discovered and Monitored

Protocol Information Discovered Metrics collected Used for
Syslog Event Collection

Event Types

  • Bro-dhcp /Regular Traffic/Permit - Traffic A DHCP conversation
  • Bro-dns /Regular Traffic/Permit - Traffic DNS activity log
  • Bro-conn /Regular Traffic/Permit - Traffic TCP/UDP/ICMP connections
  • Bro-app_stats /Info - Statistics about APP
  • Bro-radius /Info - RADIUS analysis activity
  • Bro-known_devices /Info - Bro known devices

Rules

Generic Rules matching categories.

Reports

Generic Reports matching categories.

Configuration

Complete the following task on Onion Security, as this is crucial to get the headers working in the parser:

Add the following code in the /etc/syslog-ng/syslog-ng.conf file, but change <IP> to the IP of the FortiSIEM Super/Worker/Collector which will receive the syslog:

destination d_fortisiem { tcp("<IP>" port(514));};

log {

source(s_bro_dns);

source(s_bro_dhcp);

log { filter(f_bro_headers); };

log { destination(d_fortisiem);};

};

Sample Events

<13>Mar 25 11:02:24 sec-sensor-ps bro_dns: {"ts":"2019-03-25T11:02:22.485187Z","uid":"CEBf4c2FoLEBtbPLn6","id.orig_h":"10.8.20.21","id.orig_p":50837,"id.resp_h":"10.8.1.203","id.resp_p":53,"proto":"udp","trans_id":25959,"rtt":0.000357,"query":"tsomething.my.somewhere.com","qclass":1,"qclass_name":"C_INTERNET","qtype":1,"qtype_name":"A","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":true,"RA":true,"Z":0,"answers":["um1.my. somewhere.com","um1-lo3.my. somewhere.com","um1-lo3.lo3.r.my. somewhere.com","55.66.8.24","55.66.8.152","55.66.9.24"],"TTLs":[136.0,5.0,146.0,5.0,5.0,5.0],"rejected":false}