
Bro IDS parsing from Security Onion


Hello,

I have a SecurityOnion setup in my network and it primarily runs on Bro IDS.

ArcSight has a specific connector for Bro IDS, but it is a local one, and Security Onion uses Ubuntu 12.04, where I'm not able to install the connector because of Java errors.

[attached screenshot: ubuntu_connector.PNG]

So my question is: why does the ArcSight Syslog-NG connector not understand Bro IDS logs, and how do I make it work?

The system is 64-bit by default, and the 64-bit Linux connector does not have a Bro IDS module.

So what are my options? Mount the folder to a remote server for parsing? Or is there something better?


Accepted Solutions
seniorj@bennett

Re: Bro IDS parsing from Security Onion


apt-get install ia32-libs or program:i386

Your strace will probably show that the java binary is not a valid ELF executable - kernel doesn't know what to do with it.

sivector1

Re: Bro IDS parsing from Security Onion


Yeah. You're going to run into issues with the 64-bit connector only supporting a limited number of connectors. Your best bet is to drop a 32-bit connector, which should be compatible with 64-bit platforms.

In regards to the Syslog-NG connector, that does not surprise me. I ran into the same issue with Apache logs that were being delivered via syslog, and it would not work natively out of the box. I am thinking that that connector is accustomed to seeing syslog data from the true source and not an intermediary / relay.

As for Bro, are you intending to collect the data from the sensors themselves or from a manager? Also, what data within the /nsm/ directory are you attempting to parse?

seniorj@bennett

Re: Bro IDS parsing from Security Onion


The root cause for your issue may just be missing 32-bit compatibility libraries and possibly a missing 'unzip' binary.

Run the arcsight installer through strace -e open,access to diagnose further. You will probably see something there.


Re: Bro IDS parsing from Security Onion


Thank you,

This helped and everything works now.


Re: Bro IDS parsing from Security Onion


But I now noticed another thing. Bro IDS moves logs every hour to a different folder and archives them. The new files are named the same as the ones before, and now ArcSight does not read the new files because it stores the position it last read from that file.

Currently I tried setting:

agents[0].followexternalrotation=true

wsladek1

Re: Bro IDS parsing from Security Onion


The rotation issue is common. Apparently a FlexConnector will recognize rotation just fine (but you'd obviously have to write the parser), although personally I just restart the Bro connector process.

Here's a post discussing the issue more in depth.

mschleich

Re: Bro IDS parsing from Security Onion


Dear Gediminas Margis,

I confirm that JP Senior's answer is correct. When you install a 32-bit SmartConnector on a 64-bit system, you need to verify that the 32-bit libraries are installed.

Regarding the SmartConnector User Guide (PDF), you have to do that all the time:

I had exactly the same error message when trying to install the JSON connector on a 64-bit Debian system.

I succeeded in installing it after installing the missing library libc6-i386.

Maybe other libraries are necessary for your connector.

Thanks

Best Regards

Michael

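An added example, not code from this thread or from ArcSight, that illustrates both the accepted answer (strace showing the kernel refusing the java binary) and the libc6-i386 note above: a dynamically linked 32-bit executable stores the path of its loader (normally /lib/ld-linux.so.2, which on 64-bit Ubuntu/Debian comes from the 32-bit compatibility packages named in this thread) in a PT_INTERP segment, and when that loader file is absent the kernel will not execute the binary even though the binary itself exists. The code reads that loader path straight out of the ELF headers so the missing piece can be confirmed; it assumes little-endian x86 layout, and build_sample_elf32 produces a constructed image for demonstration only.

```python
import os
import struct

PT_INTERP = 3  # program header type whose payload is the dynamic loader's path

def elf_interpreter(data):
    """Return (elf_class, interp_path) for a little-endian ELF image held in memory;
    interp_path is None when there is no PT_INTERP segment (static binary)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] == 1:    # ELFCLASS32: e_phoff at 28, e_phentsize/e_phnum at 42
        elf_class, phoff_fmt, phoff_at, ph_at = 32, "<I", 28, 42
        off_fmt, off_pos, sz_pos = "<I", 4, 16    # Elf32_Phdr: p_offset, p_filesz
    elif data[4] == 2:  # ELFCLASS64: e_phoff at 32, e_phentsize/e_phnum at 54
        elf_class, phoff_fmt, phoff_at, ph_at = 64, "<Q", 32, 54
        off_fmt, off_pos, sz_pos = "<Q", 8, 32    # Elf64_Phdr: p_offset, p_filesz
    else:
        raise ValueError("unknown ELF class")
    e_phoff, = struct.unpack_from(phoff_fmt, data, phoff_at)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, ph_at)
    for i in range(e_phnum):
        ph = e_phoff + i * e_phentsize
        if struct.unpack_from("<I", data, ph)[0] == PT_INTERP:
            p_offset, = struct.unpack_from(off_fmt, data, ph + off_pos)
            p_filesz, = struct.unpack_from(off_fmt, data, ph + sz_pos)
            return elf_class, data[p_offset:p_offset + p_filesz].rstrip(b"\0").decode()
    return elf_class, None

def check_binary(path):
    """Diagnose 'cannot execute' on a file that exists: report the binary's class, the
    loader it asks for, and whether that loader is present on this system."""
    with open(path, "rb") as fh:
        elf_class, interp = elf_interpreter(fh.read())
    return elf_class, interp, interp is None or os.path.exists(interp)

def build_sample_elf32(interp):
    """Constructed minimal 32-bit ELF image (header + one PT_INTERP segment) for the
    demonstration; it is not an ArcSight or Java binary."""
    path = interp + b"\0"
    ehdr = bytearray(52)
    ehdr[0:7] = b"\x7fELF\x01\x01\x01"             # magic, ELFCLASS32, LSB, EV_CURRENT
    struct.pack_into("<HHI", ehdr, 16, 2, 3, 1)    # ET_EXEC, EM_386, e_version
    struct.pack_into("<I", ehdr, 28, 52)           # e_phoff: table follows the header
    struct.pack_into("<HHH", ehdr, 40, 52, 32, 1)  # e_ehsize, e_phentsize, e_phnum
    phdr = struct.pack("<8I", PT_INTERP, 84, 0, 0, len(path), len(path), 4, 1)
    return bytes(ehdr) + phdr + path               # interp string lands at offset 84
```

Running check_binary against the connector's bundled java binary tells you which loader path to look for; if it is reported absent, the 32-bit compatibility package is the fix.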
sivector1

Re: Bro IDS parsing from Security Onion


Ward - Larry,

Hey. For Bro, if you have not figured it out yet, use the BRO NG connector.

agents[0].logfilehome=/nsm/bro/logs/current

agents[0].wildcard=*.log

agents[0].rotationscheme=Daily

It still throws some exceptions based on the built-in file naming structure that it's looking for, i.e.

FATAL EXCEPTION:

Did not find log files of type [tunnel]

but it does seem to recognize other file objects based on the wildcard:

[Wed Oct 14 16:06:04 UTC 2015] [INFO ] Created all streams/readers for the file[/nsm/bro/logs/current/ssh.log] successfully.

[Wed Oct 14 16:06:04 UTC 2015] [INFO ] Seeked to byte offset[1476] in the file[/nsm/bro/logs/current/ssh.log] successfully.

It also seems to be reading old archived logs. Still testing...

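The rotation problem discussed from the "Bro IDS moves logs every hour" reply onwards, as an added example that is not code from the thread or from ArcSight: Bro renames the hour's file away and creates a new file under the same name, so a reader that remembers only a byte offset keeps waiting at the old position. The follower below keys its position on (inode, offset) and restarts when the path suddenly names a fresh file, and parse_bro_lines turns the #fields header into dict keys; the ssh.log content and the /nsm-style file names are constructed.

```python
import os
import tempfile

class RotatingLogFollower:
    """Follow one log path across move-aside-and-recreate rotation (Bro's hourly archive
    step). Position is (inode, offset); a new inode or a shrunken file means restart at 0."""

    def __init__(self, path):
        self.path, self.inode, self.offset = path, None, 0

    def read_new_lines(self):
        st = os.stat(self.path)
        if st.st_ino != self.inode or st.st_size < self.offset:
            self.inode, self.offset = st.st_ino, 0  # path now names a fresh file
        with open(self.path, "rb") as fh:
            fh.seek(self.offset)
            data = fh.read()
        end = data.rfind(b"\n") + 1  # hand back complete lines only; keep a partial tail
        self.offset += end
        return data[:end].decode("utf-8", "replace").splitlines()

def parse_bro_lines(lines, fields=None):
    """Map Bro ASCII log lines to dicts named by the '#fields' header (pass the last known
    header as `fields` when resuming mid-file); other '#' metadata lines are skipped."""
    records = []
    for line in lines:
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif fields and line and not line.startswith("#"):
            records.append(dict(zip(fields, line.split("\t"))))
    return records, fields

# Constructed sample content in Bro's ASCII log format (not real sensor output).
HEADER = "#separator \\x09\n#fields\tts\tid.orig_h\tid.resp_h\tstatus\n"
HOUR1 = HEADER + "1444838764.1\t10.0.0.5\t10.0.0.9\tsuccess\n"
HOUR2 = HEADER + "1444842364.7\t10.0.0.6\t10.0.0.9\tfailure\n#close\t2015-10-14-17-00-00\n"

def demo():
    """Write ssh.log, read it, rotate it as Bro does (rename away, recreate same name), read again."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "ssh.log")
    follower, seen = RotatingLogFollower(path), []
    with open(path, "w") as fh:
        fh.write(HOUR1)
    seen.append(parse_bro_lines(follower.read_new_lines())[0])
    os.replace(path, os.path.join(d, "ssh.2015-10-14-16-00-00.log"))  # Bro's archive step
    with open(path, "w") as fh:
        fh.write(HOUR2)
    seen.append(parse_bro_lines(follower.read_new_lines())[0])
    return seen
```

Without the inode check the second pass would seek past the end of the new, shorter file and return nothing, which is exactly the symptom reported in the thread.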