This repository was archived by the owner on Aug 20, 2025. It is now read-only.

Conversation

@nickwallen
Contributor

There are two versions of the Bro Kafka Plugin. I authored both of these and contributed one to Metron and the other to Bro itself. The original goal of doing this was to eventually deprecate the version maintained in Metron, so that the wider community of Bro could use and support the plugin.

Since this time, Bro has created a plugin management mechanism and is no longer wanting to host plugins. They are asking individual maintainers to create their own Github repositories to maintain these plugins. This will require us to continue to support the Bro Kafka Plugin in Metron.

I had contributed additional enhancements to the version in bro/bro-plugins, which I would like to contribute back to Metron proper, since that is now the version that will live on. The enhancements address a potential thread-safety issue and also allow data from Bro to be directed to separate Kafka topics.

This will enable some follow-on work to package the plugin using Bro's package mechanism.

Validation

The following steps can be used to validate the PR.

  1. Create a working directory.

    mkdir metron-temp
    cd metron-temp
    
  2. Launch a CentOS host.

    vagrant init bento/centos-6.7
    vagrant up
    vagrant ssh
    
  3. Install some dependencies.

    sudo su -
    yum -y install epel-release
    yum -y install "@Development tools" java-1.8.0-openjdk cmake libpcap-devel openssl-devel python-devel
    
  4. Create a new Yum repository by creating the file /etc/yum.repos.d/HDP.repo with the following content. This will allow us to install Kafka.

    [HDP-2.5]
    name=HDP-2.5
    baseurl=http://public-repo-1.hortonworks.com/HDP/centos7/2.x/updates/2.5.3.0
    path=/
    enabled=1
    gpgcheck=0
    
  5. Install and start Kafka.

    yum -y install kafka
    export PATH=$PATH:/usr/hdp/current/kafka-broker/bin
    zookeeper-server start
    kafka start
    
  6. Install Librdkafka.

    wget https://github.com/edenhill/librdkafka/archive/v0.9.4.tar.gz  -O - | tar -xz
    cd librdkafka-0.9.4/
    ./configure --prefix=/usr
    make
    make install
    
  7. Add Librdkafka to our default load path.

    echo "/usr/lib" >> /etc/ld.so.conf.d/bro-plugin.conf
    ldconfig -v
    
  8. Build and install Bro.

    yum -y install cmake libpcap-devel openssl-devel python-devel
    wget https://www.bro.org/downloads/release/bro-2.4.1.tar.gz  -O - | tar -xz
    cd bro-2.4.1
    ./configure --prefix=/usr
    make
    make install
    
  9. Fetch the code from this PR.

    cd ~
    git clone https://github.com/apache/incubator-metron
    cd incubator-metron
    git pull origin pull/XXX/head
    
  10. Install the Bro Plugin.

    cd ~/incubator-metron/metron-sensors/bro-plugin-kafka
    ./configure --bro-dist=/root/bro-2.4.1 --install-root=/usr/lib/bro/plugins/ --with-librdkafka=/usr
    make
    make install
    
  11. Add the following to /usr/share/bro/site/local.bro.

    @load Bro/Kafka/logs-to-kafka.bro
    redef Kafka::logs_to_send = set(HTTP::LOG, DNS::LOG);
    redef Kafka::topic_name = "bro";
    redef Kafka::tag_json = T;
    redef Kafka::kafka_conf = table( ["metadata.broker.list"] = "localhost:9092" );
    
  12. Create a virtual interface called tap0 to listen on.

    yum install -y tunctl
    tunctl -p
    ifconfig tap0 10.0.0.1 up
    ip link set tap0 promisc on
    
  13. Configure Bro to listen on the virtual interface.

    sed -i 's/eth0/tap0/g' /usr/etc/node.cfg
    
  14. Create a Kafka topic called bro.

    kafka-topics.sh --zookeeper localhost:2181 --create --topic bro --partitions 1 --replication-factor 1
    
  15. Make sure the Bro changes are installed and start Bro.

    broctl deploy
    
  16. Grab an example pcap file and replay some packet data through tap0. Keep this running in a separate session.

    wget https://github.com/apache/incubator-metron/raw/master/metron-deployment/roles/sensor-test-mode/files/example.pcap
    yum -y install tcpreplay
    tcpreplay -i tap0 --loop=0 --stats=5 example.pcap
    
  17. Ensure that data is hitting the bro topic in Kafka.

    [root@localhost ~]# kafka-console-consumer.sh --zookeeper localhost:2181 --topic bro --from-beginning
    OpenJDK 64-Bit Server VM warning: If the number of processors is expected to increase from one, then you should configure the number of parallel GC threads appropriately using -XX:ParallelGCThreads=N
    {metadata.broker.list=localhost:9092, request.timeout.ms=30000, client.id=console-consumer-64669, security.protocol=PLAINTEXT}
    {"dns": {"ts":1493057575.978069,"uid":"CVttjf9fz4081JAwd","id.orig_h":"10.0.2.15","id.orig_p":36214,"id.resp_h":"10.0.2.3","id.resp_p":53,"proto":"udp","trans_id":19156,"query":"github.com","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":true,"Z":0,"answers":["192.30.253.113","192.30.253.112"],"TTLs":[41.0,41.0],"rejected":false}}
    {"dns": {"ts":1493057576.083925,"uid":"CRcPNQ18zLEP8lJ7Hb","id.orig_h":"10.0.2.15","id.orig_p":51495,"id.resp_h":"10.0.2.3","id.resp_p":53,"proto":"udp","trans_id":63624,"rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":false,"Z":0,"rejected":false}}
    {"dns": {"ts":1493057576.567493,"uid":"CR0XXs39ZZ4QSthcU6","id.orig_h":"10.0.2.15","id.orig_p":50301,"id.resp_h":"10.0.2.3","id.resp_p":53,"proto":"udp","trans_id":29346,"query":"github.com","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":true,"Z":0,"answers":["192.30.253.113","192.30.253.112"],"TTLs":[48.0,48.0],"rejected":false}}
    {"dns": {"ts":1493057576.613803,"uid":"C7bZL53vkLeoXclrO4","id.orig_h":"10.0.2.15","id.orig_p":40789,"id.resp_h":"10.0.2.3","id.resp_p":53,"proto":"udp","trans_id":28614,"rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":false,"Z":0,"rejected":false}}
    

Pull Request Checklist

  • Is there a JIRA ticket associated with this PR? If not, one needs to be created at Metron Jira.
  • Does your PR title start with METRON-XXXX where XXXX is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character.
  • Has your PR been rebased against the latest commit within the target branch (typically master)?
  • Have you included steps to reproduce the behavior or problem that is being changed or addressed?
  • Have you included steps or a guide to how the change may be verified and tested manually?
  • Have you ensured that the full suite of tests and checks have been executed in the root incubating-metron folder via:
  • If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under ASF 2.0?
  • Have you verified the basic functionality of the build by building and running locally with Vagrant full-dev environment or the equivalent?
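As an added check for step 17 (example code written here, not part of the PR or of the plugin itself): with `Kafka::tag_json = T` each record on the `bro` topic is one JSON object whose single key is the Bro log stream name, so a consumer can validate each line and dispatch by log type. The sample lines are constructed in the shape of the console-consumer output above, including the JVM warning and an untagged record that must be skipped.

```python
import json
from collections import defaultdict

# Constructed sample input in the shape produced by `redef Kafka::tag_json = T;`.
# Line 3 is the JVM warning the console consumer prints; line 4 lacks the log-name tag.
SAMPLE_LINES = [
    '{"dns": {"ts":1493057575.978069,"uid":"CVttjf9fz4081JAwd","id.orig_h":"10.0.2.15",'
    '"id.orig_p":36214,"id.resp_h":"10.0.2.3","id.resp_p":53,"proto":"udp","trans_id":19156,'
    '"query":"github.com","rcode":0,"rcode_name":"NOERROR","rejected":false}}',
    '{"http": {"ts":1493057577.1,"uid":"Cabc123","id.orig_h":"10.0.2.15","id.orig_p":40000,'
    '"id.resp_h":"192.30.253.113","id.resp_p":80,"method":"GET","host":"github.com","uri":"/"}}',
    'OpenJDK 64-Bit Server VM warning: not a record',
    '{"ts":1493057578.0,"uid":"Cnotag"}',
]

# Fields every Bro connection-derived log record carries; used to reject malformed lines.
REQUIRED = ("ts", "uid", "id.orig_h", "id.resp_h")


def parse_tagged_record(line):
    """Return (log_type, record) for one tag_json line, or None if it is not one."""
    try:
        obj = json.loads(line)
    except ValueError:
        return None
    # A tagged record is exactly one key (the log name) mapping to the log's fields.
    if not isinstance(obj, dict) or len(obj) != 1:
        return None
    (log_type, record), = obj.items()
    if not isinstance(record, dict) or any(k not in record for k in REQUIRED):
        return None
    return log_type, record


def bucket_by_log(lines):
    """Group valid records by Bro log stream (the per-topic routing the PR enables),
    returning (buckets, number_of_skipped_lines)."""
    buckets = defaultdict(list)
    skipped = 0
    for line in lines:
        parsed = parse_tagged_record(line)
        if parsed is None:
            skipped += 1
            continue
        log_type, record = parsed
        buckets[log_type].append(record)
    return dict(buckets), skipped


if __name__ == "__main__":
    buckets, skipped = bucket_by_log(SAMPLE_LINES)
    for log_type, records in buckets.items():
        print(f"{log_type}: {len(records)} record(s)")
    print(f"skipped {skipped} non-record line(s)")
```

To run it against a live topic, pipe `kafka-console-consumer.sh` output into `bucket_by_log` line by line instead of `SAMPLE_LINES`.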

@JonZeolla
Member

+1 via inspection and testing steps provided above

@asfgit asfgit closed this in 19e0e71 Apr 25, 2017
@nickwallen nickwallen deleted the METRON-883 branch June 5, 2017 19:04
JonZeolla pushed a commit to JonZeolla/jzeolla-metron-bro-plugin-kafka that referenced this pull request Sep 18, 2017