METRON-508 Expand Elasticsearch templates to support the standard bro logs

[JonZeolla]

Contributor Comments

This PR makes it easier for someone with an existing bro install to send some of their log files into Metron, based off of a combination of the bro documentation and a fresh install of bro 2.4. There are future plans to expand on this via METRON-518 and METRON-908. Specifically, this attempts to provide initial support the default-on fields of the following logs:

• Conn
• DPD
• FTP
• Files
• CertsInfo
• SMTP
• SSL
• Weird
• Notice
• DHCP
• SSH
• Software
• Radius
• X509
• DevicesInfo

Testing

1. Create a working directory and pull in this PR

   mkdir ~/metron-508
   git clone https://github.com/apache/metron ~/metron-508/metron
   cd ~/metron-508/metron
   git remote add jonzeolla https://github.com/jonzeolla/metron
   git pull jonzeolla METRON-508
   

2. Modify this to remove sensors, (to spin up the real sensors).

   sed -i '' "s/ansibleSkipTags=.*/ansibleSkipTags=\'quick_dev\'/" metron-deployment/vagrant/full-dev-platform/Vagrantfile
   

3. Start up full-dev.

   cd metron-deployment/vagrant/full-dev-platform
   vagrant up
   

4. Set up the environment in full-dev.

   vagrant ssh
   sudo su -
   export PATH=$PATH:/usr/local/bro/bin
   service monit stop && service sensor-stubs stop bro && broctl stop
   yum -y install jq wireshark
   

5. Configure kafka in local.bro.

   sed -i 's/redef Kafka::logs_to_send = .*/redef Kafka::logs_to_send = set(HTTP::LOG, DNS::LOG, Conn::LOG, DPD::LOG, DHCP::LOG, FTP::LOG, SSH::LOG, SSL::LOG, SMTP::LOG, RADIUS::LOG, Weird::LOG, Files::LOG, Notice::LOG, Software::LOG, Known::CERTS_LOG, Known::DEVICES_LOG, X509::LOG);/' /usr/local/bro/share/bro/site/local.bro
   echo "redef Kafka::debug = \"all\";" >> /usr/local/bro/share/bro/site/local.bro
   echo "redef Known::cert_tracking = ALL_HOSTS;" >> /usr/local/bro/share/bro/site/local.bro
   echo "redef Software::asset_tracking = ALL_HOSTS;" >> /usr/local/bro/share/bro/site/local.bro
   sed -i '86 a @load policy/protocols/dhcp/known-devices-and-hostnames.bro' /usr/local/bro/share/bro/site/local.bro
   

6. Monitor the bro kafka topic

   # Open a new terminal
   cd ~/metron-508/metron/metron-deployment/vagrant/full-dev-platform
   vagrant ssh
   sudo su -
   export PATH=$PATH:/usr/local/bro/bin:/usr/hdp/current/kafka-broker/bin
   kafka-console-consumer.sh --zookeeper localhost:2181 --topic bro
   

7. Monitor the storm logs.

   # Open a new terminal
   cd ~/metron-508/metron/metron-deployment/vagrant/full-dev-platform
   vagrant ssh
   sudo su -
   export PATH=$PATH:/usr/local/bro/bin:/usr/hdp/current/kafka-broker/bin
   # Look at the storm logs (The "failed to parse" errors for ip_src_addr and ip_dst_addr are expected, and should be addressed as a part of METRON-939)
   tail -f /var/log/storm/workers-artifacts/indexing-*/*/worker.log | grep -i "org.elasticsearch.index.mapper.MapperParsingException: failed to parse"
   # You may want to evaluate worker.log for other errors, but the prior command is helpful to cut through some of the failed indexing of IPv6 addresses
   

8. Run bro against some public pcaps.

   # In the first of your three terminals
   # These are kept separate so that the flat file log output won't stomp the prior ones, for ingest validation
   mkdir -p ~/brotmp/nitroba ~/brotmp/example-traffic ~/brotmp/ssh ~/brotmp/ftp ~/brotmp/radius
   wget https://www.bro.org/static/traces/exercise-traffic.pcap -O ~/brotmp/example-traffic/exercise-traffic.pcap
   wget http://downloads.digitalcorpora.org/corpora/network-packet-dumps/2008-nitroba/nitroba.pcap -O ~/brotmp/nitroba/nitroba.pcap
   wget https://www.bro.org/static/traces/ssh.pcap -O ~/brotmp/ssh/ssh.pcap
   wget https://github.com/markofu/pcaps/blob/master/PracticalPacketAnalysis/ppa-capture-files/ftp.pcap?raw=true -O ~/brotmp/ftp/ftp.pcap
   wget https://github.com/EmpowerSecurityAcademy/wireshark/blob/master/radius_localhost.pcapng?raw=true -O ~/brotmp/radius/radius_localhost.pcapng
   cd ~/brotmp/example-traffic
   bro -r exercise-traffic.pcap /usr/local/bro/share/bro/site/local.bro -C
   cd ~/brotmp/nitroba
   bro -r nitroba.pcap /usr/local/bro/share/bro/site/local.bro -C
   cd ~/brotmp/ssh
   bro -r ssh.pcap /usr/local/bro/share/bro/site/local.bro -C
   cd ~/brotmp/ftp
   bro -r ftp.pcap /usr/local/bro/share/bro/site/local.bro -C
   cd ~/brotmp/radius
   editcap -F libpcap radius_localhost.pcapng radius_localhost.pcap
   bro -r radius_localhost.pcap /usr/local/bro/share/bro/site/local.bro -C
   

9. Validate that terminals 2 and 3 don't have any errors that you don't expect.
10. Verify proper indexing in ES and availability in kibana.

    # Check around and make sure things look okay
    declare -a exists notexists; for protocol in http dns conn dpd dhcp ftp ssh ssl smtp radius weird files notice software known_certs x509 known_devices; do if [[ $(curl -s -XGET "node1:9200/bro*/_search?q=protocol:${protocol}" | jq '.hits.hits') == '[]' ]]; then notexists+=" ${protocol}"; else exists+=" ${protocol}"; fi; done; if [ ${#notexists[@]} -ne 0 ]; then echo -e "\n\n\033[0mThe following do exist in ES: ${exists[@]}\n\033[0;31mThe following do NOT exist in ES: ${notexists[@]}\033[0m"; else echo 'All of the log types are in ES!  Success!'; fi; unset exists notexists
    # Check Kibana.  For example:  http://node1:5000/app/kibana#/visualize/create?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-15y,mode:quick,to:now))&_a=(filters:!(),linked:!f,query:(query_string:(analyze_wildcard:!t,query:'*')),uiState:(),vis:(aggs:!((id:'3',params:(field:protocol,orderBy:'2',size:20),schema:segment,type:terms),(id:'2',schema:metric,type:count)),type:histogram))&indexPattern=bro*&type=histogram
    # OPTIONAL testing
    # Run `/usr/share/elasticsearch/bin/plugin install mobz/elasticsearch-head` and look around
    curl -XGET node1:9200/_cat/indices # First column should be all green
    curl -XGET "node1:9200/bro*/_count" # Check the count of entries in the bro index, you can re-run bro against specific PCAPs and watch this increase, etc.
    

Pull Request Checklist

Thank you for submitting a contribution to Apache Metron.
Please refer to our Development Guidelines for the complete guide to follow for contributions.
Please refer also to our Build Verification Guidelines for complete smoke testing guides.

In order to streamline the review of the contribution we ask you follow these guidelines and ask you to double check the following:

For all changes:

• Is there a JIRA ticket associated with this PR? If not one needs to be created at Metron Jira.
• Does your PR title start with METRON-XXXX where XXXX is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character.
• Has your PR been rebased against the latest commit within the target branch (typically master)?

For code changes:

• Have you included steps to reproduce the behavior or problem that is being changed or addressed?
• Have you verified the basic functionality of the build by building and running locally with Vagrant full-dev environment or the equivalent?

Note:

Please ensure that once the PR is submitted, you check travis-ci for build issues and submit an update to your PR as soon as possible.
It is also recommended that travis-ci is set up for your personal repository such that your branches are built there before submitting a pull request.

[nickwallen]

Still need to review, but this is a great addition Jon.

What pairs nicely with this is to expand the unit tests for the Bro parser to test the other log types that you include in this PR. Right now only HTTP and DNS are tested there. We can tackle separately if you like.

[JonZeolla]

Didn't I do that?

[simonellistonball]

Looks like there are some good unit tests, though maybe not for every new type you mention, or that could come in. Seems like decent coverage though. I wonder, is it worth adding something in the integration tests as well, especially prior to 777 to avoid accidentally regressing this work when that lands?

[nickwallen]

Actually, I meant the integration tests. The stuff under metron-platform/metron-integration-test/src/main/sample/data/bro.

[JonZeolla]

@simonellistonball Right, I'm not attempting to cover any type of log that can come in, based on the bro documentation, because bro logs are heavily extensible and therefore it is hard to detect what all could come in from a given bro install. There are also a lot of fields that exist in the bro documentation for a specific log type that are not on by default, but can be turned on. I plan to step towards support of those fields with various PRs, but not do it all with this first stab unless it's strongly encouraged.

That said, I will do some more work on the unit and integration tests to get better coverage, as there most definitely may be some missing, optional fields which I didn't catch in the tests.

@nickwallen Right, that makes sense. In a minute I'll push out my first pass at the integration tests, and I'll take another look at the tests this coming week and fill in any of the gaps.

As an aside, I explicitly did not add these new logs to the bro sensor-stub, but I would consider doing so at some point in the future. Since there isn't a default dashboard that uses these logs, I didn't think it would be very useful.

[simonellistonball]

Fantastic! Good to see more integration tests in there and great to see additional data ingested. I'm +1 (non-binding) on this.

[JonZeolla]

I updated the instructions to reflect the repo name change; hopefully it should work but I won't have a chance to test it out for a couple of days.

[JonZeolla]

Per @simonellistonball 's comments in #531 I added initial support for the native way that Bro handles tracking DHCP's Client ID field and updated the above instructions appropriately.

[JonZeolla]

Bump

[justinleet]

I'd like to see these pulled out and using @Multiline for readability. Given that it's not currently in this format, I'm not opposed to just leaving it, but it does make it easier to understand at a glance. Given that these all get touched anyway right now, it seems like the perfect time to refactor it.

Example:

  /**
   * {
   * "ts":1449511228.474,
   * "uid":"CFgSLp4HgsGqXnNjZi",
   * "id.orig_h":"104.130.172.191",
   * "id.orig_p":33893,
   * "id.resp_h":"69.20.0.164",
   * "id.resp_p":53,
   * "proto":"udp",
   * "trans_id":3514,
   * "rcode":3,
   * "rcode_name":"NXDOMAIN",
   * "AA":false,
   * "TC":false,
   * "RD":false,
   * "RA":false,
   * "Z":0,
   * "rejected":false,
   * "sensor":"cloudbro",
   * "type":"dns"
   * }
   */
  @Multiline
  public static String unwrappedBroMessage;
	public void testUnwrappedBroMessage() throws ParseException {
        JSONObject rawJson = (JSONObject)jsonParser.parse(unwrappedBroMessage);
        JSONObject broJson = broParser.parse(unwrappedBroMessage.getBytes()).get(0);

	String expectedBroTimestamp = "1449511228.474";
      	Assert.assertEquals(broJson.get("bro_timestamp"), expectedBroTimestamp);
        String expectedTimestamp = "1449511228474";
	Assert.assertEquals(broJson.get("timestamp").toString(), expectedTimestamp);

	Assert.assertEquals(broJson.get("ip_src_addr").toString(), rawJson.get("id.orig_h").toString());
	Assert.assertEquals(broJson.get("ip_dst_addr").toString(), rawJson.get("id.resp_h").toString());
	Assert.assertEquals(broJson.get("ip_src_port"), rawJson.get("id.orig_p"));
        Assert.assertEquals(broJson.get("ip_dst_port"), rawJson.get("id.resp_p"));
        Assert.assertEquals(broJson.get("uid").toString(), rawJson.get("uid").toString());
        Assert.assertEquals(broJson.get("trans_id").toString(), rawJson.get("trans_id").toString());
        Assert.assertEquals(broJson.get("sensor").toString(), rawJson.get("sensor").toString());
        Assert.assertEquals(broJson.get("type").toString(), rawJson.get("type").toString());
        Assert.assertEquals(broJson.get("rcode").toString(), rawJson.get("rcode").toString());
        Assert.assertEquals(broJson.get("rcode_name").toString(), rawJson.get("rcode_name").toString());

	Assert.assertTrue(broJson.get("original_string").toString().startsWith("DNS"));
    }

[justinleet]

I did leave one comment about refactoring tests a bit, but I'm +1 regardless of if that change happens or not. Spun it up in full dev and was able to get all the types to show up in the histogram and things looked good all around.

Thanks for the great contribution!

[JonZeolla]

Thanks. I haven't used org.adrianwalker.multilinestring.Multiline before, took a quick shot with two of them, I'll do the rest when I have more time.

[justinleet]

One more multiline

[justinleet]

@JonZeolla Can you deconflict this?

[justinleet]

+1 still stands, pending Travis.

[JonZeolla]

@nickwallen @justinleet Can I get a quick review of my recent changes before I merge? Mostly focused on how I approached documenting the template, but feel free to comment on anything.

I just spun this up in full-dev and verified that my above steps are still valid and this works as intended. At this point I'm iteratively crossing my fingers and retrying Travis until it gets the whole way through and gives me a result. Can't wait for #624

[JonZeolla]

Last try before I merge in #624 and make it a dependancy.

[JonZeolla]

Out of sheer frustration I merged in #624 in its current state and got Travis to pass on the first try after over a dozen failures. Great work @justinleet @cestella and others. Obviously now this has a dependency of METRON-1004 so I've edited the title of this to include "[DO NOT MERGE UNTIL METRON-1004]". Still looking for a review - looking back I should have squash merged, but due to the simplicity of the changes in this PR, it's probably not worth going back and fixing it.

[justinleet]

@JonZeolla 1004 is in, but there's been a few changes in, so I'd ask that you double check that things still line up as expected. I'm going to look back through the changes this morning on here this morning, now that Travis actually works.

[JonZeolla]

Should be good to go now, pending Travis.

[justinleet]

+1. I'm good with the most recent changes, pending Travis.

[JonZeolla]

I spotted a duplicate in taking a scan of the template, so I ran grep '": {' metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/bro_index.template | sort | uniq -c | grep -v 1 to make sure that was the only one. I fixed it and pushed things up, along with other minor tweaks - Travis was successful so I plan to merge soon. I also put some thoughts for a follow-on PR in METRON-1010.