
alias454 / graylog-zeek-content-pack

Licence: Apache-2.0 license
BRO/Zeek IDS content pack contains pipeline rules, a stream, a dashboard displaying interesting activity, and a syslog tcp input to capture and index BRO/Zeek logs coming from a remote sensor.

Projects that are alternatives of or similar to graylog-zeek-content-pack

Zeek-Network-Security-Monitor
A Zeek Network Security Monitor tutorial that will cover the basics of creating a Zeek instance on your network in addition to all of the necessary hardware and setup and finally provide some examples of how you can use the power of Zeek to have absolute control over your network.
Stars: ✭ 38 (+111.11%)
Mutual labels:  bro, zeek
TheBriarPatch
An extremely crude, lightweight Web Frontend for Suricata/Bro to be used with BriarIDS
Stars: ✭ 21 (+16.67%)
Mutual labels:  bro, ids
docker-zeek
Zeek IDS Dockerfile
Stars: ✭ 82 (+355.56%)
Mutual labels:  ids, zeek
Zeek
Zeek is a powerful network analysis framework that is much different from the typical IDS you may know.
Stars: ✭ 4,180 (+23122.22%)
Mutual labels:  bro, zeek
Ivre
Network recon framework, published by @cea-sec & @ANSSI-FR. Build your own, self-hosted and fully-controlled alternatives to Shodan / ZoomEye / Censys and GreyNoise, run your Passive DNS service, collect and analyse network intelligence from your sensors, and much more!
Stars: ✭ 2,331 (+12850%)
Mutual labels:  bro, zeek
MegaDev
Bro IDS + ELK Stack to detect and block data exfiltration
Stars: ✭ 46 (+155.56%)
Mutual labels:  bro, zeek
zeek-docs
Documentation for Zeek
Stars: ✭ 41 (+127.78%)
Mutual labels:  bro, zeek
ivre
Network recon framework. Build your own, self-hosted and fully-controlled alternatives to Shodan / ZoomEye / Censys and GreyNoise, run your Passive DNS service, collect and analyse network intelligence from your sensors, and much more!
Stars: ✭ 2,712 (+14966.67%)
Mutual labels:  bro, zeek
wazuh-ansible
Wazuh - Ansible playbook
Stars: ✭ 166 (+822.22%)
Mutual labels:  ids
IPRadar2
Real-time detection and defense against malicious network activity and policy violations (exploits, port-scanners, advertising, telemetry, state surveillance, etc.)
Stars: ✭ 20 (+11.11%)
Mutual labels:  ids
graylog-plugin-logging-alert
Alert notification plugin for Graylog to generate log messages from alerts
Stars: ✭ 16 (-11.11%)
Mutual labels:  graylog
TNSR IDS
IDS using a port mirror, Snort and an alert -> RESTCONF utility
Stars: ✭ 30 (+66.67%)
Mutual labels:  ids
Fragscapy
Fragscapy is a command-line tool to fuzz network protocols by automating the modification of outgoing network packets. It can run multiple successive tests to determine which options can be used to evade firewalls and IDS.
Stars: ✭ 52 (+188.89%)
Mutual labels:  ids
graylog2-plugin-input-httpmonitor
HTTP Monitor plugin for graylog
Stars: ✭ 38 (+111.11%)
Mutual labels:  graylog
graylog-plugin-aws
Several bundled Graylog plugins to integrate with different AWS services like CloudTrail and FlowLogs.
Stars: ✭ 88 (+388.89%)
Mutual labels:  graylog
graylog-beats-plugin
Graylog input plugin for Elastic Beats
Stars: ✭ 19 (+5.56%)
Mutual labels:  graylog
wazuh-cloudformation
Wazuh - Amazon AWS Cloudformation
Stars: ✭ 32 (+77.78%)
Mutual labels:  ids
ML-IDS
An IDS implementation using machine learning
Stars: ✭ 30 (+66.67%)
Mutual labels:  ids
eewids
Easily Expandable Wireless Intrusion Detection System
Stars: ✭ 25 (+38.89%)
Mutual labels:  ids
mole
Yara powered NIDS with high speed packet capture powered by PF_RING
Stars: ✭ 51 (+183.33%)
Mutual labels:  ids

graylog-zeek-content-pack

Zeek IDS content pack contains pipeline rules, a stream, a dashboard displaying interesting activity, and a syslog tcp input to capture and index logs coming from a Zeek sensor.

If you are using Security Onion or an older version of Zeek, the log files might be different and not contain the same exact fields.

See the full Description of Zeek IDS Default Log files
https://www.zeek.org/sphinx/script-reference/log-files.html

Working with Zeek logs 
https://www.zeek.org/sphinx/logs/index.html#working-with-log-files

Releases

Content for older versions of Graylog https://github.com/alias454/graylog-zeek-content-pack/releases

Provided Content

A Dashboard: Zeek IDS Information - Last 24 Hours
A Stream: Zeek IDS logs
An Input: ids-tcp-input (default port 13514)
Pipeline rules to get started with
Rsyslog conf to get started with

00-zeek.conf should go in the /etc/rsyslog.d/ directory on the sensor after editing the appropriate values for your setup. If SELinux is enabled there, label the destination port so rsyslog is allowed to use it: semanage port -a -t syslogd_port_t -p tcp 13514

Requirements

Graylog v3.x.x or later for new content pack handling features
Rsyslog 8.x to use the replace() function if using rsyslog to ship logs
Zeek 2.6.x to use the pipeline files out of the box

Editing the pipeline rules will be required if using older versions of Bro/Zeek.

Security Onion:
If running with Security Onion, verify that the field names and values the pipeline rules expect match what your sensor actually emits prior to sending data.
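The caveat above (Security Onion and older Zeek releases emit different field sets) is easiest to act on by reading the `#fields` header the sensor actually writes. The following is an added example, not code from the content pack: it parses a Zeek TSV log using the log's own header directives, compares the declared fields with the set a pipeline rule is assumed to read (the PIPELINE_FIELDS table is an illustrative assumption, not the pack's rules), and shapes one record the way Graylog indexes it (GELF 1.1; the `_zeek_log` field name and the dot-to-underscore renaming are likewise assumptions). The conn.log sample is constructed.

```python
"""Parse Zeek TSV logs, check the declared #fields against what a pipeline
rule expects, and shape a record as GELF. Added example, not the pack's code."""
import json

# Constructed sample in the Zeek 2.6 default conn.log layout; uids are made up.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tconn",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tlocal_resp"
    "\tmissed_bytes\thistory\torig_pkts\torig_ip_bytes\tresp_pkts\tresp_ip_bytes"
    "\ttunnel_parents",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount"
    "\tcount\tstring\tbool\tbool\tcount\tstring\tcount\tcount\tcount\tcount"
    "\tset[string]",
    "1557489600.123456\tCHhAvVGS1DHFjwGM9\t10.0.0.5\t51234\t93.184.216.34\t443"
    "\ttcp\tssl\t1.23\t512\t4096\tSF\tT\tF\t0\tShADadFf\t6\t832\t7\t4460\t(empty)",
    "1557489601.000000\tC4J4Th3PJpwUYZZ6gc\t10.0.0.7\t53011\t10.0.0.1\t53"
    "\tudp\tdns\t-\t-\t-\tS0\tT\tT\t0\tD\t1\t70\t0\t0\t(empty)",
    "#close\t2019-05-10-13-00-00",
])

# Fields a conn pipeline rule is assumed to read (illustrative assumption,
# not taken from the content pack's rules).
PIPELINE_FIELDS = {
    "conn": {"ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
             "proto", "service", "conn_state"},
}


def _convert(raw, typ, set_sep, unset, empty):
    """Map one raw column to a Python value using the #types hint."""
    if raw == unset:
        return None
    if typ.startswith(("set[", "vector[")):
        return [] if raw == empty else raw.split(set_sep)
    if raw == empty:
        return ""
    if typ in ("count", "int", "port"):
        return int(raw)
    if typ in ("time", "interval", "double"):
        return float(raw)
    if typ == "bool":
        return raw == "T"
    return raw  # string, addr, enum, subnet, ... stay as text


def parse_zeek_log(text):
    """Return {"path", "fields", "records"} for one Zeek log, honouring the
    header directives instead of hard-coding tab, "-" and "(empty)"."""
    sep, set_sep, unset, empty = "\t", ",", "-", "(empty)"
    path, fields, types, records = "", [], [], []
    for line in filter(None, text.splitlines()):
        if line.startswith("#separator "):
            # Zeek writes the separator as an escape sequence, e.g. \x09 for tab.
            sep = bytes(line.split(" ", 1)[1], "ascii").decode("unicode_escape")
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(sep)
            if key == "fields":
                fields = value.split(sep)
            elif key == "types":
                types = value.split(sep)
            elif key == "path":
                path = value
            elif key == "set_separator":
                set_sep = value
            elif key == "unset_field":
                unset = value
            elif key == "empty_field":
                empty = value
            continue  # #open / #close carry no record data
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError("%d values for %d declared fields" % (len(values), len(fields)))
        records.append({n: _convert(v, t, set_sep, unset, empty)
                        for n, t, v in zip(fields, types, values)})
    return {"path": path, "fields": fields, "records": records}


def missing_pipeline_fields(text):
    """Expected fields for this log's #path that the sensor does not declare."""
    log = parse_zeek_log(text)
    return PIPELINE_FIELDS.get(log["path"], set()) - set(log["fields"])


def to_gelf(record, path, host="zeek-sensor"):
    """GELF 1.1 message: Zeek's ts becomes the timestamp, other columns become
    additional fields with dots rewritten to underscores (id.orig_h -> id_orig_h).
    GELF additional fields hold only strings and numbers, so bools become 0/1
    and sets are joined. The _zeek_log field name is an assumption."""
    msg = {"version": "1.1", "host": host, "timestamp": record.get("ts"),
           "short_message": "%s %s -> %s" % (path, record.get("id.orig_h"), record.get("id.resp_h")),
           "_zeek_log": path}
    for name, value in record.items():
        if name == "ts" or value is None:
            continue  # unset columns are left out rather than indexed as "-"
        if isinstance(value, bool):
            value = int(value)
        elif isinstance(value, list):
            value = ",".join(value)
        msg["_" + name.replace(".", "_")] = value
    return msg


if __name__ == "__main__":
    log = parse_zeek_log(SAMPLE_CONN_LOG)
    print("fields missing for the pipeline:", missing_pipeline_fields(SAMPLE_CONN_LOG) or "none")
    for rec in log["records"]:
        print(json.dumps(to_gelf(rec, log["path"])))
```

Run it against a real `conn.log` from the sensor (or from Security Onion's Zeek output) before enabling the pipeline: a non-empty result from `missing_pipeline_fields` is exactly the case in which the pack's rules would need editing.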

Setup Steps

  1. Configure Graylog Input (Installed with Content pack)
  2. Configure Stream for Graylog (Installed with Content pack)
  3. Configure Pipeline Rules Processing (Installed with Content pack)
  4. Point the Zeek sensor at Graylog (manual config on the sensor): configure rsyslog or syslog-ng on the sensor to forward the Zeek logs to the Graylog input
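Step 4 as an added example, not part of the content pack, which expects rsyslog or syslog-ng to do the shipping: the block below shows the wire format such an agent has to produce for ids-tcp-input, one RFC 5424 syslog message per Zeek record, sent over a TCP connection to port 13514. The hostname zeek-sensor, the application name zeek_conn, facility local0 and the `" | "` replacement for tabs are assumptions, and the conn.log fragment is constructed. Tabs are replaced because syslog receivers commonly escape or strip control characters, which would mangle the record; that is the kind of rewriting a shipping config does with rsyslog's replace() (what the pack's own 00-zeek.conf replaces is not stated on this page).

```python
"""Frame Zeek records as RFC 5424 syslog over TCP for Graylog's syslog input
(ids-tcp-input, port 13514). Added example; the content pack expects rsyslog
or syslog-ng to do this, and this shows the wire format they must produce."""
import socket
from datetime import datetime, timezone

LOCAL0, INFO = 16, 6  # syslog facility / severity (assumed; match your stream rules)


def syslog_frame(zeek_line, app_name, hostname="zeek-sensor",
                 facility=LOCAL0, severity=INFO, delimiter=" | "):
    """One newline-terminated RFC 5424 message for a tab-separated Zeek record.
    Column 0 (ts) becomes the syslog timestamp so Graylog indexes event time,
    not ship time; tabs are replaced because syslog receivers commonly escape
    or strip control characters."""
    if not zeek_line or zeek_line.startswith("#"):
        raise ValueError("header directives are not shipped, only data lines")
    columns = zeek_line.rstrip("\n").split("\t")
    ts = datetime.fromtimestamp(float(columns[0]), tz=timezone.utc)
    pri = facility * 8 + severity  # PRI per RFC 5424 section 6.2.1
    header = "<%d>1 %s %s %s - - -" % (
        pri, ts.strftime("%Y-%m-%dT%H:%M:%S.%fZ"), hostname, app_name)
    return "%s %s\n" % (header, delimiter.join(columns))


def frames_for_log(text, app_name, **kw):
    """Frame every data line of a Zeek log, skipping the # header directives."""
    return [syslog_frame(line, app_name, **kw)
            for line in text.splitlines() if line and not line.startswith("#")]


def ship(frames, host, port=13514, timeout=5.0):
    """Send frames on one TCP connection (newline framing, which Graylog's
    syslog TCP input accepts by default). Returns the number of bytes sent."""
    payload = "".join(frames).encode("utf-8")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(payload)
    return len(payload)


# Constructed conn.log fragment (abridged columns, made-up uid).
SAMPLE = ("#path\tconn\n"
          "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\n"
          "1557489600.123456\tCHhAvVGS1DHFjwGM9\t10.0.0.5\t51234\t93.184.216.34\t443\ttcp\n")

if __name__ == "__main__":
    for frame in frames_for_log(SAMPLE, "zeek_conn"):
        print(frame, end="")
    # ship(frames_for_log(SAMPLE, "zeek_conn"), "graylog.example.org")  # assumed host
```

The application name is what distinguishes conn.log records from dns.log or http.log records on the Graylog side, so a stream rule or pipeline rule can branch on it; use one name per Zeek log file when wiring up the real shipper.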

Additional Setup Information

Manual pipeline rule setup  
http://docs.graylog.org/en/3.0/pages/pipelines/usage.html#configuration  

For a more detailed walk-through on setup for steps 1-3  
http://alias454.com/send-security-onion-logs-to-a-centralized-graylog-server/