Skip to content
This repository has been archived by the owner on Jan 21, 2023. It is now read-only.

blacktop/docker-bro

Repository files navigation

bro-logo

Bro IDS Dockerfile (also see 🆕 blacktop/docker-zeek)

CircleCI License Docker Stars Docker Pulls Docker Image

This repository contains a Dockerfile of Bro-IDS blacktop/bro.

Table of Contents

Dependencies

Image Tags

$ docker images

REPOSITORY          TAG           SIZE
blacktop/bro        latest        22.2MB
blacktop/bro        2.5           22.2MB
blacktop/bro        pkg           107MB
blacktop/bro        elastic       67.4MB
blacktop/bro        redis         60.1MB
blacktop/bro        geoip         55.97MB
blacktop/bro        kafka         30.6MB
blacktop/bro        2.4.1         16.68MB
blacktop/bro        2.4           16.68MB

NOTE:

  • tag pkg is the same as tag 2.5, but includes the Bro Package Manager
  • tag elastic is the same as tag 2.5, but includes the elasticsearch plugin and the GeoIP database
  • tag redis is the same as tag 2.5, but includes the redis plugin and the GeoIP database
  • tag geoip is the same as tag 2.5, but includes the GeoIP database
  • tag kafka is the same as tag 2.5, but includes the kafka plugin
  • all tags include the af_packet plugin

Installation

  1. Install Docker.
  2. Download trusted build from public Docker Registry: docker pull blacktop/bro

Getting Started

$ wget https://github.com/blacktop/docker-bro/raw/master/pcap/heartbleed.pcap
$ wget https://github.com/blacktop/docker-bro/raw/master/scripts/local.bro
$ docker run --rm \
         -v `pwd`:/pcap \
         -v `pwd`/local.bro:/usr/local/share/bro/site/local.bro \  # All default modules loaded
         blacktop/bro -r heartbleed.pcap local "Site::local_nets += { 192.168.11.0/24 }"
$ ls -l

-rw-r--r--  1 blacktop  staff   635B Jul 30 12:11 conn.log
-rw-r--r--  1 blacktop  staff   754B Jul 30 12:11 files.log
-rw-r--r--  1 blacktop  staff   384B Jul 30 12:11 known_certs.log
-rw-r--r--  1 blacktop  staff   239B Jul 30 12:11 known_hosts.log
-rw-r--r--  1 blacktop  staff   271B Jul 30 12:11 known_services.log
-rw-r--r--  1 blacktop  staff    17K Jul 30 12:11 loaded_scripts.log
-rw-r--r--  1 blacktop  staff   1.9K Jul 30 12:11 notice.log <====== NOTICE
-rw-r--r--  1 blacktop  staff   253B Jul 30 12:11 packet_filter.log
-rw-r--r--  1 blacktop  staff   1.2K Jul 30 12:11 ssl.log
-rw-r--r--  1 blacktop  staff   901B Jul 30 12:11 x509.log
$ cat notice.log | awk '{ print $11 }' | tail -n4

Heartbleed::SSL_Heartbeat_Attack
Heartbleed::SSL_Heartbeat_Odd_Length
Heartbleed::SSL_Heartbeat_Attack_Success

Documentation

Issues

Find a bug? Want more features? Find something missing in the documentation? Let me know! Please don't hesitate to file an issue and I'll get right on it.

Credits

Alpine conversion heavily (if not entirely) influenced by https://github.com/nizq/docker-bro

CHANGELOG

See CHANGELOG.md

Contributing

See all contributors on GitHub.

Please update the CHANGELOG.md and submit a Pull Request on GitHub.

License

MIT Copyright (c) 2015-2018 blacktop