Bro IDS Dockerfile (also see 🆕 blacktop/docker-zeek)
This repository contains the Dockerfile for the Bro IDS image blacktop/bro.
Table of Contents
- Dependencies
- Image Tags
- Installation
- Getting Started
- Documentation
- Issues
- Todo
- CHANGELOG
- Contributing
- License
$ docker images
REPOSITORY TAG SIZE
blacktop/bro latest 22.2MB
blacktop/bro 2.5 22.2MB
blacktop/bro pkg 107MB
blacktop/bro elastic 67.4MB
blacktop/bro redis 60.1MB
blacktop/bro geoip 55.97MB
blacktop/bro kafka 30.6MB
blacktop/bro 2.4.1 16.68MB
blacktop/bro 2.4 16.68MB
NOTE:
- tag pkg is the same as tag 2.5, but includes the Bro Package Manager
- tag elastic is the same as tag 2.5, but includes the elasticsearch plugin and the GeoIP database
- tag redis is the same as tag 2.5, but includes the redis plugin and the GeoIP database
- tag geoip is the same as tag 2.5, but includes the GeoIP database
- tag kafka is the same as tag 2.5, but includes the kafka plugin
- all tags include the af_packet plugin
- Install Docker.
- Download trusted build from public Docker Registry:
docker pull blacktop/bro
$ wget https://github.com/blacktop/docker-bro/raw/master/pcap/heartbleed.pcap
$ wget https://github.com/blacktop/docker-bro/raw/master/scripts/local.bro
# Mounting local.bro below means all default modules are loaded
$ docker run --rm \
-v `pwd`:/pcap \
-v `pwd`/local.bro:/usr/local/share/bro/site/local.bro \
blacktop/bro -r heartbleed.pcap local "Site::local_nets += { 192.168.11.0/24 }"
$ ls -l
-rw-r--r-- 1 blacktop staff 635B Jul 30 12:11 conn.log
-rw-r--r-- 1 blacktop staff 754B Jul 30 12:11 files.log
-rw-r--r-- 1 blacktop staff 384B Jul 30 12:11 known_certs.log
-rw-r--r-- 1 blacktop staff 239B Jul 30 12:11 known_hosts.log
-rw-r--r-- 1 blacktop staff 271B Jul 30 12:11 known_services.log
-rw-r--r-- 1 blacktop staff 17K Jul 30 12:11 loaded_scripts.log
-rw-r--r-- 1 blacktop staff 1.9K Jul 30 12:11 notice.log <====== NOTICE
-rw-r--r-- 1 blacktop staff 253B Jul 30 12:11 packet_filter.log
-rw-r--r-- 1 blacktop staff 1.2K Jul 30 12:11 ssl.log
-rw-r--r-- 1 blacktop staff 901B Jul 30 12:11 x509.log
$ cat notice.log | awk '{ print $11 }' | tail -n4
Heartbleed::SSL_Heartbeat_Attack
Heartbleed::SSL_Heartbeat_Odd_Length
Heartbleed::SSL_Heartbeat_Attack_Success
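The `awk '{ print $11 }'` one-liner above depends on `note` being the eleventh column of notice.log. As an added example (not part of this repository), the script below resolves columns by name from the `#fields` header of Bro's TSV logs and counts the Heartbleed notices; the log it writes is a constructed sample with made-up uids, addresses and timestamps, only the layout is real.

```shell
#!/bin/sh
# Added example, not code from blacktop/docker-bro.

# Write a constructed notice.log in Bro's tab-separated format to the path in $1.
# Values are made up for the example; only the header/field layout is real.
write_sample_notice_log() {
    {
        printf '#separator \\x09\n'
        printf '#set_separator\t,\n#empty_field\t(empty)\n#unset_field\t-\n#path\tnotice\n'
        printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tnote\tmsg\n'
        printf '#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\n'
        printf '1398479424.125843\tCfakeUid001\t192.168.11.10\t50443\t192.168.11.1\t443\tHeartbleed::SSL_Heartbeat_Attack\tHeartbeat request of 16384 bytes\n'
        printf '1398479424.125900\tCfakeUid001\t192.168.11.10\t50443\t192.168.11.1\t443\tHeartbleed::SSL_Heartbeat_Odd_Length\tHeartbeat message smaller than minimum\n'
        printf '1398479424.126010\tCfakeUid001\t192.168.11.10\t50443\t192.168.11.1\t443\tHeartbleed::SSL_Heartbeat_Attack_Success\tServer returned 16384 bytes\n'
        printf '1398479430.000000\tCfakeUid002\t192.168.11.12\t41234\t192.168.11.1\t443\tSSL::Invalid_Server_Cert\tSSL certificate validation failed\n'
        printf '#close\t2017-07-30-12-11-00\n'
    } > "$1"
}

# Print one named column ($2) of a Bro TSV log ($1). The index is taken from the
# "#fields" header, so the extraction survives a change in field order; comment
# lines (#separator, #types, #close, ...) are skipped.
bro_log_column() {
    awk -F '\t' -v want="$2" '
        /^#fields/ { for (i = 2; i <= NF; i++) if ($i == want) idx = i - 1; next }
        /^#/       { next }
        idx        { print $idx }
    ' "$1"
}

# Count notices whose note type is in the Heartbleed:: namespace.
count_heartbleed_notices() {
    bro_log_column "$1" note | awk '/^Heartbleed::/ { n++ } END { print n + 0 }'
}

# Tally all notice types, most frequent first.
summarize_notices() {
    bro_log_column "$1" note | sort | uniq -c | sort -rn
}

# Stand-alone demo against the constructed sample.
sample=$(mktemp)
write_sample_notice_log "$sample"
summarize_notices "$sample"
printf 'Heartbleed notices: %s\n' "$(count_heartbleed_notices "$sample")"
rm -f "$sample"
```

Point `bro_log_column` at the real notice.log produced by the container run above to get the same `note` column without relying on its position.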
Find a bug? Want more features? Find something missing in the documentation? Let me know! Please don't hesitate to file an issue and I'll get right on it.
Alpine conversion heavily (if not entirely) influenced by https://github.com/nizq/docker-bro
See CHANGELOG.md
See all contributors on GitHub.
Please update the CHANGELOG.md and submit a Pull Request on GitHub.
MIT Copyright (c) 2015-2018 blacktop