|
3 | 3 | Threat Hunting with Bro and MISP |
4 | 4 |
|
5 | 5 |
|
6 | | -This modules uses the the built-in Bro Intelligence Framework to load and monitor signatures from MISP automatically. Indicators are downloaded from MISP every 6 hours and hits, called sightings are reported back to MISP immediately. The module also includes a customized version of Jan Grashoefer's expiration code to remove indicators after 7 hours after they are deleted from MISP. |
| 6 | +This module uses the the built-in Bro Intelligence Framework to load and monitor signatures from MISP automatically. Indicators are downloaded from MISP every 6 hours and hits, called sightings, are reported back to MISP immediately. The module also includes a customized version of Jan Grashoefer's expiration code to remove indicators after 7 hours after they are deleted from MISP. |
7 | 7 |
|
8 | 8 |
|
9 | 9 | Indicators are downloaded automatically every 6 hours. Indicators should expire after 7 hours if removed from MISP. |
10 | 10 |
|
11 | 11 |
|
12 | 12 | Indicators are downloaded and read into memory. Content signatures in signatures.sig which is not yet automatically downloaded. MISP does not yet support bro content signatures, this module will be updated for downloading those when available. |
13 | 13 |
|
| 14 | +## Screencaps |
14 | 15 |
|
15 | | -## Official Source |
16 | | - |
17 | | -https://dovehawk.io/ (coming soon) |
18 | | - |
19 | | -https://github.com/tylabs/dovehawk/ |
| 16 | + |
20 | 17 |
|
| 18 | + |
21 | 19 |
|
22 | | -## Requirements |
| 20 | + |
23 | 21 |
|
24 | | -Bro IDS: tested with version version 2.5.4. |
25 | | - |
26 | | -Curl: command line tool for accessing web content, tested with curl 7.54.0. |
27 | | - |
28 | | - |
29 | | -## Quick Start |
| 22 | +## Official Source |
30 | 23 |
|
31 | | -Rename misp_config.bro.default to misp_config.bro. Edit misp_config.bro and add your MISP API key and URLs for the Bro Export and Sightings. |
| 24 | +https://dovehawk.io/ |
32 | 25 |
|
| 26 | +https://github.com/tylabs/dovehawk/ |
33 | 27 |
|
34 | 28 |
|
35 | 29 | ## Related Projects |
36 | 30 |
|
37 | 31 | http://www.misp-project.org/ MISP |
38 | 32 |
|
39 | | -https://www.bro.org Bro IDS |
40 | | - |
41 | | - |
42 | | -## Monitoring and context |
43 | | - |
44 | | -The bro module outputs hits to the console, logs to file, and could send metadata to another web hook. |
45 | | - |
46 | | - |
47 | | -## Usage |
48 | | - |
49 | | -If running bro directly, reference the Dovehawk folder: |
50 | | - |
51 | | -sudo bro -i en1 [FULL PATH]/Dovehawk |
52 | | - |
53 | | -If running using the broctl interface, edit the local.bro configuration file in /usr/local/bro/share/bro/site and, at the bottom, add the line: |
54 | | - |
55 | | -@load [FULL PATH]/Dovehawk |
56 | | - |
57 | | -then run the broctl deploy sequence to have the scripts installed. |
58 | | - |
59 | | - |
60 | | -## BRO Tips |
61 | | - |
62 | | -When running locally (ie running Bro on the same system you are generating traffic from), you may need to use the -C option to ignore checksum validation. |
63 | | - |
64 | | - |
65 | | -## Optional Disable local logging |
66 | | - |
67 | | -Add "Log::default_writer=Log::WRITER_NONE" to the command. |
68 | | - |
69 | | -bro -i en0 Dovehawk Log::default_writer=Log::WRITER_NONE |
70 | | - |
71 | | - |
72 | | -## Maintenance |
73 | | - |
74 | | -For long term monitoring, if not disabling logs as above, use broctl to launch, rotate logs, and restart after crashes. |
75 | | - |
| 33 | +https://www.bro.org/ Bro IDS |
76 | 34 |
|
77 | 35 |
|
78 | 36 | # Special Thanks |
|
0 commit comments