Bro Logs
Anthony VEREZ edited this page Aug 6, 2014 · 3 revisions
This example builds a graph from an HTTP Bro log. It makes these connections (source IP to user agent, user agent to host, and referrer to host):

```
+----------+      +---------+
|          |      |         |
|  source  |      |  user   |
|    IP    +------>  agent  +----+      +--------+
|          |      |         |    |      |        |
+----------+      +---------+    +--->  |  host  |
                                 +--->  |        |
+----------+                     |      |        |
|          |                     |      +--------+
| referrer +---------------------+
|          |
+----------+
```
One example log is included, which was parsed from a packet capture on http://malware-traffic-analysis.net.

```
$ cd examples
$ ./bro_graph.py ./sample/http.log
Opening ./sample/http.log
Building graph...
Writing results to ./sample/http.json
$ cd /path/to/Visualization/graphiti
$ ./graphiti demo /path/to/semanticnet/examples/sample/http.json
```
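The following is an added example, not the project's `bro_graph.py`, showing how the graph above can be built from a Bro `http.log`. It parses Bro's ASCII log format by reading the `#separator`, `#unset_field` and `#fields` header lines rather than assuming column positions, and emits the four node types and three edge types from the diagram as plain JSON. The log content is constructed for the example; the node and edge JSON layout is an assumption and is not the format `bro_graph.py` writes.

```python
"""Build a source IP -> user agent -> host / referrer -> host graph from a Bro http.log."""
import json
import sys

# Constructed sample in Bro's ASCII log format (not a real capture): the
# '#fields' header names the tab-separated columns and '-' marks an unset field.
SAMPLE_HTTP_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\thttp
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\ttrans_depth\tmethod\thost\turi\treferrer\tuser_agent
#types\ttime\tstring\taddr\tport\taddr\tport\tcount\tstring\tstring\tstring\tstring\tstring
1407000000.000000\tC1\t10.0.0.5\t51000\t192.0.2.10\t80\t1\tGET\texample.test\t/\t-\tMozilla/5.0
1407000001.000000\tC2\t10.0.0.5\t51001\t192.0.2.20\t80\t1\tGET\tcdn.example.test\t/a.js\thttp://example.test/\tMozilla/5.0
1407000002.000000\tC3\t10.0.0.7\t51002\t192.0.2.10\t80\t1\tGET\texample.test\t/x\t-\tcurl/7.0
#close\t2014-08-06-00-00-03
"""


def parse_bro_log(text):
    """Yield one dict per record, keyed by the names given in the '#fields' header.

    Unset fields (the '#unset_field' marker, '-' by default) become None.
    """
    sep = "\t"
    unset = "-"
    fields = None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):
            # Bro writes the separator as an escape sequence, e.g. '\x09'.
            sep = line[len("#separator "):].encode("ascii").decode("unicode_escape")
        elif line.startswith("#unset_field" + sep):
            unset = line.split(sep, 1)[1]
        elif line.startswith("#fields" + sep):
            fields = line.split(sep)[1:]
        elif line.startswith("#"):
            continue  # other header / footer lines (#types, #path, #close, ...)
        else:
            if fields is None:
                raise ValueError("record appears before the #fields header")
            values = line.split(sep)
            if len(values) != len(fields):
                raise ValueError("field count does not match #fields header")
            yield {k: (None if v == unset else v) for k, v in zip(fields, values)}


def build_http_graph(records):
    """Return {'nodes': [...], 'edges': [...]} following the diagram on this page."""
    nodes = {}   # (type, label) -> numeric id
    edges = set()  # (src_id, dst_id), deduplicated across records

    def node(kind, label):
        key = (kind, label)
        if key not in nodes:
            nodes[key] = len(nodes)
        return nodes[key]

    for r in records:
        host = r.get("host")
        if not host:
            continue  # nothing to connect to without a host
        h = node("host", host)
        ua = r.get("user_agent")
        src = r.get("id.orig_h")
        if ua:
            u = node("user_agent", ua)
            edges.add((u, h))            # user agent -> host
            if src:
                edges.add((node("source_ip", src), u))  # source IP -> user agent
        ref = r.get("referrer")
        if ref:
            edges.add((node("referrer", ref), h))       # referrer -> host

    return {
        "nodes": [{"id": i, "type": k, "label": l}
                  for (k, l), i in sorted(nodes.items(), key=lambda kv: kv[1])],
        "edges": [{"src": s, "dst": d} for s, d in sorted(edges)],
    }


if __name__ == "__main__":
    # Usage: python this_script.py [http.log [out.json]]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HTTP_LOG
    out = sys.argv[2] if len(sys.argv) > 2 else "http.json"
    graph = build_http_graph(parse_bro_log(text))
    with open(out, "w") as f:
        json.dump(graph, f, indent=2)
    print("Wrote %d nodes and %d edges to %s" % (len(graph["nodes"]), len(graph["edges"]), out))
```

Values such as `host`, `referrer` and `user_agent` are copied straight from the observed traffic, so the script only ever uses them as node labels, never as file names or shell arguments. Reading the `#fields` header rather than hard-coding column indexes also keeps the parser working when a Bro deployment adds or reorders fields.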
To build a graph from your own packet capture, run tcpdump and parse the capture with Bro:

```
$ tcpdump -i <your_network_interface> -w outfile.cap
tcpdump: listening on <your_network_interface>, link-type EN10MB (Ethernet), capture size 65535 bytes
^C307 packets captured
309 packets received by filter
0 packets dropped by kernel
$ bro -r outfile.cap
$ ./bro_graph.py /path/to/generated/http.log http.json
Opening /path/to/generated/http.log
Building graph...
Writing results to http.json
$ cd /path/to/Visualization/graphiti
$ ./graphiti demo /path/to/http.json
```