如何使用Bro IDS和Intel Critical Stack分析網路活動

來自專欄 嘶吼RoarTalk

越來越多的網路攻擊迫使企業將其網路活動作為安全策略的一部分加以控制。

眾多供應商已經設計了多種入侵檢測系統（IDS）來幫助企業保護網路基礎設施。但是，由於商業IDS通常需要花費數千美元，因此該軟體對於小型企業而言可能是經濟上的負擔。幸運的是，開源IDS也可以很有效地達成目的。他們提供可修改的插件，可以動態掃描網路並確保檢測來自互聯網的入侵。

在本文中，我們提供了一份使用免費Bro IDS和Intel Critical Stack分析網路活動的研究的詳細報告。研究證明了這些系統實時檢測網路入侵者的有效性。此外，我們還使用ELK Stack來可視化僅對網路入侵分析有用的數據。本文對安全管理員和正在尋找檢測網路入侵和可疑活動的替代方案的DevSecOps非常有用。

一、研究目標

本研究的目標是使用開源工具的組合來建立一個有效的網路入侵分析環境。

作為主要的監測工具，我們選擇了Bro IDS，它是一種有效的開源解決方案，可收集有關企業內所有網路活動的信息。同時，它會生成大量的日誌，這些日誌沒有過濾或可視化，因而系統管理員很難開展分析。因此，我們需要定義哪些網路活動的日誌可能指示可疑活動，以及如何便利的可視化這些數據以便於進一步網路入侵分析。

二、途徑

我們想要構建一個組件數量最少的監控系統。

在測試環境中運行系統並獲取結果後，我們將調查這些結果，並為系統在真實網路環境中的部署提供建議。

我們測試的監控系統包含以下組件：

· 主機——生成網路活動的監視對象

· 網路入侵檢測系統IDS——對主機流量進行分散式分析的軟體

· 分析和可視化數據的系統

· 在物理硬體上運行的操作系統（OS），用於運行IDS的操作系統以及R數據分析和可視化工具

我們在包含多個虛擬機(複製企業環境)的測試實驗室中進行了所有實驗：

三、軟體簡介

為構建監測系統，我們選擇了以下軟體：

· IDS: Bro Network Security Monitor 和Intel Critical Stack

· 數據可視化: ELK Stack, 由Elasticsearch, Logstash和Kibana組成

· OS: Ubuntu 16.04 虛擬機，配置為internet 網關

什麼是Bro IDS？

Bro Network Security Monitor是一種Unix風格的入侵檢測系統，可監控網路流量並檢測入侵和異常活動。

Bro通過提取其應用層語義來解析網路流量。之後，它通過執行面向事件的Bro IDS協議分析器來檢測入侵，將當前流量與潛在的有害模式進行比較。作為這一分析的結果，Bro可以通過查找特定簽名或根據事件和特定條件自定義攻擊來檢測網路攻擊。

該系統還可用於檢測異常活動，例如多個主機與某些服務的連接或失敗的連接嘗試模式。

請記住，Bro不是干涉網路活動的內聯IDS。Bro與網路活動並行進行分析，並在發生攻擊或未經授權的訪問時發送警報（如果配置正確）。

為什麼我們使用其他軟體？

Intel Critical Stack是對Bro IDS的補充，它擁有檢測惡意軟體網站的簽名。我們安裝了Intel Critical Stack以及Bro IDS，然後收集了互聯網使用情況的數據，並將這些數據發送到Intel Critical Stack資料庫。因此，我們配置了Bro和Critical Stack Agent以便了解訪問了哪些惡意網站。

ELK Stack由三個產品（Elasticsearch，Logstash和Kibana）組成，是收集、歸一化、存儲、可視化和分析由Bro IDS生成的日誌數據所必需的。網路監控的結果寫在不同的日誌中，管理員並不一定總能理解這些日誌。因此，我們使用ELK Stack來顯示圖表數據，便於進行分析和制定決策。

我們使用的所有軟體都是公開的。

四、測試流程

我們通過以下方式對監測系統進行了測試：

1. 客戶向互聯網發送請求。由此，主機生成網路活動。

2. Bro使用tcpdump分析來自enp0s8 （eth1）介面的流量，並使用其插件（包括Intel Critical Stack）在日誌中分配記錄。

3. Elasticsearch使用Logstash分析Bro日誌並將其收集到本地資料庫中。

4. Kibana從資料庫中提取數據並構建模式。

五、數據可視化

為了以最方便的方式分析網路數據，我們選擇了Kibana，它可以清楚地揭示網路中的可疑活動。

我們選擇了以下圖表來顯示數據：

Connections count per minute chart顯示每分鐘連接總數。非工作時間內連接數量的增加可能是活動異常的標誌。

Top protocols chart顯示了通過網路傳輸的流量和流量類型。

Top 10 talkers chart顯示了最有可能被感染的電腦。

Top 10 HTTP requests chart顯示沒有加密的請求，因此這些網站可能會感染惡意軟體。

Top 10 remote ports chart顯示請求數量最多的埠。到一些埠的連接和請求數量每分鐘不斷增加可能表明可疑活動。

Bro log files顯示Bro文件中的記錄數量以及Bro IDS的整體狀態。

Top 10 malware domains chart包含Intel Critical Stack提供的惡意軟體資料庫的源數據。

六、資料庫清理

如上所述，在正常操作過程中，Bro產生大量的日誌文件。

但是，如果資料庫存儲空間有限，則可以在指定的時間段內清理它們。為了刪除不必要的數據，使用Logstash中的Curator並將每日任務添加到Crontab以刪除舊的ELK數據。

以下是actionfile.yml的內容，根據該內容，Curator選擇數據進行清理。

0 1 * * * curator /root/actionfile.ymlactionfile.yml:actions: 1: action: delete_indices description: >- options: ignore_empty_list: True timeout_override: continue_if_exception: False disable_action: False filters: - filtertype: pattern kind: prefix value: logstash- exclude: - filtertype: age source: name direction: older timestring: %Y.%m.%d unit: days unit_count: 30 exclude:

七、在真實網路上部署系統

在分析實驗室環境下的測試結果之後，我們得出結論，將系統部署在真實的網路上需要以下幾點：

· 具有埠鏡像的交換機

· 具有32+ GB RAM和6-10 TB硬碟的伺服器

請注意，需要的系統配置取決於網路服務提供商的帶寬。如果有幾個1 Gbps的通道，則需要安裝Arista，Cisco，Myricom或類似的高性能網路設備。

八、安裝和配置組件的指南

1.安裝Bro IDS

配置虛擬機

在研究中，我們使用了一個帶有兩塊網卡的虛擬機：一個用於互聯網連接，另一個用於Intranet連接。

要執行以下所有命令，需要root（超級用戶）許可權。從安裝DHCP伺服器開始：

apt-get install isc-dhcp-server

執行以下操作來配置它：

添加

INTERFACES="enp0s8"

打開文件/etc/sysctl.conf 並注釋掉到文件/etc/default/isc-dhcp-server

#net.ipv4.ip_forward=1

執行以下命令

sysctl -p /etc/sysctl.conf

在文件 /etc/network/interfaces中，需要指定以下內容：

auto loiface lo inet loopback auto enp0s8iface enp0s8 inet staticaddress 10.10.0.1netmask 255.255.255.0

配置路由

配置路由以便連接到內部網的計算機可以訪問互聯網。從打開防火牆開始：

ufw enable

然後運行rc-local。在計算機重啟後恢復iptables規則是必要的。

systemctl enable rc-local.service

打開文件 /etc/rc.local並添加

/sbin/iptables-restore < /etc/iptables/rules.v4

然後運行以下命令：

iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADEiptables -A FORWARD -i enp0s8 -o enp0s3 -m state --state RELATED,ESTABLISHED -j ACCEPTiptables -A FORWARD -i enp0s8 -o enp0s3 -j ACCEPTiptables -A INPUT -p tcp --dport 5601 -j ACCEPTiptables -A INPUT -p udp --dport 5601 -j ACCEPTiptables-save > /etc/iptables/rules.v4

接下來，將DHCP伺服器配置為自動接收IP地址。打開文件/etc/dhcp/dhcpd.conf並添加以下內容：

subnet 10.10.0.0 netmask 255.255.255.0 { range 10.10.0.50 10.10.0.150; option broadcast-address 10.10.0.255; option routers 10.10.0.1; option domain-name-servers 10.10.0.1, 8.8.8.8;}

安裝Bro所依賴的庫

為使Bro正常運行，需要安裝某些應用程序。因此運行以下命令：

apt-get install cmake make gcc g++ flex bison libpcap-dev libgeoip-dev libssl-dev python-dev zlib1g-dev libmagic-dev swig libgoogle-perftools-devmkdir -p /nsm/bro

安裝Bro IDS

要安裝Bro IDS，請運行以下命令：

cd ~

下載Bro IDS：

wget https://www.bro.org/downloads/release/bro-2.4.1.tar.gz

解壓：

tar -xvzf bro-2.4.1.tar.gzcd bro-2.4.1

配置安裝文件並安裝Bro IDS：

./configure --prefix=/nsm/bromakemake installexport PATH=/nsm/bro/bin:$PATH

配置Bro IDS

要配置Bro IDS，請指定將在node.cfg文件中監控網路流量的介面：

nano /nsm/bro/etc/node.cfg

指定應該監視哪個子網路在networks.cfg:

nano /nsm/bro/etc/networks.cfg

啟動Bro IDS

要啟動Bro，請運行以下命令：

/nsm/bro/bin/broctlinstallexit

編輯rc.local:

sudo nano /etc/rc.local

加上

/nsm/bro/bin/broctl start

然後重新啟動虛擬機

shutdown -r now

Bro IDS的WatchDog

WatchDog會在指定的時間段後自動啟動Bro以防崩潰：

crontab -e# add: */5 * * * * /nsm/bro/bin/broctl cron

Intel Critical Stack

為了將Intel Critical Stack添加到Bro IDS，需要訪問https://intel.criticalstack.com/， 創建感測器並訂閱feed。之後，在安裝了Bro IDS的虛擬機上運行以下命令：

curl https://packagecloud.io/install/repositories/criticalstack/critical-stack-intel/script.deb.sh | sudo bash

使用以下命令配置感測器：

apt-get install critical-stack-intelcritical-stack-intel api <your API key>

檢查並安裝接收到的更新：

broctl checkbroctl installbroctl restart

2.安裝ELK

apt-get update

安裝Java開發工具包：

apt-get install -y openjdk-8-jdkapt-get install -y wget apt-transport-httpswget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -echo "deb https://artifacts.elastic.co/packages/5.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elk.listapt-get update

安裝ElasticSearch：

apt-get install -y elasticsearchsystemctl enable elasticsearchsystemctl start elasticsearch

安裝Logstash：

apt-get install -y logstashsystemctl start logstashsystemctl enable logstash

安裝並配置Kibana：

apt-get install -y kibananano /etc/kibana/kibana.ymlserver.host: "0.0.0.0"systemctl restart kibanasystemctl enable kibana

使用以下命令配置Logstash：

cd /etc/logstash/conf.d/wget https://raw.githubusercontent.com/fakrul/bro-elk/master/bro-conn_log.confwget https://raw.githubusercontent.com/fakrul/bro-elk/master/bro-dns_log.confwget https://raw.githubusercontent.com/fakrul/bro-elk/master/bro-files_log.confwget https://raw.githubusercontent.com/fakrul/bro-elk/master/bro-http_log.confwget https://raw.githubusercontent.com/fakrul/bro-elk/master/bro-intel_log.confwget https://raw.githubusercontent.com/fakrul/bro-elk/master/bro-notice_log.confwget https://raw.githubusercontent.com/fakrul/bro-elk/master/bro-ssh_log.confwget https://raw.githubusercontent.com/fakrul/bro-elk/master/bro-ssl_log.confwget https://raw.githubusercontent.com/fakrul/bro-elk/master/bro-tunnel_log.confwget https://raw.githubusercontent.com/fakrul/bro-elk/master/bro-weird_log.confwget https://raw.githubusercontent.com/fakrul/bro-elk/master/bro-x509_log.conf

註：在conf文件中更改日誌文件的路徑。

然後安裝Logstash的Filter Translate插件：

cd /usr/share/logstash/bin/logstash-plugin install logstash-filter-translatesystemctl restart logstash

3.配置Kibana可視化

將以下JSON文件導入到Kibana中，獲取之前提到的可視化可疑網路活動的圖表。

[ { "_id": "AWHWhw9vuiCz3jvXS1Sb", "_type": "visualization", "_source": { "title": "TOP 10 REMOTE PORTS", "visState": "{"title":"TOP 10 REMOTE PORTS","type":"table","params":{"perPage":10,"showPartialRows":false,"showMeticsAtAllLevels":false,"sort":{"columnIndex":null,"direction":null},"showTotal":false,"totalFunc":"sum","type":"table"},"aggs":[{"id":"1","enabled":true,"type":"count","schema":"metric","params":{}},{"id":"2","enabled":true,"type":"terms","schema":"bucket","params":{"field":"id_resp_port.keyword","exclude":"0","size":10,"order":"desc","orderBy":"1","customLabel":"Remote Port"}}],"listeners":{}}", "uiStateJSON": "{"vis":{"params":{"sort":{"columnIndex":null,"direction":null}}}}", "description": "", "version": 1, "kibanaSavedObjectMeta": { "searchSourceJSON": "{"index":"AWHWHTYfuiCz3jvXGox0","query":{"match_all":{}},"filter":[{"meta":{"index":"AWHWHTYfuiCz3jvXGox0","negate":false,"disabled":false,"alias":null,"type":"phrase","key":"type.keyword","value":"bro-conn_log"},"query":{"match":{"type.keyword":{"query":"bro-conn_log","type":"phrase"}}},"$state":{"store":"appState"}}]}" } } }, { "_id": "AWHXprt1uiCz3jvX3lHz", "_type": "visualization", "_source": { "title": "TOP 10 MALWARE DOMAINS", "visState": "{"title":"TOP 10 MALWARE DOMAINS","type":"table","params":{"perPage":10,"showPartialRows":false,"showMeticsAtAllLevels":false,"sort":{"columnIndex":null,"direction":null},"showTotal":false,"totalFunc":"sum","type":"table"},"aggs":[{"id":"1","enabled":true,"type":"count","schema":"metric","params":{}},{"id":"2","enabled":true,"type":"terms","schema":"bucket","params":{"field":"seen.node.keyword","size":10,"order":"desc","orderBy":"1","customLabel":"Malware Domains"}}],"listeners":{}}", "uiStateJSON": "{"vis":{"params":{"sort":{"columnIndex":null,"direction":null}}}}", "description": "", "version": 1, "kibanaSavedObjectMeta": { "searchSourceJSON": "{"index":"AWHWHTYfuiCz3jvXGox0","query":{"match_all":{}},"filter":[]}" } } }, { "_id": "AWHWRzB1uiCz3jvXLjB9", "_type": "visualization", "_source": { "title": "TOP PROTOCOLS", "visState": "{"title":"TOP PROTOCOLS","type":"pie","params":{"addTooltip":true,"addLegend":true,"legendPosition":"right","isDonut":false,"type":"pie"},"aggs":[{"id":"1","enabled":true,"type":"count","schema":"metric","params":{}},{"id":"2","enabled":true,"type":"terms","schema":"segment","params":{"field":"proto.keyword","size":5,"order":"desc","orderBy":"1","customLabel":"Protocol"}}],"listeners":{}}", "uiStateJSON": "{}", "description": "", "version": 1, "kibanaSavedObjectMeta": { "searchSourceJSON": "{"index":"AWHWHTYfuiCz3jvXGox0","query":{"match_all":{}},"filter":[{"meta":{"index":"AWHWHTYfuiCz3jvXGox0","negate":false,"disabled":false,"alias":null,"type":"phrase","key":"type.keyword","value":"bro-conn_log"},"query":{"match":{"type.keyword":{"query":"bro-conn_log","type":"phrase"}}},"$state":{"store":"appState"}}]}" } } }, { "_id": "AWHWq6wBuiCz3jvXXqYo", "_type": "visualization", "_source": { "title": "BRO LOGS", "visState": "{"title":"BRO LOGS","type":"table","params":{"perPage":3,"showMeticsAtAllLevels":false,"showPartialRows":false,"showTotal":true,"sort":{"columnIndex":null,"direction":null},"totalFunc":"sum","type":"table"},"aggs":[{"id":"1","enabled":true,"type":"count","schema":"metric","params":{"customLabel":"# OF RECORDS"}},{"id":"2","enabled":true,"type":"terms","schema":"bucket","params":{"field":"type.keyword","include":"","size":5,"order":"desc","orderBy":"1","customLabel":"LOG FILES"}}],"listeners":{}}", "uiStateJSON": "{"vis":{"params":{"sort":{"columnIndex":null,"direction":null}}}}", "description": "", "version": 1, "kibanaSavedObjectMeta": { "searchSourceJSON": "{"index":"AWHWHTYfuiCz3jvXGox0","query":{"match_all":{}},"filter":[{"meta":{"index":"AWHWHTYfuiCz3jvXGox0","type":"phrases","key":"type","value":"bro-conn_log, bro-http_log, bro-intel_log","params":["bro-conn_log","bro-http_log","bro-intel_log"],"negate":false,"disabled":false,"alias":null},"query":{"bool":{"should":[{"match_phrase":{"type":"bro-conn_log"}},{"match_phrase":{"type":"bro-http_log"}},{"match_phrase":{"type":"bro-intel_log"}}],"minimum_should_match":1}},"$state":{"store":"appState"}}]}" } } }, { "_id": "AWHWTDyouiCz3jvXMHmd", "_type": "visualization", "_source": { "title": "TOP 10 TALKERS", "visState": "{"title":"TOP 10 TALKERS","type":"histogram","params":{"grid":{"categoryLines":false,"style":{"color":"#eee"},"valueAxis":"ValueAxis-1"},"categoryAxes":[{"id":"CategoryAxis-1","type":"category","position":"bottom","show":false,"style":{},"scale":{"type":"linear"},"labels":{"show":true,"truncate":0},"title":{"text":""}}],"valueAxes":[{"id":"ValueAxis-1","name":"LeftAxis-1","type":"value","position":"left","show":true,"style":{},"scale":{"type":"linear","mode":"normal"},"labels":{"show":true,"rotate":0,"filter":false,"truncate":100},"title":{"text":"Count"}}],"seriesParams":[{"show":"true","type":"histogram","mode":"normal","data":{"label":"Count","id":"1"},"valueAxis":"ValueAxis-1","drawLinesBetweenPoints":true,"showCircles":true}],"addTooltip":true,"addLegend":true,"legendPosition":"right","times":[],"addTimeMarker":false,"type":"histogram","orderBucketsBySum":false},"aggs":[{"id":"1","enabled":true,"type":"count","schema":"metric","params":{}},{"id":"2","enabled":true,"type":"terms","schema":"group","params":{"field":"id_orig_host.keyword","size":10,"order":"desc","orderBy":"1","customLabel":"Host"}}],"listeners":{}}", "uiStateJSON": "{}", "description": "", "version": 1, "kibanaSavedObjectMeta": { "searchSourceJSON": "{"index":"AWHWHTYfuiCz3jvXGox0","query":{"match_all":{}},"filter":[{"meta":{"index":"AWHWHTYfuiCz3jvXGox0","negate":false,"disabled":false,"alias":null,"type":"phrase","key":"type.keyword","value":"bro-conn_log"},"query":{"match":{"type.keyword":{"query":"bro-conn_log","type":"phrase"}}},"$state":{"store":"appState"}}]}" } } }, { "_id": "AWHWRA0BuiCz3jvXLG2E", "_type": "visualization", "_source": { "title": "CONNECTIONS COUNT PER MINUTE", "visState": "{"title":"CONNECTIONS COUNT PER MINUTE","type":"line","params":{"addLegend":true,"addTimeMarker":false,"addTooltip":true,"categoryAxes":[{"id":"CategoryAxis-1","labels":{"show":true,"truncate":0},"position":"bottom","scale":{"type":"linear"},"show":true,"style":{},"title":{"text":"@timestamp per minute"},"type":"category"}],"grid":{"categoryLines":true,"style":{"color":"#eee"},"valueAxis":"ValueAxis-1"},"legendPosition":"top","seriesParams":[{"show":true,"mode":"normal","type":"line","drawLinesBetweenPoints":true,"showCircles":true,"data":{"id":"3","label":"Count"},"valueAxis":"ValueAxis-1"}],"times":[],"type":"line","valueAxes":[{"id":"ValueAxis-1","labels":{"filter":false,"rotate":0,"show":true,"truncate":100},"name":"LeftAxis-1","position":"left","scale":{"mode":"normal","type":"linear"},"show":true,"style":{},"title":{"text":"Count"},"type":"value"}]},"aggs":[{"id":"2","enabled":true,"type":"date_histogram","schema":"segment","params":{"field":"@timestamp","interval":"m","customInterval":"2h","min_doc_count":1,"extended_bounds":{}}},{"id":"3","enabled":true,"type":"count","schema":"metric","params":{}}],"listeners":{}}", "uiStateJSON": "{}", "description": "", "version": 1, "kibanaSavedObjectMeta": { "searchSourceJSON": "{"index":"AWHWHTYfuiCz3jvXGox0","query":{"match_all":{}},"filter":[{"meta":{"index":"AWHWHTYfuiCz3jvXGox0","negate":false,"disabled":false,"alias":null,"type":"phrase","key":"type.keyword","value":"bro-conn_log"},"query":{"match":{"type.keyword":{"query":"bro-conn_log","type":"phrase"}}},"$state":{"store":"appState"}}]}" } } }, { "_id": "AWHWefVTuiCz3jvXRbLT", "_type": "visualization", "_source": { "title": "TOP 10 HTTP REQUESTS", "visState": "{"title":"TOP 10 HTTP REQUESTS","type":"histogram","params":{"grid":{"categoryLines":false,"style":{"color":"#eee"},"valueAxis":"ValueAxis-1"},"categoryAxes":[{"id":"CategoryAxis-1","type":"category","position":"bottom","show":false,"style":{},"scale":{"type":"linear"},"labels":{"show":true,"truncate":0,"filter":false},"title":{"text":""}}],"valueAxes":[{"id":"ValueAxis-1","name":"LeftAxis-1","type":"value","position":"left","show":true,"style":{},"scale":{"type":"linear","mode":"normal"},"labels":{"show":true,"rotate":0,"filter":false,"truncate":100},"title":{"text":"Count"}}],"seriesParams":[{"show":"true","type":"histogram","mode":"normal","data":{"label":"Count","id":"1"},"valueAxis":"ValueAxis-1","drawLinesBetweenPoints":true,"showCircles":true}],"addTooltip":true,"addLegend":true,"legendPosition":"right","times":[],"addTimeMarker":false,"type":"histogram","orderBucketsBySum":false},"aggs":[{"id":"1","enabled":true,"type":"count","schema":"metric","params":{}},{"id":"2","enabled":true,"type":"terms","schema":"group","params":{"field":"referrer.keyword","exclude":"-","size":10,"order":"desc","orderBy":"1","customLabel":"HTTP Host"}}],"listeners":{}}", "uiStateJSON": "{}", "description": "", "version": 1, "kibanaSavedObjectMeta": { "searchSourceJSON": "{"index":"AWHWHTYfuiCz3jvXGox0","query":{"match_all":{}},"filter":[{"meta":{"index":"AWHWHTYfuiCz3jvXGox0","negate":false,"disabled":false,"alias":null,"type":"phrase","key":"type.keyword","value":"bro-http_log"},"query":{"match":{"type.keyword":{"query":"bro-http_log","type":"phrase"}}},"$state":{"store":"appState"}}]}" } } }]

4. 配置Kibana儀錶板

[ { "_id": "AWHXaEbeuiCz3jvXvitY", "_type": "dashboard", "_source": { "title": "Statistics Dashboard", "hits": 0, "description": "", "panelsJSON": "[{"col":1,"id":"AWHWRA0BuiCz3jvXLG2E","panelIndex":1,"row":1,"size_x":12,"size_y":3,"type":"visualization"},{"col":1,"id":"AWHWRzB1uiCz3jvXLjB9","panelIndex":2,"row":4,"size_x":4,"size_y":3,"type":"visualization"},{"col":5,"id":"AWHWTDyouiCz3jvXMHmd","panelIndex":3,"row":4,"size_x":4,"size_y":3,"type":"visualization"},{"col":9,"id":"AWHWefVTuiCz3jvXRbLT","panelIndex":4,"row":4,"size_x":4,"size_y":3,"type":"visualization"},{"col":1,"id":"AWHWhw9vuiCz3jvXS1Sb","panelIndex":5,"row":7,"size_x":4,"size_y":5,"type":"visualization"},{"col":5,"id":"AWHWq6wBuiCz3jvXXqYo","panelIndex":6,"row":7,"size_x":4,"size_y":5,"type":"visualization"},{"col":9,"id":"AWHXprt1uiCz3jvX3lHz","panelIndex":7,"row":7,"size_x":4,"size_y":5,"type":"visualization"}]", "optionsJSON": "{"darkTheme":false}", "uiStateJSON": "{"P-5":{"vis":{"params":{"sort":{"columnIndex":null,"direction":null}}}},"P-6":{"vis":{"params":{"sort":{"columnIndex":null,"direction":null}}}},"P-7":{"vis":{"params":{"sort":{"columnIndex":null,"direction":null}}}}}", "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { "searchSourceJSON": "{"filter":[{"query":{"match_all":{}}}],"highlightAll":true,"version":true}" } } }]

萬事俱備，開始監控網路吧！

九、總結

本文描述了使用開源工具分析網路活動的方法，特別是通過集成BRO IDS和Intel Critical Stack。

這種方法對於檢測受感染的計算機是有效的，並且除了勞動力成本之外不需要小企業的其他投入。

此外，還提供了關於如何配置Bro和Intel Critical Stack進行網路監控和數據收集的建議。最後，解釋了如何使用ELK Stack來顯示數據和解釋圖表。

參考

https://en.wikipedia.org/wiki/Intrusion_detection_system

https://www.bro.org/

https://intel.criticalstack.com/

https://www.elastic.co/

visualizations.zip

dashboard.zip

本文翻譯自：https://www.apriorit.com/dev-blog/532-analyzing-network-bro-intel-critical-stack如若轉載，請註明原文地址： http://www.4hou.com/technology/11721.html 更多內容請關注「嘶吼專業版」——Pro4hou

推薦閱讀：