Posted to dev@metron.apache.org by nickwallen <gi...@git.apache.org> on 2017/04/24 20:50:32 UTC

[GitHub] incubator-metron pull request #545: METRON-883 Capture Bro Plugin Enhancemen...

GitHub user nickwallen opened a pull request:

    https://github.com/apache/incubator-metron/pull/545

    METRON-883 Capture Bro Plugin Enhancements from bro/bro-plugins

    
    There are two versions of the Bro Kafka Plugin.  I authored both of these and contributed one to Metron and the other to Bro itself.  The original goal of doing this was to eventually deprecate the version maintained in Metron, so that the wider community of Bro could use and support the plugin.
    
    Since this time, Bro has created a plugin management mechanism and no longer wants to host plugins.  They are asking individual maintainers to create their own Github repositories to maintain these plugins.  This will require us to continue to support the Bro Kafka Plugin in Metron.
    
    I had contributed additional enhancements to the version in bro/bro-plugins, which I would like to contribute back to Metron proper, since that is now the version that will live on.  The enhancements address a potential thread-safety issue and also allow data from Bro to be directed to separate Kafka topics.
    
    This will enable some follow-on work to package the plugin using Bro's package mechanism.
    
    Validation
    ----------
    
    The following steps can be used to validate the PR.
    
    1. Create a working directory.
    
        ```
        mkdir metron-temp
        cd metron-temp
        ```
    
    1.  Launch a CentOS host.
    
        ```
        vagrant init bento/centos-6.7
        vagrant up
        vagrant ssh
        ```
    
    1. Install some dependencies.
    
        ```
        sudo su -
        yum -y install epel-release
        yum -y install "@Development tools" java-1.8.0-openjdk cmake libpcap-devel openssl-devel python-devel
        ```
    
    1. Create a new Yum repository by creating the file `/etc/yum.repos.d/HDP.repo` with the following content.  This will allow us to install Kafka.
    
        ```
        [HDP-2.5]
        name=HDP-2.5
        baseurl=http://public-repo-1.hortonworks.com/HDP/centos7/2.x/updates/2.5.3.0
        path=/
        enabled=1
        gpgcheck=0
        ```
    
    1. Install and start Kafka.
    
        ```
        yum -y install kafka
        export PATH=$PATH:/usr/hdp/current/kafka-broker/bin
        zookeeper-server start
        kafka start
        ```
    
    1. Install Librdkafka.
    
        ```
        wget https://github.com/edenhill/librdkafka/archive/v0.9.4.tar.gz  -O - | tar -xz
        cd librdkafka-0.9.4/
        ./configure --prefix=/usr
        make
        make install
        ```
    
    1. Add Librdkafka to our default load path.
    
        ```
        echo "/usr/lib" >> /etc/ld.so.conf.d/bro-plugin.conf
        ldconfig -v
        ```
    
    1. Build and install Bro.
    
        ```
        yum -y install cmake libpcap-devel openssl-devel python-devel
        wget https://www.bro.org/downloads/release/bro-2.4.1.tar.gz  -O - | tar -xz
        cd bro-2.4.1
        ./configure --prefix=/usr
        make
        make install
        ```
    
    1. Fetch the code from this PR.
    
        ```
        cd ~
        git clone https://github.com/apache/incubator-metron
        cd incubator-metron
        git pull origin pull/XXX/head
        ```
    
    1. Install the Bro Plugin.
    
        ```
        cd ~/incubator-metron/metron-sensors/bro-plugin-kafka
        ./configure --bro-dist=/root/bro-2.4.1 --install-root=/usr/lib/bro/plugins/ --with-librdkafka=/usr
        make
        make install
        ```
    
    1. Add the following to `/usr/share/bro/site/local.bro`
    
        ```
        @load Bro/Kafka/logs-to-kafka.bro
        redef Kafka::logs_to_send = set(HTTP::LOG, DNS::LOG);
        redef Kafka::topic_name = "bro";
        redef Kafka::tag_json = T;
        redef Kafka::kafka_conf = table( ["metadata.broker.list"] = "localhost:9092" );
        ```
    
    1. Create a virtual interface called `tap0` to listen on.
    
        ```
        yum install -y tunctl
        tunctl -p
        ifconfig tap0 10.0.0.1 up
        ip link set tap0 promisc on
        ```
    
    1. Configure Bro to listen on virtual interface.
    
        ```
        sed -i 's/eth0/tap0/g' /usr/etc/node.cfg
        ```
    
    1. Create a Kafka topic called `bro`.
    
        ```
        kafka-topics.sh --zookeeper localhost:2181 --create --topic bro --partitions 1 --replication-factor 1
        ```
    
    1. Make sure the Bro changes are installed and start Bro.
    
        ```
        broctl deploy
        ```
    
    1. Grab an example pcap file and replay some packet data through `tap0`.  Keep this running in a separate session.
    
        ```
        wget https://github.com/apache/incubator-metron/raw/master/metron-deployment/roles/sensor-test-mode/files/example.pcap
        yum -y install tcpreplay
        tcpreplay -i tap0 --loop=0 --stats=5 example.pcap
        ```
    
    1. Ensure that data is hitting the `bro` topic in Kafka.
    
        ```
        [root@localhost ~]# kafka-console-consumer.sh --zookeeper localhost:2181 --topic bro --from-beginning
        OpenJDK 64-Bit Server VM warning: If the number of processors is expected to increase from one, then you should configure the number of parallel GC threads appropriately using -XX:ParallelGCThreads=N
        {metadata.broker.list=localhost:9092, request.timeout.ms=30000, client.id=console-consumer-64669, security.protocol=PLAINTEXT}
        {"dns": {"ts":1493057575.978069,"uid":"CVttjf9fz4081JAwd","id.orig_h":"10.0.2.15","id.orig_p":36214,"id.resp_h":"10.0.2.3","id.resp_p":53,"proto":"udp","trans_id":19156,"query":"github.com","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":true,"Z":0,"answers":["192.30.253.113","192.30.253.112"],"TTLs":[41.0,41.0],"rejected":false}}
        {"dns": {"ts":1493057576.083925,"uid":"CRcPNQ18zLEP8lJ7Hb","id.orig_h":"10.0.2.15","id.orig_p":51495,"id.resp_h":"10.0.2.3","id.resp_p":53,"proto":"udp","trans_id":63624,"rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":false,"Z":0,"rejected":false}}
        {"dns": {"ts":1493057576.567493,"uid":"CR0XXs39ZZ4QSthcU6","id.orig_h":"10.0.2.15","id.orig_p":50301,"id.resp_h":"10.0.2.3","id.resp_p":53,"proto":"udp","trans_id":29346,"query":"github.com","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":true,"Z":0,"answers":["192.30.253.113","192.30.253.112"],"TTLs":[48.0,48.0],"rejected":false}}
        {"dns": {"ts":1493057576.613803,"uid":"C7bZL53vkLeoXclrO4","id.orig_h":"10.0.2.15","id.orig_p":40789,"id.resp_h":"10.0.2.3","id.resp_p":53,"proto":"udp","trans_id":28614,"rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":false,"Z":0,"rejected":false}}
        ```
    
    
    ## Pull Request Checklist
    
    - [X] Is there a JIRA ticket associated with this PR? If not one needs to be created at [Metron Jira](https://issues.apache.org/jira/browse/METRON/?selectedTab=com.atlassian.jira.jira-projects-plugin:summary-panel). 
    - [X] Does your PR title start with METRON-XXXX where XXXX is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character.
    - [X] Has your PR been rebased against the latest commit within the target branch (typically master)?
    - [X] Have you included steps to reproduce the behavior or problem that is being changed or addressed?
    - [X] Have you included steps or a guide to how the change may be verified and tested manually?
    - [X] Have you ensured that the full suite of tests and checks have been executed in the root incubating-metron folder via:
    - [X] If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under [ASF 2.0](http://www.apache.org/legal/resolved.html#category-a)? 
    - [X] Have you verified the basic functionality of the build by building and running locally with Vagrant full-dev environment or the equivalent?
    
    


You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/nickwallen/incubator-metron METRON-883

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/incubator-metron/pull/545.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #545
    
----
commit 2249b31211dd5856a9ae63fa03623091aeb5a983
Author: Nick Allen <ni...@nickallen.org>
Date:   2017-04-24T17:35:32Z

    METRON-883 Capture Bro Plugin Enhancements from bro/bro-plugins

----


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
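A scripted version of the last validation step above, as an added example that is not part of this pull request or of the Metron project: it reads captured `kafka-console-consumer.sh` output, skips the JVM warning and consumer-config noise, and checks that every remaining line is a tagged JSON record (`Kafka::tag_json = T`) whose single top-level key is one of the streams enabled in `Kafka::logs_to_send`. The stream set, the required-field list and the `classify`/`summarize`/`check_sample` names are assumptions made for this example; the sample lines are the ones shown in the testing steps.

```python
"""Check the tagged-JSON records the Bro Kafka plugin writes to a topic.

Added example, not part of the pull request or of the Metron project. It
assumes the consumer output was captured exactly as kafka-console-consumer.sh
prints it and that `redef Kafka::tag_json = T;` is set, so each record is an
object with one top-level key naming the Bro log stream ("dns", "http", ...).
"""
import json
import sys

# Streams enabled in the test config: redef Kafka::logs_to_send = set(HTTP::LOG, DNS::LOG)
EXPECTED_STREAMS = {"http", "dns"}

# Fields present on every Bro connection-derived log record (assumed minimum).
REQUIRED_FIELDS = ("ts", "uid", "id.orig_h", "id.resp_h")

# Constructed sample: the console-consumer output shown in the validation steps.
SAMPLE_OUTPUT = [
    "OpenJDK 64-Bit Server VM warning: If the number of processors is expected to increase from one, then you should configure the number of parallel GC threads appropriately using -XX:ParallelGCThreads=N",
    "{metadata.broker.list=localhost:9092, request.timeout.ms=30000, client.id=console-consumer-64669, security.protocol=PLAINTEXT}",
    '{"dns": {"ts":1493057575.978069,"uid":"CVttjf9fz4081JAwd","id.orig_h":"10.0.2.15","id.orig_p":36214,"id.resp_h":"10.0.2.3","id.resp_p":53,"proto":"udp","trans_id":19156,"query":"github.com","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":true,"Z":0,"answers":["192.30.253.113","192.30.253.112"],"TTLs":[41.0,41.0],"rejected":false}}',
    '{"dns": {"ts":1493057576.083925,"uid":"CRcPNQ18zLEP8lJ7Hb","id.orig_h":"10.0.2.15","id.orig_p":51495,"id.resp_h":"10.0.2.3","id.resp_p":53,"proto":"udp","trans_id":63624,"rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":false,"Z":0,"rejected":false}}',
    '{"dns": {"ts":1493057576.567493,"uid":"CR0XXs39ZZ4QSthcU6","id.orig_h":"10.0.2.15","id.orig_p":50301,"id.resp_h":"10.0.2.3","id.resp_p":53,"proto":"udp","trans_id":29346,"query":"github.com","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":true,"Z":0,"answers":["192.30.253.113","192.30.253.112"],"TTLs":[48.0,48.0],"rejected":false}}',
    '{"dns": {"ts":1493057576.613803,"uid":"C7bZL53vkLeoXclrO4","id.orig_h":"10.0.2.15","id.orig_p":40789,"id.resp_h":"10.0.2.3","id.resp_p":53,"proto":"udp","trans_id":28614,"rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":false,"Z":0,"rejected":false}}',
]


def classify(line):
    """Return (kind, stream) for one line of consumer output.

    kind is "skipped" for non-record noise (JVM warning, consumer config line),
    "invalid" for JSON that is not a well-formed tagged Bro record for an
    enabled stream, and "record" for a good record.
    """
    line = line.strip()
    # Tagged records always start with an opening brace and a quoted key;
    # the consumer's own config dump starts with "{metadata..." and is noise.
    if not line.startswith('{"'):
        return "skipped", None
    try:
        obj = json.loads(line)
    except ValueError:
        return "invalid", None
    if not isinstance(obj, dict) or len(obj) != 1:
        return "invalid", None          # tag_json means exactly one top-level key
    stream, body = next(iter(obj.items()))
    if stream not in EXPECTED_STREAMS or not isinstance(body, dict):
        return "invalid", stream        # a stream that should not be on this topic
    if any(field not in body for field in REQUIRED_FIELDS):
        return "invalid", stream        # truncated or malformed record
    return "record", stream


def summarize(lines):
    """Count good records per stream plus skipped and invalid lines."""
    summary = {"skipped": 0, "invalid": 0,
               "records": {stream: 0 for stream in EXPECTED_STREAMS}}
    for line in lines:
        kind, stream = classify(line)
        if kind == "record":
            summary["records"][stream] += 1
        else:
            summary[kind] += 1
    return summary


def check_sample():
    """Run the check over the constructed sample captured in the testing steps."""
    return summarize(SAMPLE_OUTPUT)


if __name__ == "__main__":
    # Pipe the consumer output in, e.g.:
    #   kafka-console-consumer.sh --zookeeper localhost:2181 --topic bro --from-beginning | python check_bro_topic.py
    print(json.dumps(summarize(sys.stdin), indent=2))
```

On the captured sample this reports four `dns` records, zero `http` records, two skipped lines and nothing invalid; an `invalid` count above zero after the plugin is deployed is the quickest sign that a record was truncated, that a stream is being sent that `logs_to_send` should have excluded, or that `tag_json` was not applied to the topic being checked.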

[GitHub] incubator-metron pull request #545: METRON-883 Capture Bro Plugin Enhancemen...

Posted by asfgit <gi...@git.apache.org>.
Github user asfgit closed the pull request at:

    https://github.com/apache/incubator-metron/pull/545



[GitHub] incubator-metron issue #545: METRON-883 Capture Bro Plugin Enhancements from...

Posted by JonZeolla <gi...@git.apache.org>.
Github user JonZeolla commented on the issue:

    https://github.com/apache/incubator-metron/pull/545
  
    +1 via inspection and testing steps provided above

