METRON-1261: Apply bro security patch

[JonZeolla]

Contributor Comments

This should update the version of bro that is auto-installed by full-dev/quick-dev, and update some manual instructions for setting up bro to use bro 2.4.2, which recently had a security patch applied (details here).

Additional testing instructions coming soon.

Pull Request Checklist

Thank you for submitting a contribution to Apache Metron.
Please refer to our Development Guidelines for the complete guide to follow for contributions.
Please refer also to our Build Verification Guidelines for complete smoke testing guides.

In order to streamline the review of the contribution we ask you follow these guidelines and ask you to double check the following:

For all changes:

• Is there a JIRA ticket associated with this PR? If not one needs to be created at Metron Jira.
• Does your PR title start with METRON-XXXX where XXXX is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character.
• Has your PR been rebased against the latest commit within the target branch (typically master)?

For code changes:

• Have you included steps or a guide to how the change may be verified and tested manually?
• Have you verified the basic functionality of the build by building and running locally with Vagrant full-dev environment or the equivalent?

For documentation related changes:

• Have you ensured that format looks appropriate for the output in which it is rendered by building and verifying the site-book? If not then run the following commands and the verify changes via site-book/target/site/index.html:

  cd site-book
  mvn site
  

Note:

Please ensure that once the PR is submitted, you check travis-ci for build issues and submit an update to your PR as soon as possible.
It is also recommended that travis-ci is set up for your personal repository such that your branches are built there before submitting a pull request.

[JonZeolla]

Testing

1. Create a working directory and pull in this PR

   mkdir ~/metron-1261
   git clone https://github.com/apache/metron ~/metron-1261/metron
   cd ~/metron-1261/metron
   git remote add jonzeolla https://github.com/jonzeolla/metron
   git pull jonzeolla METRON-1261
   

2. Modify this to remove sensors, (to spin up the real sensors).

   sed -i '' "s/ansibleSkipTags=.*/ansibleSkipTags=\'quick_dev\'/" metron-deployment/vagrant/full-dev-platform/Vagrantfile
   

3. Spin up full-dev

   cd metron-deployment/vagrant/full-dev-platform/
   vagrant up
   

4. Set up the environment in full-dev.

   vagrant ssh
   sudo su -
   export PATH=$PATH:/usr/local/bro/bin
   service monit stop && service sensor-stubs stop bro && broctl stop
   yum -y install jq wireshark
   

5. Configure kafka in local.bro so all of the currently supported bro logs are being sent.

   sed -i 's/redef Kafka::logs_to_send = .*/redef Kafka::logs_to_send = set(HTTP::LOG, DNS::LOG, Conn::LOG, DPD::LOG, DHCP::LOG, FTP::LOG, SSH::LOG, SSL::LOG, SMTP::LOG, RADIUS::LOG, Weird::LOG, Files::LOG, Notice::LOG, Software::LOG, Known::CERTS_LOG, Known::DEVICES_LOG, X509::LOG);/' /usr/local/bro/share/bro/site/local.bro
   echo "redef Kafka::debug = \"all\";" >> /usr/local/bro/share/bro/site/local.bro
   echo "redef Known::cert_tracking = ALL_HOSTS;" >> /usr/local/bro/share/bro/site/local.bro
   echo "redef Software::asset_tracking = ALL_HOSTS;" >> /usr/local/bro/share/bro/site/local.bro
   sed -i '86 a @load policy/protocols/dhcp/known-devices-and-hostnames.bro' /usr/local/bro/share/bro/site/local.bro
   

6. Monitor the bro kafka topic

   # Open a new terminal
   cd ~/metron-1261/metron/metron-deployment/vagrant/full-dev-platform
   vagrant ssh
   sudo su -
   export PATH=$PATH:/usr/local/bro/bin:/usr/hdp/current/kafka-broker/bin
   kafka-console-consumer.sh --zookeeper localhost:2181 --topic bro
   

7. Monitor the storm logs.

   # Open a new terminal
   cd ~/metron-1261/metron/metron-deployment/vagrant/full-dev-platform
   vagrant ssh
   sudo su -
   export PATH=$PATH:/usr/local/bro/bin:/usr/hdp/current/kafka-broker/bin
   # Look at the storm logs (The "failed to parse" errors for ip_src_addr and ip_dst_addr are expected, and should be addressed as a part of METRON-939)
   tail -f /var/log/storm/workers-artifacts/indexing-*/*/worker.log | grep -i "org.elasticsearch.index.mapper.MapperParsingException: failed to parse"
   # You may want to evaluate worker.log for other errors, but the prior command is helpful to cut through some of the failed indexing of IPv6 addresses
   

8. Run bro against some public pcaps.

   # In the first of your three terminals
   # These are kept separate so that the flat file log output won't stomp the prior ones, for ingest validation
   mkdir -p ~/brotmp/nitroba ~/brotmp/example-traffic ~/brotmp/ssh ~/brotmp/ftp ~/brotmp/radius
   wget https://www.bro.org/static/traces/exercise-traffic.pcap -O ~/brotmp/example-traffic/exercise-traffic.pcap
   wget http://downloads.digitalcorpora.org/corpora/network-packet-dumps/2008-nitroba/nitroba.pcap -O ~/brotmp/nitroba/nitroba.pcap
   wget https://www.bro.org/static/traces/ssh.pcap -O ~/brotmp/ssh/ssh.pcap
   wget https://github.com/markofu/pcaps/blob/master/PracticalPacketAnalysis/ppa-capture-files/ftp.pcap?raw=true -O ~/brotmp/ftp/ftp.pcap
   wget https://github.com/EmpowerSecurityAcademy/wireshark/blob/master/radius_localhost.pcapng?raw=true -O ~/brotmp/radius/radius_localhost.pcapng
   cd ~/brotmp/example-traffic
   bro -r exercise-traffic.pcap /usr/local/bro/share/bro/site/local.bro -C
   cd ~/brotmp/nitroba
   bro -r nitroba.pcap /usr/local/bro/share/bro/site/local.bro -C
   cd ~/brotmp/ssh
   bro -r ssh.pcap /usr/local/bro/share/bro/site/local.bro -C
   cd ~/brotmp/ftp
   bro -r ftp.pcap /usr/local/bro/share/bro/site/local.bro -C
   cd ~/brotmp/radius
   editcap -F libpcap radius_localhost.pcapng radius_localhost.pcap
   bro -r radius_localhost.pcap /usr/local/bro/share/bro/site/local.bro -C
   

9. Validate that terminals 2 and 3 don't have any errors that you don't expect.
10. Verify proper indexing in ES and availability in kibana.

    # Check around and make sure things look okay
    declare -a exists notexists; for protocol in http dns conn dpd dhcp ftp ssh ssl smtp radius weird files notice software known_certs x509 known_devices; do if [[ $(curl -s -XGET "node1:9200/bro*/_search?q=protocol:${protocol}" | jq '.hits.hits') == '[]' ]]; then notexists+=" ${protocol}"; else exists+=" ${protocol}"; fi; done; if [ ${#notexists[@]} -ne 0 ]; then echo -e "\n\n\033[0mThe following do exist in ES: ${exists[@]}\n\033[0;31mThe following do NOT exist in ES: ${notexists[@]}\033[0m"; else echo 'All of the log types are in ES!  Success!'; fi; unset exists notexists
    # Check Kibana.  For example:  http://node1:5000/app/kibana#/visualize/create?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-15y,mode:quick,to:now))&_a=(filters:!(),linked:!f,query:(query_string:(analyze_wildcard:!t,query:'*')),uiState:(),vis:(aggs:!((id:'3',params:(field:protocol,orderBy:'2',size:20),schema:segment,type:terms),(id:'2',schema:metric,type:count)),type:histogram))&indexPattern=bro*&type=histogram
    # OPTIONAL testing
    # Run `/usr/share/elasticsearch/bin/plugin install mobz/elasticsearch-head` and look around
    curl -XGET node1:9200/_cat/indices # First column should be all green
    curl -XGET "node1:9200/bro*/_count" # Check the count of entries in the bro index, you can re-run bro against specific PCAPs and watch this increase, etc.
    

11. Make sure the right bro version was installed.

    if [[ "$(bro -v 2>&1)" == "bro version 2.4.2" ]]; then echo "Success!"; else echo "ERROR:  Not running bro 2.4.2"; fi
    

[cestella]

As usual, I really love your test scripts. Well done, @JonZeolla !

[ottobackwards]

Maybe we should have the checkout-pr script in the metron repo?

[justinleet]

It's actually easier than this to pull in a PR, for future reference

git fetch upstream pull/805/head:METRON-1261
git checkout METRON-1261

Assuming upstream is GitHub, of course. It'll just make a branch in your local and you can check it out there.

Edit: 805 being the PR number from the top after the title

[JonZeolla]

Right @justinleet I've done that in the past as well, this is me just being lazy and not wanting to look up the PR # when drafting my instructions =)

That said, those instructions don't depend on my repo, which means it's probably the right way to do it.

[ottobackwards]

https://github.com/nickwallen/metron-commit-stuff/blob/master/checkout-pr

[JonZeolla]

This is ready for a review.

[ottobackwards]

@JonZeolla. Followed the steps, and in my monitor storm logs 'window' i have many of the following:

[root@node1 ~]# tail -f /var/log/storm/workers-artifacts/indexing-*/*/worker.log | grep -i "org.elasticsearch.index.mapper.MapperParsingException: failed to parse"
org.elasticsearch.index.mapper.MapperParsingException: failed to parse [ip_dst_addr]
org.elasticsearch.index.mapper.MapperParsingException: failed to parse [ip_dst_addr]
org.elasticsearch.index.mapper.MapperParsingException: failed to parse [ip_dst_addr]

I don't know if I should expect these or not?

[ottobackwards]

never mind, I just re-read the instructions before sorry

[ottobackwards]

+1
Followed instructions and everything worked as expected.
Great work @JonZeolla!