Bro + Python = BroThon!
The BroThon package supports the ingestion, processing, and analysis of Bro IDS data with Python.
Bro IDS already has a flexible, powerful scripting language why should I use BroThon?
Offloading: Running complex tasks (yara sigs on files, state machines, machine learning, etc..) should be offloaded from Bro IDS so that Bro can focus on the efficient processing of high volume network traffic.
Python: Pulling Bro data into Python allows us to leverage a large set of of Python modules for data analysis, statistics, machine learning and visualization.
Data Analysis: A growing set of notebooks/examples using statistics and machine learning on Bro data.
from brothon import bro_log_reader
...
# Run the bro reader on a given log file
reader = bro_log_reader.BroLogReader('dhcp.log')
for row in reader.readrows():
pprint(row)
Output: Each row is a nice Python Dictionary with timestamps and types properly converted.
{'assigned_ip': '192.168.84.10',
'id.orig_h': '192.168.84.10',
'id.orig_p': 68,
'id.resp_h': '192.168.84.1',
'id.resp_p': 67,
'lease_time': datetime.timedelta(49710, 23000),
'mac': '00:20:18:eb:ca:54',
'trans_id': 495764278,
'ts': datetime.datetime(2012, 7, 20, 3, 14, 12, 219654),
'uid': 'CJsdG95nCNF1RXuN5'}
...
- Easy ingestion of any Bro Log into Python (dynamic tailing and log rotations are handled)
- Bro Logs to Pandas Dataframes (and then dataframes to Machine Learning :)
- Dynamically monitor files.log and make VirusTotal Queries
- Dynamically monitor http.log and show 'uncommon' User Agents
- Running Yara Signatures on Extracted Files
- Checking x509 Certificates
- Simple Outlier Detection
- See BroThon Examples for more details.
BroThon enables the processing, analysis, and machine learning of realtime data coming from Bro IDS.
- Risky Domains Stats and Deployment: Risky Domains
$ pip install brothon
or
$ pip install brothon[all] # Includes additional dependencies to run all examples (yara, etc)
- The DummyEncoder is based on Tom Augspurger's great PyData Chicago 2016 Talk