initial commit

doc/setup_pfsense.sh

@@ -0,0 +1,101 @@
+# FreeBSD 11.1-RELEASE
+
+# Install dependencies
+pkg install -y bash git flex bison cmake libpcap librdkafka python py27-sqlite3 caf swig
+
+# Compile Bro (no install)
+# Needs compiled because build/src/bifcl is needed to compile plugins
+mkdir /usr/local/src; cd /usr/local/src/
+git clone https://github.com/bro/bro
+cd bro; ./configure && make -j2
+
+# Compile kafka plugin (no install)
+# This will generate APACHE_KAFKA.tar.gz
+cd /usr/local/src/
+git clone https://github.com/apache/metron-bro-plugin-kafka.git
+./configure --bro-dist=/usr/local/src/bro
+make
+
+# Copy APACHE_KAFKA.tgz to pfsense
+# Login into pfsense and enable FreeBSD repos (temporarily)
+sed -i '' 's/FreeBSD: { enabled: no/FreeBSD: { enabled: yes/g' /usr/local/share/pfSense/pkg/repos/pfSense-repo.conf
+sed -i '' 's/FreeBSD: { enabled: no/FreeBSD: { enabled: yes/g' /usr/local/etc/pkg/repos/FreeBSD.conf
+pkg install -y bro librdkafka
+sed -i '' 's/FreeBSD: { enabled: yes/FreeBSD: { enabled: no/g' /usr/local/share/pfSense/pkg/repos/pfSense-repo.conf
+sed -i '' 's/FreeBSD: { enabled: yes/FreeBSD: { enabled: no/g' /usr/local/etc/pkg/repos/FreeBSD.conf
+pkg update
+
+# Extract plugin and enable it
+tar xzf APACHE_KAFKA.tgz -C /usr/local/lib/bro/plugins
+cat > /usr/local/share/bro/site/local.bro <<EOF
+@load misc/loaded-scripts
+@load tuning/defaults
+@load misc/capture-loss
+@load misc/stats
+@load misc/scan
+@load frameworks/software/vulnerable
+@load frameworks/software/version-changes
+@load-sigs frameworks/signatures/detect-windows-shells
+@load protocols/ftp/software
+@load protocols/smtp/software
+@load protocols/ssh/software
+@load protocols/http/software
+@load protocols/ftp/detect
+@load protocols/conn/known-hosts
+@load protocols/conn/known-services
+@load protocols/ssl/known-certs
+@load protocols/ssl/validate-certs
+@load protocols/ssl/log-hostcerts-only
+@load protocols/ssh/geo-data
+@load protocols/ssh/detect-bruteforcing
+@load protocols/ssh/interesting-hostnames
+@load frameworks/files/hash-all-files
+@load frameworks/files/detect-MHR
+@load policy/protocols/conn/vlan-logging
+@load policy/protocols/conn/mac-logging
+@load policy/protocols/smb
+@load Apache/Kafka/logs-to-kafka.bro
+redef Kafka::topic_name = "TLINGEST-CLIENTNAME";
+redef Kafka::tag_json = T;
+redef Kafka::logs_to_send = set(CaptureLoss::LOG, PacketFilter::LOG, Stats::LOG, Conn::LOG, DHCP::LOG, DNS::LOG, FTP::LOG, HTTP::LOG, IRC::LOG, KRB::LOG, NTLM::LOG, RADIUS::LOG, RDP::LOG, SIP::LOG, SMB::CMD_LOG, SMB::FILES_LOG, SMB::MAPPING_LOG, SMTP::LOG, SNMP::LOG, SOCKS::LOG, SSH::LOG, SSL::LOG, Syslog::LOG, Tunnel::LOG, Files::LOG, PE::LOG, X509::LOG, Intel::LOG, Notice::LOG, Software::LOG, Weird::LOG, CaptureLoss::LOG);
+redef Kafka::kafka_conf = table(["client.id"] = "setme.client"
+    , ["compression.codec"] = "lz4"
+    , ["request.required.acks"] = "0"
+    , ["metadata.broker.list"] = "10.15.0.40:9092,10.15.0.41:9092,10.15.0.42:9092"
+);
+EOF
+
+cat > /usr/local/etc/node.cfg <<EOF
+[logger]
+type=logger
+host=localhost
+[manager]
+type=manager
+host=localhost
+[proxy-1]
+type=proxy
+host=localhost
+[worker-1]
+type=worker
+host=localhost
+interface=igb1
+EOF
+
+cat > /usr/local/etc/broctl.cfg <<EOF
+MailTo = root@localhost
+MailConnectionSummary = 0
+MinDiskSpace = 0
+MailHostUpDown = 0
+LogRotationInterval = 3600
+LogExpireInterval = 0
+StatsLogEnable = 1
+StatsLogExpireInterval = 1
+StatusCmdShowAll = 0
+CrashExpireInterval = 1
+SitePolicyScripts = local.bro
+LogDir = /usr/local/logs
+SpoolDir = /usr/local/spool
+CfgDir = /usr/local/etc
+EOF
+
+broctl check