BAT: Bro Analysis Tools
Project description
Bro + Python = BroThon!
The BroThon package supports the ingestion, processing, and analysis of Bro IDS data with Python.
Why BroThon?
Bro IDS already has a flexible, powerful scripting language, so why should I use BroThon?
Offloading: Running complex tasks (yara sigs on files, state machines, machine learning, etc.) should be offloaded from Bro IDS so that Bro can focus on the efficient processing of high volume network traffic.
Python: Pulling Bro data into Python allows us to leverage a large set of Python modules for data analysis, statistics, machine learning and visualization.
Data Analysis: A growing set of notebooks/examples using statistics and machine learning on Bro data.
Easy to Use
from pprint import pprint
from brothon import bro_log_reader
...
# Run the bro reader on a given log file
reader = bro_log_reader.BroLogReader('dhcp.log')
for row in reader.readrows():
    pprint(row)
Output: Each row is a nice Python Dictionary with timestamps and types properly converted.
{'assigned_ip': '192.168.84.10', 'id.orig_h': '192.168.84.10', 'id.orig_p': 68, 'id.resp_h': '192.168.84.1', 'id.resp_p': 67, 'lease_time': datetime.timedelta(49710, 23000), 'mac': '00:20:18:eb:ca:54', 'trans_id': 495764278, 'ts': datetime.datetime(2012, 7, 20, 3, 14, 12, 219654), 'uid': 'CJsdG95nCNF1RXuN5'} ...
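To show what a reader like the one above has to do under the hood, here is an added example (written for this page, not BroThon's own implementation) of a minimal parser for the Bro ASCII log format: it takes the column names from the #fields header and the column types from the #types header, converts each value to the matching Python type, and returns every row as a dictionary like the output above. The dhcp.log text is constructed sample data and the parser assumes the default tab separator.

```python
import datetime

# Constructed sample of a Bro ASCII dhcp.log (tab-separated; not from the project).
SAMPLE_DHCP_LOG = """\
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmac\tassigned_ip\tlease_time\ttrans_id
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\taddr\tinterval\tcount
1342754052.219654\tCJsdG95nCNF1RXuN5\t192.168.84.10\t68\t192.168.84.1\t67\t00:20:18:eb:ca:54\t192.168.84.10\t4294967295.000000\t495764278
1342754060.000000\tCxYz01Sample\t192.168.84.11\t68\t192.168.84.1\t67\t00:20:18:eb:ca:55\t-\t-\t7
#close\t2012-07-20-03-20-00
"""

# Converters for the Bro scalar types; anything unlisted (string, addr, ...) stays a str.
CONVERTERS = {
    'time': lambda v: datetime.datetime.fromtimestamp(float(v), tz=datetime.timezone.utc),
    'interval': lambda v: datetime.timedelta(seconds=float(v)),
    'count': int, 'int': int, 'port': int,
    'double': float,
    'bool': lambda v: v == 'T',
}

def convert(value, bro_type, unset='-', empty='(empty)', set_sep=','):
    """Convert one raw field according to its #types entry ('-' means unset -> None)."""
    if value == unset:
        return None
    if bro_type.startswith(('set[', 'vector[')):  # containers hold a comma-separated list
        inner = bro_type[bro_type.index('[') + 1:-1]
        return [] if value == empty else [convert(v, inner) for v in value.split(set_sep)]
    return CONVERTERS.get(bro_type, str)(value)

def read_bro_log(text):
    """Yield one dict per data row, typed via the #fields/#types header lines."""
    fields, types = [], []
    for line in text.splitlines():
        if line.startswith('#fields'):
            fields = line.split('\t')[1:]
        elif line.startswith('#types'):
            types = line.split('\t')[1:]
        elif line.startswith('#') or not line:
            continue  # other metadata (#separator, #path, #open, #close) carries no rows
        else:
            values = line.split('\t')
            if len(values) != len(fields):  # e.g. a partially written line while tailing
                raise ValueError('column count does not match #fields header')
            yield {f: convert(v, t) for f, v, t in zip(fields, values, types)}
```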
More Examples
Easy ingestion of any Bro Log into Python (dynamic tailing and log rotations are handled)
Bro Logs to Pandas Dataframes and Scikit-Learn
Dynamically monitor files.log and make VirusTotal Queries
Dynamically monitor http.log and show ‘uncommon’ User Agents
Running Yara Signatures on Extracted Files
Checking x509 Certificates
Anomaly Detection
See BroThon Examples for more details.
Analysis Notebooks
BroThon enables the processing, analysis, and machine learning of realtime data coming from Bro IDS.
Risky Domains Stats and Deployment: Risky Domains
Bro to Scikit-Learn: Bro to Scikit
Bro to Spark: Bro to Spark
Anomaly Detection Exploration: Anomaly Detection
Install
$ pip install brothon
or
$ pip install brothon[all]   # Includes additional dependencies to run all examples (yara, etc.)
Documentation
Thanks
The DummyEncoder is based on Tom Augspurger’s great PyData Chicago 2016 Talk