bropy

Basic Anomaly IDS capabilities with Python and Bro

Primary language: Python. License: MIT.

Awesome quality video of me doing a terrible job talking about Bropy... https://www.youtube.com/watch?v=hz2eAWV54i0

CHANGELOG

- Bropy can now generate a list for each host it detects (useful for handing out to sysadmins to Q/C the entries)

- Bropy can now parse conn.log files directly to generate a list of all services. Check out the "advanced" option

- Now using bropy.cfg to set directory parameters. (The default settings are for Security Onion; if you did a custom install, you'll need to edit bropy/etc/bropy.cfg)

- Now using modules to do log processing and rule generation (modules/bropy_logs.py, modules/bropy_rules.py)

- Rules are now sorted by destination IP (as strings, so 21 comes after 100)

- "Auto baseline" is now in the advanced menu... Don't do it.
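
As an added illustration of the conn.log parsing and per-host service lists described above (example code, not bropy's own bropy_logs.py or bropy_rules.py): it reads Bro's tab-separated conn.log using the #fields header, builds a per-destination-host baseline of (proto, port, service), orders hosts numerically rather than as strings, and flags records outside the baseline. The log excerpt is constructed and keeps only the columns the example needs.

```python
# Added example (not bropy's own code): parse Bro conn.log records by their
# "#fields" header, build a per-destination-host service baseline, and flag
# connections that fall outside it. The log excerpt below is constructed.
import ipaddress
from collections import defaultdict

# Constructed conn.log excerpt: header lines start with "#", records are tab-separated.
SAMPLE_CONN_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring
1400000000.1\tC1\t10.0.0.21\t51000\t10.0.0.100\t80\ttcp\thttp
1400000001.2\tC2\t10.0.0.21\t51001\t10.0.0.100\t443\ttcp\tssl
1400000002.3\tC3\t10.0.0.22\t51002\t10.0.0.21\t3306\ttcp\tmysql
1400000003.4\tC4\t10.0.0.23\t51003\t10.0.0.100\t22\ttcp\tssh
1400000004.5\tC5\t10.0.0.21\t51004\t10.0.0.100\t80\ttcp\thttp
"""

def parse_conn_log(text):
    """Yield one dict per record, keyed by the column names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other header lines (#separator, #types, #close) and blanks
        elif fields:
            yield dict(zip(fields, line.split("\t")))

def build_baseline(text):
    """Map each destination host to the set of (proto, port, service) it served.
    Hosts are ordered by numeric address, so 10.0.0.21 sorts before 10.0.0.100."""
    baseline = defaultdict(set)
    for rec in parse_conn_log(text):
        baseline[rec["id.resp_h"]].add((rec["proto"], int(rec["id.resp_p"]), rec["service"]))
    return dict(sorted(baseline.items(), key=lambda kv: ipaddress.ip_address(kv[0])))

def find_anomalies(baseline, text):
    """Return (resp_h, proto, port, service) for records the baseline does not cover."""
    hits = []
    for rec in parse_conn_log(text):
        key = (rec["proto"], int(rec["id.resp_p"]), rec["service"])
        if key not in baseline.get(rec["id.resp_h"], set()):
            hits.append((rec["id.resp_h"],) + key)
    return hits

if __name__ == "__main__":
    for host, services in build_baseline(SAMPLE_CONN_LOG).items():
        print(host, sorted(services))
```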

TODO

- Move more stuff to modules to make bropy.py cleaner

- Allow for custom subnets when generating rules (may need to import another module for subnet testing)

- Allow for comments at Y/N time (i.e. "MYSQL port for dbsvr")

- Generate lists using NETFLOW data (this is gonna take some work)

- IPv6 to make my Troopers friends happy! (Ok, well, me too, IPv6 support would be awesome)