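# Sample capture (Heartbleed traffic) that drives the demo, fetched over HTTPS from the project repo.
$ wget https://github.com/blacktop/docker-bro/raw/master/pcap/heartbleed.pcap
# Nothing on this page configures authentication for Elasticsearch, so its REST API on
# 9200 would accept unauthenticated reads and writes from anyone who can reach the host.
# Bind the published port to loopback; the kibana and bro containers talk to it over
# --link, not through this host port, so they are unaffected.
$ docker run -d --name elasticsearch -p 127.0.0.1:9200:9200 blacktop/elasticsearch:5.6
# Kibana is likewise unauthenticated here; keep it on loopback as well.
$ docker run -d --name kibana --link elasticsearch -p 127.0.0.1:5601:5601 blacktop/kibana:5.6
# Mount the current directory into the container ($(pwd) quoted so a path with spaces
# still mounts) and replay the pcap through the local policy. The trailing expression
# adds the lab subnet to Site::local_nets, which defines what Bro treats as local traffic.
$ docker run -it --rm -v "$(pwd)":/pcap --link elasticsearch \
  blacktop/bro:elastic -r heartbleed.pcap local "Site::local_nets += { 192.168.11.0/24 }"
# assuming you are using Docker For Mac.
$ open http://localhost:5601/app/kibana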
⚠️ NOTE: On a Linux host, Elasticsearch needs the kernel's memory-map area limit (`vm.max_map_count`) raised before it will run reliably. Persist the setting and apply it to the running kernel with the following commands:
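# Persist the setting, but only append it if it is not already present so that
# re-running this step does not stack duplicate lines in /etc/sysctl.conf.
grep -q '^vm.max_map_count=' /etc/sysctl.conf || echo "vm.max_map_count=262144" | sudo tee -a /etc/sysctl.conf
# Apply it to the running kernel immediately (the file above only takes effect on reboot/reload).
sudo sysctl -w vm.max_map_count=262144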
Click the Discover tab and filter on `_type:notice` to view Bro's notice log, which is where the Heartbleed detection from the sample pcap should appear.
Shortcut: https://goo.gl/e5v7Qr (a shortened link whose destination is opaque; if it no longer resolves, use http://localhost:5601/app/kibana and apply the `_type:notice` filter by hand).
=OR=
Alternatively, you can bring the same stack up with docker-compose:
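# A shallow clone is enough; only the compose files are needed, not the history.
$ git clone --depth 1 https://github.com/blacktop/docker-bro.git
# The compose file lives inside the cloned repo, so change into it first
# (the following commands fail with "file not found" otherwise).
$ cd docker-bro
# Before running this on a shared network, check which ports
# docker-compose.elastic.yml publishes to the host; nothing on this page
# configures authentication for Elasticsearch or Kibana.
$ docker-compose -f docker-compose.elastic.yml up -d kibana
# Run bro in the foreground so its output is visible while the pcap is processed.
$ docker-compose -f docker-compose.elastic.yml up bro
# Shortened link with an opaque destination; if it does not resolve, open
# http://localhost:5601/app/kibana and filter Discover on _type:notice.
$ open https://goo.gl/e5v7Qr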
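# All-in-one Elastic stack image: Kibana is served on 80 and Elasticsearch on 9200.
# Nothing here puts either service behind authentication, so bind both published
# ports to loopback instead of every interface on the host. The bro container
# reaches Elasticsearch over --link and does not depend on these host ports.
$ docker run -d --name elasticsearch -p 127.0.0.1:80:80 -p 127.0.0.1:9200:9200 blacktop/elastic-stack:5.6
# bro-watch processes pcaps that appear in the mounted folder; quote $(pwd) so a
# directory path containing spaces still mounts correctly.
$ docker run -it --rm -v "$(pwd)":/pcap --link elasticsearch blacktop/bro:elastic bro-watch
# assuming you are using Docker For Mac.
$ open http://localhost/app/kibana
# download pcap into the watched folder on your host (the directory mounted above).
$ wget https://github.com/blacktop/docker-bro/raw/master/pcap/heartbleed.pcap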