Bro: Difference between revisions
From charlesreid1
No edit summary |
|||
| (13 intermediate revisions by 2 users not shown) | |||
| Line 1: | Line 1: | ||
=Initial Notes= | |||
Intrusion detection system. | Intrusion detection system. | ||
https://github.com/bro | * https://github.com/bro | ||
* https://github.com/LiamRandall/bro-training | |||
Bro training has pcaps with samples of things like malware hiding shells in HTTP traffic. For example: | |||
* This folder has some pcaps containing traffic from a yayih trojan: https://github.com/LiamRandall/bro-training/tree/master/malware-demo/mswab_yayih | |||
* Here is a page that explains what the hell the yayih trojan is: https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3AWin32%2FYayih.A | |||
Hat tip: | |||
* http://wiki.securityweekly.com/wiki/index.php/Episode336 | |||
=Installing= | |||
==Debian - from source== | |||
To install on Debian from source, check out the repo with all submodules: | |||
<pre> | |||
git clone --recursive https://github.com/bro/bro.git | |||
</pre> | |||
The INSTALL file is pretty clear with its instructions, but the summary: | |||
<pre> | |||
sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev | |||
</pre> | |||
In order to build Bro on Debian 9, install libssl1.0-dev instead of libssl-dev. | |||
(Link: https://github.com/bro/bro/blob/master/doc/install/install.rst) | |||
Then the usual: | |||
<pre> | |||
./configure | |||
make | |||
sudo make install | |||
</pre> | |||
this will install to <code>/usr/local/bro</code> | |||
=Using= | |||
Before using, make sure you add <code>/usr/local/bro/bin</code> to your <code>$PATH</code>. | |||
==Allowing Non-Sudo Users to Capture Packets== | |||
To allow non-sudo users to capture packets: | |||
<pre> | |||
sudo setcap cap_net_raw,cap_net_admin=eip /path/to/bro | |||
</pre> | |||
You may also need to set permissions on the bro directory, depending on how it was installed. | |||
==Minimal Bro Configuration== | |||
The minimal starting configuration can be set by editing: | |||
<code>$PREFIX/etc/node.cf</code> to set the interface to monitor | |||
<code>$PREFIX/etc/networks.cfg</code> to specify the networks to consider local | |||
<code>$PREFIX/etc/broctl.cfg</code> to specify the email address and log rotation interval | |||
<pre> | |||
$ cat /usr/local/bro/etc/node.cfg | |||
# Example BroControl node configuration. | |||
# | |||
# This example has a standalone node ready to go except for possibly changing | |||
# the sniffing interface. | |||
# This is a complete standalone configuration. Most likely you will | |||
# only need to change the interface. | |||
[bro] | |||
type=standalone | |||
host=localhost | |||
interface=wlan0 | |||
</pre> | |||
<pre> | |||
$ cat /usr/local/bro/etc/networks.cfg | |||
# List of local networks in CIDR notation, optionally followed by a | |||
# descriptive tag. | |||
# For example, "10.0.0.0/8" or "fe80::/64" are valid prefixes. | |||
#10.0.0.0/8 Private IP space | |||
10.6.0.0/16 Private IP space | |||
172.16.0.0/12 Private IP space | |||
192.168.0.0/16 Private IP space | |||
</pre> | |||
<pre> | |||
$ cat /usr/lcoal/bro/etc/broctl.cfg | |||
...snip... | |||
LogRotationInterval = 86400 | |||
...snip... | |||
</pre> | |||
==Broctl== | |||
Start the BroControl shell: | |||
<pre> | |||
$ broctl | |||
</pre> | |||
If this is the first time using the shell, run the install command to install BroControl configuration: | |||
<pre> | |||
[BroControl] > install | |||
</pre> | |||
=References= | |||
https://github.com/ | Bro documentation on github: https://github.com/bro/bro/tree/master/doc | ||
quickstart once you do make docs: file:///home/charles/codes/security/bro/build/html/quickstart/index.html | |||
=Flags= | |||
{{NetworkMonitoringFlag}} | |||
Latest revision as of 04:33, 28 January 2018
Initial Notes
Intrusion detection system.
Bro training has pcaps with samples of things like malware hiding shells in HTTP traffic. For example:
- This folder has some pcaps containing traffic from a yayih trojan: https://github.com/LiamRandall/bro-training/tree/master/malware-demo/mswab_yayih
- Here is a page that explains what the hell the yayih trojan is: https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3AWin32%2FYayih.A
Hat tip:
Installing
Debian - from source
To install on Debian from source, check out the repo with all submodules:
git clone --recursive https://github.com/bro/bro.git
The INSTALL file is pretty clear with its instructions, but the summary:
sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev
In order to build Bro on Debian 9, install libssl1.0-dev instead of libssl-dev.
(Link: https://github.com/bro/bro/blob/master/doc/install/install.rst)
Then the usual:
./configure make sudo make install
this will install to /usr/local/bro
Using
Before using, make sure you add /usr/local/bro/bin to your $PATH.
Allowing Non-Sudo Users to Capture Packets
To allow non-sudo users to capture packets:
sudo setcap cap_net_raw,cap_net_admin=eip /path/to/bro
You may also need to set permissions on the bro directory, depending on how it was installed.
Minimal Bro Configuration
The minimal starting configuration can be set by editing:
$PREFIX/etc/node.cf to set the interface to monitor
$PREFIX/etc/networks.cfg to specify the networks to consider local
$PREFIX/etc/broctl.cfg to specify the email address and log rotation interval
$ cat /usr/local/bro/etc/node.cfg # Example BroControl node configuration. # # This example has a standalone node ready to go except for possibly changing # the sniffing interface. # This is a complete standalone configuration. Most likely you will # only need to change the interface. [bro] type=standalone host=localhost interface=wlan0
$ cat /usr/local/bro/etc/networks.cfg # List of local networks in CIDR notation, optionally followed by a # descriptive tag. # For example, "10.0.0.0/8" or "fe80::/64" are valid prefixes. #10.0.0.0/8 Private IP space 10.6.0.0/16 Private IP space 172.16.0.0/12 Private IP space 192.168.0.0/16 Private IP space
$ cat /usr/lcoal/bro/etc/broctl.cfg ...snip... LogRotationInterval = 86400 ...snip...
Broctl
Start the BroControl shell:
$ broctl
If this is the first time using the shell, run the install command to install BroControl configuration:
[BroControl] > install
References
Bro documentation on github: https://github.com/bro/bro/tree/master/doc
quickstart once you do make docs: file:///home/charles/codes/security/bro/build/html/quickstart/index.html
Flags
 |
network monitoring tools and techniques for monitoring networks to avoid pain and suffering
Network Monitoring/Ten Best Practices
Network Monitoring Tools: Bro (network baselining): Bro Snort (IDS): Snort
Category:Network Monitoring · Category:Networking · Category:Linux Flags · Template:NetworkMonitoringFlag · e |