Revision as of 04:24, 28 January 2018

Initial Notes

Intrusion detection system.

Bro training has pcaps with samples of things like malware hiding shells in HTTP traffic. For example:

Hat tip:

To install on Debian from source, check out the repo with all submodules:

git clone --recursive https://github.com/bro/bro.git

The INSTALL file is pretty clear with its instructions, but the summary:

sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev

In order to build Bro on Debian 9, install libssl1.0-dev instead of libssl-dev.

Then the usual:

./configure
make 
sudo make install

this will install to /usr/local/bro

Before using, make sure you add /usr/local/bro/bin to your $PATH.

To allow non-sudo users to capture packets:

sudo setcap cap_net_raw,cap_net_admin=eip /path/to/bro

Start the BroControl shell:

$ broctl

If this is the first time using the shell, run the install command to install BroControl configuration:

[BroControl] > install

quickstart once you do make docs: file:///home/charles/codes/security/bro/build/html/quickstart/index.html

@@ Line 47: / Line 47: @@
 Before using, make sure you add <code>/usr/local/bro/bin</code> to your <code>$PATH</code>.
+==Allowing Non-Sudo Users to Capture Packets==
+To allow non-sudo users to capture packets:
+<pre>
+sudo setcap cap_net_raw,cap_net_admin=eip /path/to/bro
+</pre>
 ==Broctl==