Initial Notes

Intrusion detection system.

Bro training has pcaps with samples of things like malware hiding shells in HTTP traffic. For example:

Hat tip:

Installing

To install on Debian from source, check out the repo with all submodules:

git clone --recursive https://github.com/bro/bro.git

The INSTALL file is pretty clear with its instructions, but the summary:

sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev

In order to build Bro on Debian 9, install libssl1.0-dev instead of libssl-dev.

Then the usual:

./configure
make 
sudo make install

this will install to /usr/local/bro

Before using, make sure you add /usr/local/bro/bin to your $PATH.

To allow non-sudo users to capture packets:

sudo setcap cap_net_raw,cap_net_admin=eip /path/to/bro

You may also need to set permissions on the bro directory, depending on how it was installed.

The minimal starting configuration can be set by editing:

$PREFIX/etc/node.cf to set the interface to monitor

$PREFIX/etc/networks.cfg to specify the networks to consider local

$PREFIX/etc/broctl.cf to specify the email address and log rotation interval

Start the BroControl shell:

$ broctl

If this is the first time using the shell, run the install command to install BroControl configuration:

[BroControl] > install

quickstart once you do make docs: file:///home/charles/codes/security/bro/build/html/quickstart/index.html