Initial Notes

Intrusion detection system.

• https://github.com/bro

• https://github.com/LiamRandall/bro-training

Bro training has pcaps with samples of things like malware hiding shells in HTTP traffic. For example:

• This folder has some pcaps containing traffic from a yayih trojan: https://github.com/LiamRandall/bro-training/tree/master/malware-demo/mswab_yayih
• Here is a page that explains what the hell the yayih trojan is: https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3AWin32%2FYayih.A

Hat tip:

• http://wiki.securityweekly.com/wiki/index.php/Episode336

Installing

Debian - from source

To install on Debian from source, check out the repo with all submodules:

git clone --recursive https://github.com/bro/bro.git

The INSTALL file is pretty clear with its instructions, but the summary:

sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev

In order to build Bro on Debian 9, install libssl1.0-dev instead of libssl-dev.

(Link: https://github.com/bro/bro/blob/master/doc/install/install.rst)

Then the usual:

./configure
make 
sudo make install

this will install to /usr/local/bro

Using

Before using, make sure you add /usr/local/bro/bin to your $PATH.

Allowing Non-Sudo Users to Capture Packets

To allow non-sudo users to capture packets:

sudo setcap cap_net_raw,cap_net_admin=eip /path/to/bro

You may also need to set permissions on the bro directory, depending on how it was installed.

Minimal Bro Configuration

The minimal starting configuration can be set by editing:

$PREFIX/etc/node.cf to set the interface to monitor

$PREFIX/etc/networks.cfg to specify the networks to consider local

$PREFIX/etc/broctl.cfg to specify the email address and log rotation interval

$ cat /usr/local/bro/etc/node.cfg 
# Example BroControl node configuration.
#
# This example has a standalone node ready to go except for possibly changing
# the sniffing interface.

# This is a complete standalone configuration.  Most likely you will
# only need to change the interface.
[bro]
type=standalone
host=localhost
interface=wlan0

$ cat /usr/local/bro/etc/networks.cfg 
# List of local networks in CIDR notation, optionally followed by a
# descriptive tag.
# For example, "10.0.0.0/8" or "fe80::/64" are valid prefixes.

#10.0.0.0/8          Private IP space
10.6.0.0/16         Private IP space
172.16.0.0/12       Private IP space
192.168.0.0/16      Private IP space

$ cat /usr/lcoal/bro/etc/broctl.cfg

...snip...

LogRotationInterval = 86400

...snip...

Broctl

Start the BroControl shell:

$ broctl

If this is the first time using the shell, run the install command to install BroControl configuration:

[BroControl] > install

References

Bro documentation on github: https://github.com/bro/bro/tree/master/doc

quickstart once you do make docs: file:///home/charles/codes/security/bro/build/html/quickstart/index.html

Flags

network monitoring tools and techniques for monitoring networks to avoid pain and suffering Network Monitoring Network Monitoring/Ten Best Practices Network Monitoring Tools: Ping  · SNMP  · ICMP  · Syslog Bro (network baselining): Bro Snort (IDS): Snort Category:Network Monitoring  · Category:Networking  · Category:Linux Flags  · Template:NetworkMonitoringFlag  · e