I have been using Snort IDS for a long time and it generates a lot of useful alerts for malicious activity on my PC. Further, I have heard good things about Bro IDS and wanted to give it a try. Bro offers a network analysis framework that is different from a typical IDS like Snort.
Here are the steps for installation on CentOS 6.5 or higher Linux machines:
1) Install the runtime dependencies:
# yum -y install libpcap openssl-libs bind-libs zlib bash python libcurl gawk GeoIP gperftools-libs
2) Install the build dependencies:
# yum -y install libpcap-devel openssl-devel bind-devel zlib-devel cmake git perl libcurl-devel GeoIP-devel python-devel gperftools-devel swig
You may also require the following libraries, so install them in advance, especially if you are compiling Bro from the source tar.gz:
# yum -y install cmake make gcc gcc-c++ flex bison libpcap-devel openssl-devel
# yum -y install python-devel swig zlib-devel
# yum install jemalloc
# yum install jemalloc-devel
# yum install curl
# yum install libcurl-devel
# yum install GeoIP
# yum install GeoIP-devel
# yum install gperftools
# yum install ruby
3) Install the EPEL repository on the machine (pick the release matching your CentOS version):
- EPEL 7: x86_64, ppc64, sources
- EPEL 6: i386, x86_64, ppc64, sources
- EPEL 5: i386, x86_64, ppc, sources
Of course, if you wish, you can compile Bro IDS from source instead!
By default, all Bro IDS related files are installed in /opt/bro.
5) Modify the default PATH so the Bro binaries are found:
# export PATH=/opt/bro/bin:$PATH
You can also add PATH=/opt/bro/bin:$PATH to the ~/.profile file in your home directory to make the change permanent.
6) For basic configuration steps, follow the documentation on the project page.
Using your favorite editor, modify the following 3 files ($PREFIX refers to the base of the Bro installation directory, /opt/bro by default):
- $PREFIX/etc/node.cfg -> Configure the network interface to monitor (e.g. interface=eth0)
[admin@ids]$ cd /opt/bro
[admin@ids bro]$ cat etc/node.cfg
# Example BroControl node configuration.
#
# This example has a standalone node ready to go except for possibly changing
# the sniffing interface.
# This is a complete standalone configuration. Most likely you will
# only need to change the interface.
[bro]
type=standalone
host=localhost
interface=eth0
- $PREFIX/etc/networks.cfg -> Configure the local networks (e.g. 10.0.0.0/8 Private IP space)
# List of local networks in CIDR notation, optionally followed by a
# descriptive tag.
# For example, "10.0.0.0/8" or "fe80::/64" are valid prefixes.
10.0.0.0/8 Private IP space
192.168.0.0/16 Private IP space
- $PREFIX/etc/broctl.cfg -> Change the MailTo address (the recipient of all emails sent out by Bro and BroControl) and the log rotation interval, among other settings
When you run broctl for the first time, the following warning may be reported. Please ignore it.
# broctl
warning: cannot read '/var/bro/spool/broctl.dat' (this is ok on first run)
Welcome to BroControl 1.2
Type "help" for help.
[BroControl] >
[root@ids bro]# broctl
Welcome to BroControl 1.3
Type "help" for help.
[BroControl] > help
BroControl Version 1.3
capstats [<nodes>] [<secs>] - Report interface statistics with capstats
check [<nodes>] - Check configuration before installing it
cleanup [--all] [<nodes>] - Delete working dirs (flush state) on nodes
config - Print broctl configuration
cron [--no-watch] - Perform jobs intended to run from cron
cron enable|disable|? - Enable/disable "cron" jobs
df [<nodes>] - Print nodes' current disk usage
diag [<nodes>] - Output diagnostics for nodes
exec <shell cmd> - Execute shell command on all hosts
exit - Exit shell
install - Update broctl installation/configuration
netstats [<nodes>] - Print nodes' current packet counters
nodes - Print node configuration
peerstatus [<nodes>] - Print status of nodes' remote connections
print <id> [<nodes>] - Print values of script variable at nodes
process <trace> [<op>] [-- <sc>] - Run Bro (with options and scripts) on trace
quit - Exit shell
restart [--clean] [<nodes>] - Stop and then restart processing
scripts [-c] [<nodes>] - List the Bro scripts the nodes will load
start [<nodes>] - Start processing
status [<nodes>] - Summarize node status
stop [<nodes>] - Stop processing
top [<nodes>] - Show Bro processes ala top
update [<nodes>] - Update configuration of nodes on the fly
Commands provided by plugins:
ps.bro [<nodes>] - Show Bro processes on nodes' systems
[BroControl] > cron enable
cron enabled
[BroControl] > install
creating policy directories ... done.
installing site policies ... done.
generating standalone-layout.bro ... done.
generating local-networks.bro ... done.
generating broctl-config.bro ... done.
updating nodes ... done.
[BroControl] >
[BroControl] > status
Name Type Host Status Pid Peers Started
bro standalone localhost stopped
[BroControl] > start
starting bro ...
[BroControl] > status
Name Type Host Status Pid Peers Started
bro standalone localhost running 32206 0 04 Mar 12:21:47
[BroControl] >
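As an added example (not code from the post or from the Bro project), here is a small POSIX shell pre-flight script that checks the two files edited in step 6, the interface in node.cfg and the CIDR prefixes in networks.cfg, before handing over to the broctl check/install/start sequence shown above. PREFIX defaults to /opt/bro; the function names node_interface, check_networks and preflight are my own.

```sh
#!/bin/sh
# Pre-flight check for the standalone Bro setup described above (added example,
# not from the original post). Assumes the default PREFIX=/opt/bro layout;
# override with PREFIX=/other/path when calling it.
PREFIX="${PREFIX:-/opt/bro}"

# Print the sniffing interface set in node.cfg (e.g. "eth0"); comments are ignored.
node_interface() {
    sed -n 's/^[[:space:]]*interface[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" | head -n 1
}

# Validate networks.cfg: every non-blank, non-comment line must begin with an
# IPv4 or IPv6 CIDR prefix, optionally followed by a descriptive tag.
# Returns 0 if all lines are valid, 1 otherwise (offending lines go to stderr).
check_networks() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|\#*) continue ;; esac
        prefix=$(printf '%s\n' "$line" | awk '{ print $1 }')
        if ! printf '%s\n' "$prefix" | grep -Eq \
            '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$|^[0-9A-Fa-f:]+/([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8])$'
        then
            echo "networks.cfg: not a CIDR prefix: $line" >&2
            rc=1
        fi
    done < "$1"
    return $rc
}

# Run the checks, then let BroControl validate and deploy the configuration
# (check/install/start are the commands listed in the broctl help output above).
preflight() {
    iface=$(node_interface "$PREFIX/etc/node.cfg")
    [ -n "$iface" ] || { echo "node.cfg: no interface= line found" >&2; return 1; }
    [ -e "/sys/class/net/$iface" ] || { echo "node.cfg: interface $iface does not exist on this host" >&2; return 1; }
    check_networks "$PREFIX/etc/networks.cfg" || return 1
    case ":$PATH:" in
        *":$PREFIX/bin:"*) ;;
        *) echo "note: $PREFIX/bin is not in PATH; add export PATH=$PREFIX/bin:\$PATH to ~/.profile" >&2 ;;
    esac
    "$PREFIX/bin/broctl" check && "$PREFIX/bin/broctl" install && "$PREFIX/bin/broctl" start
}

# Only deploy when explicitly asked: sh preflight.sh run
if [ "${1:-}" = "run" ]; then preflight; fi
```

Run it as root after editing the three config files; a typo such as a prefix without a /length is caught before broctl install regenerates local-networks.bro.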
That's all!! Check the docs for more information.