Posted on Wednesday, 20th February 2013 by Michael
Instant Bro. Create a bro in minutes! (Bro IDS)
I am freshly back from the 2013 Shmoocon and had the privilege to attend a very interesting and informative talk by Liam Randall @Hectaman on the Bro IDS system. To download his talk follow this URL: https://github.com/LiamRandall/bro-scripts/tree/master/talks-and-training
What is Bro IDS?
“Bro is a powerful network analysis framework that is much different from the typical IDS you may know” – www.bro-ids.org
After his talk I wanted to learn more about and install it in my organization to see how it performs. I started with the documentation located here: http://www.bro-ids.org/documentation/index.html and went through the installation and quick start guide. Once you get through those two guides you are basically up and running capturing traffic and logging.
Since this took some time and I wanted to stream line the process of installing and configuring the base solution for quick deployment I wrote a simple shell script that will do the full install and base config with some end user input. Note this script was written and tested on Fedora and CentOS. To get to work on Ubuntu you will need to replace yum with apt-get and rpm with dpkg. There are a few other minor tweaks in that regards as well. If you get stuck just let me know @genxweb
The script works in the following way.
Download the script: http://www.digitaloffensive.com/files/instabro.sh
- Download it and set execute permissions.
- Make sure you are root or it will exit and not run.
- If a new version of Bro comes out edit the references to the old version in variables and install section.
- Execute the script. It will go through a variety of checks.
- Depending on the checks it will be installing the dependencies that Bro needs or upgrading them to the newest version.
- Next it will download, extract and build Bro.
- Once the build process is done it will pause for 30 seconds asking you to check for errors. Please hit ctrl + C if there are any errors, correct the errors and re-run.
- If everything was successful you will now have the opportunity to crease a base configuration for Broctl. If you want to do it yourself press ctrl + c here and exit. Otherwise wait 10 seconds and follow next prompt.
- Well since you are at step 9 you decided to have us help you do the base config.
- Choose your interface to monitor on. If you don’t see any interfaces listed then most likely you need to check your network configuration and try again. If you know your interface and it don’t show just enter it and continue.
- Next enter the network to monitor. Note the escape sequence it is telling you to use. If you don’t follow it, it will break.
- We will also add broctl to the cron for maint reasons.
- Well if you got to this step then you followed the above directions. We are now going to launch the broctl. This will allow you to install the base config and start the Bro IDS system.
Now that it is installed the fun only starts. As I said I am new to Bro IDS and have been reading through all the info I can to get the most out of it as possible. If you have a problem with my script or some other ideas you like to see added hit me up on twitter @genxweb or shoot me a message here.
Posted in Code | Comments (3)
February 20th, 2013 at 8:49 pm
Did you try our binary packages?
February 20th, 2013 at 9:56 pm
Seth,
I did read about them but I prefer to compile from source anything I am going to use in production that is open source. I don’t fully go through all the code but when looking at new tools I do use some scripts to scan through for anything that might throw a huge red flag. I know I could prob of just checked the md5 hashes as well. To be fair though I do plan to at least give them a go on my home network later this week as a possible write up for the teams at this years Mid Atlantic CCDC.
Thanks
Mike
February 24th, 2013 at 11:30 am
You can watch the talk here: http://www.youtube.com/watch?v=7DCPuHdCbpw . Thanks for the great article- Bro truly is amazing.