bro ids install notes on ubuntu 11

-
I was recently asked to test out Bro IDS.  
First of all you need to get all the dependencies ready before
compiling bro-ids source code.

sudo apt-get install libncurses5-dev g++ bison flex libmagic-dev
libgeoip-dev libssl-dev libpcap-dev libpcap0.8-dev byacc

Next step, download stable bro release

http://www.bro-ids.org/downloads/release/bro-1.5.3.tar.gz

Assume that you put it on your desktop. Type "cd Desktop/" to go to
the desktop folder.

Unzip the tarball by using this "tar zxvf bro-1.5.3.tar.gz"
cd bro-1.5.3
./configure
make
make install-broctl

Navigate to the folder /usr/local/bro/etc/

Edit the config files

/broctl.cfg is the overall _BroControl_ configuration. Initially, you
probably only need to edit the email address for mails sent by the
framework; that's the +MailTo+ line.

/node.cfg, you need to specify the network interface Bro is to
monitor; that's the +interface+ line.

/networks.cfg, list all the networks which Bro should consider as
local to the monitored enviroment, 192.168.0.0 is already listed.

Navigate to the folder /usr/local/bro/bin/

run ./broctl install

This will install the modified configuration

Now run

crontab -e

pick nano edit option, 2 for me.  add "0-59/5 * * * *
/usr/local/bro/bin/broctl cron" to the bottom of the file and save..

to start bro run

./broctl start

you can check the /usr/local/bro/logs/ folder

Comments

Post a Comment

Popular posts from this blog

Investigating Indicators of Compromise In Your Environment With Latest Version of Redline

-
Image
Investigating Indicators of Compromise In Your Environment With Latest Version of Redline : Recently, Mandiant ® released a new version of Redline ™ . If you are not familiar with Redline, it is a great tool for investigating a specific Windows host in depth. We will have a more thorough look into Redline in the next month or so. What I wanted to touch on today is one of Redline’s brand new features: you can now use Indicators of Compromise (IOCs) to drive your Redline investigations. If you are not familiar with IOCs, I urge to you take a moment and head over to http://OpenIOC.org and have a look around. IOCs are the best way for finding indications of compromise and/or intrusion throughout your enterprise. IOCs are one of the main technologies that power Mandiant Intelligent Response, Mandiant’s flagship IR appliance, and have previously been accessible in free products with IOC Editor & IOC Finder . Some blog entries that might help bring you up to speed are Ryan Kazanciya...
Read more

Painting a Picture of W32.Flamer

-
Image
Painting a Picture of W32.Flamer : The number of different components in W32.Flamer is difficult to grasp. The threat is a well designed platform including, among other things, a Web server, a database server, and secure shell communications. It includes a scripting interpreter which allows the attackers to easily deploy updated functionality through various scripts. These scripts are split up into 'apps' and the attackers even appear to have something equivalent to an 'app store' from where they can retrieve new apps containing malicious functionality. To get an idea of how all these components fit together, the best place to start is a file called mssecmgr.ocx . This is W32.Flamer's main file and it is the first element of the threat executed by an infected computer. The file mssecmgr.ocx contains a large number of sub-components. A breakdown of the various components and how they are stored in this file are shown in Figure 1 below: Figure 1. Overview of W...
Read more

Flame: Bunny, Frog, Munch and BeetleJuice…

-
Image
Flame: Bunny, Frog, Munch and BeetleJuice… : As already mentioned in the previous blog post about Flame, the volume of its code and functionality are so great that it will take several months for a complete analysis. We’re planning on continually disclosing in our publications the most important and interesting details of its functionality as we reveal them.At the moment we are receiving many inquiries about how to check systems for a Flame infection. Of course the simplest answer, for us, is to advise to use Kaspersky Lab Antivirus or Internet Security. We successfully detect and delete all possible modifications of the main module and extra components of Flame.However, for those who want to carry out a detailed check themselves, at the end of this article we will give the necessary recommendations and advice. MSSECMGR.OCX The main module of Flame is a DLL file called mssecmgr.ocx. We’ve discovered two modifications of this module. Most of the infected machines contained its “big” ver...
Read more