bro ids install notes on ubuntu 11

-
I was recently asked to test out Bro IDS.  
First of all you need to get all the dependencies ready before
compiling bro-ids source code.

sudo apt-get install libncurses5-dev g++ bison flex libmagic-dev
libgeoip-dev libssl-dev libpcap-dev libpcap0.8-dev byacc

Next step, download stable bro release

http://www.bro-ids.org/downloads/release/bro-1.5.3.tar.gz

Assume that you put it on your desktop. Type "cd Desktop/" to go to
the desktop folder.

Unzip the tarball by using this "tar zxvf bro-1.5.3.tar.gz"
cd bro-1.5.3
./configure
make
make install-broctl

Navigate to the folder /usr/local/bro/etc/

Edit the config files

/broctl.cfg is the overall _BroControl_ configuration. Initially, you
probably only need to edit the email address for mails sent by the
framework; that's the +MailTo+ line.

/node.cfg, you need to specify the network interface Bro is to
monitor; that's the +interface+ line.

/networks.cfg, list all the networks which Bro should consider as
local to the monitored enviroment, 192.168.0.0 is already listed.

Navigate to the folder /usr/local/bro/bin/

run ./broctl install

This will install the modified configuration

Now run

crontab -e

pick nano edit option, 2 for me.  add "0-59/5 * * * *
/usr/local/bro/bin/broctl cron" to the bottom of the file and save..

to start bro run

./broctl start

you can check the /usr/local/bro/logs/ folder

Comments

Post a Comment

Popular posts from this blog

Investigating Indicators of Compromise In Your Environment With Latest Version of Redline

-
Image
Investigating Indicators of Compromise In Your Environment With Latest Version of Redline : Recently, Mandiant ® released a new version of Redline ™ . If you are not familiar with Redline, it is a great tool for investigating a specific Windows host in depth. We will have a more thorough look into Redline in the next month or so. What I wanted to touch on today is one of Redline’s brand new features: you can now use Indicators of Compromise (IOCs) to drive your Redline investigations. If you are not familiar with IOCs, I urge to you take a moment and head over to http://OpenIOC.org and have a look around. IOCs are the best way for finding indications of compromise and/or intrusion throughout your enterprise. IOCs are one of the main technologies that power Mandiant Intelligent Response, Mandiant’s flagship IR appliance, and have previously been accessible in free products with IOC Editor & IOC Finder . Some blog entries that might help bring you up to speed are Ryan Kazanciya...
Read more

Both Mac and Windows are Targeted at Once

-
Image
Both Mac and Windows are Targeted at Once : Symantec Security Response, along with some other security vendors, reported the discovery of the OSX.Flashback malware recently patched by Apple. Many people may be surprised to learn the infection volume is reported at over 600,000 computers. On a new front, we have recently identified new Java Applet malware, which uses the Oracle Java SE Remote Java Runtime Environment Code Execution Vulnerability (CVE-2012-0507) to download its payload. This attack vector is the same as the older one, but in this case the Java Applet checks which OS it is running on and downloads a suitable malware for the OS. This is explained further in the following illustration: When a victim loads the Java Applet malware, it breaks the Java Applet sandbox by using the CVE-2012-0507 vulnerability. This vulnerability is effective for both Mac and Windows operating systems. Then, if the threat is running on a Mac operating system, it downloads a dropper type ...
Read more

PDF Malware Protected by AES-256

-
Image
PDF Malware Protected by AES-256 : Adobe Systems released a security update for Adobe Acrobat and Reader 9.x for Windows on December 16, 2011, in order to fix a zero-day vulnerability. As Vikram Thakur reported recently , there have been zero-day attacks using this PDF vulnerability, dropping Backdoor.Sykipot on to the compromised computer. We have found another variant of PDF malware in the wild using the same vulnerability. This version of PDF malware uses an encryption method that is found natively in the PDF specifications. As I wrote in my Portable Document Format Malware whitepaper , the encryption method used by PDF malware has changed from RC4 to AES. The AES specifies the encryption key has 128 bits in length. However, this variant adopts AES-256 as the encryption method, with a key length of 256 bits. The specification for the encryption method using AES-256 in a PDF is described as an extension of the ISO32000 version of PDF specification. It is able to download the PDF ex...
Read more