
Bro, sometimes referred to as Bro-IDS, is a bit different from Snort and Suricata. In a way, Bro is both a signature-based and an anomaly-based IDS. Its analysis engine converts captured traffic into a series of events. An event could be a user logging on to FTP, a connection to a website, or practically anything. The power of the system is what comes after the event engine: the Policy Script Interpreter. This policy engine has its own language (Bro-Script) and can perform some very powerful and versatile tasks.

Installation

echo 'deb http://download.opensuse.org/repositories/network:/bro/Debian_8.0/ /' >> /etc/apt/sources.list.d/bro.list

wget --quiet -O - http://download.opensuse.org/repositories/network:bro/Debian_8.0/Release.key | apt-key add -

apt-get update
apt-get install bro

Config and run

cd /opt/bro

Edit etc/node.cfg and set the interface to the NIC you are monitoring.

Run bin/broctl and type start at its prompt.

Bro will write log files under /opt/bro/logs (you may need to stop it to force the current logs to be flushed).

Sample Results:

zcat 2016-05-16/weird.11:05:51-11:09:28.log.gz
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path weird
#open 2016-05-16-11-05-51
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1463411151.693423 CupmIg2gzB8ED3oBw7 192.168.1.201 57920 52.0.30.212 443 bad_TCP_checksum - F bro
1463411156.329354 CQSTmd4CSCV5Eyo7Qf 192.168.1.106 5555 192.168.1.105 44240 bad_TCP_checksum - F bro
1463411159.593437 C6NccT3FY2AJ5M8bVb 192.168.1.201 60299 192.168.1.1 53 bad_UDP_checksum - F bro
1463411159.632785 C6NccT3FY2AJ5M8bVb 192.168.1.201 60299 192.168.1.1 53 dns_unmatched_reply - F bro
1463411159.669412 C1G1j51ikJNpI60tY1 192.168.1.201 40219 192.168.1.1 53 dns_unmatched_reply - F bro
1463411159.693446 Cdgva33A5K4z34LVil 192.168.1.201 36313 192.168.1.1 53 dns_unmatched_reply - F bro
1463411159.713431 CwWQFl1ohbKfAQ7mQ5 192.168.1.201 34110 192.168.1.1 53 dns_unmatched_reply - F bro
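The weird.log above is in Bro's standard ASCII log format, whose header lines (#separator, #unset_field, #empty_field, #fields, #types) tell a reader how to interpret the rows. As an added example that is not part of the original post, the Python below parses that format generically from those directives and tallies the weird names over a constructed copy of the rows shown; the function names are my own, not Bro's.

```python
from collections import Counter

# Constructed sample with the same columns as the weird.log shown above;
# real Bro ASCII logs are tab-separated (#separator \x09), hence the \t.
SAMPLE_WEIRD_LOG = "\n".join([
    "#separator \\x09", "#set_separator\t,", "#empty_field\t(empty)",
    "#unset_field\t-", "#path\tweird", "#open\t2016-05-16-11-05-51",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tname\taddl\tnotice\tpeer",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tbool\tstring",
    "1463411151.693423\tCupmIg2gzB8ED3oBw7\t192.168.1.201\t57920\t52.0.30.212\t443\tbad_TCP_checksum\t-\tF\tbro",
    "1463411156.329354\tCQSTmd4CSCV5Eyo7Qf\t192.168.1.106\t5555\t192.168.1.105\t44240\tbad_TCP_checksum\t-\tF\tbro",
    "1463411159.593437\tC6NccT3FY2AJ5M8bVb\t192.168.1.201\t60299\t192.168.1.1\t53\tbad_UDP_checksum\t-\tF\tbro",
    "1463411159.632785\tC6NccT3FY2AJ5M8bVb\t192.168.1.201\t60299\t192.168.1.1\t53\tdns_unmatched_reply\t-\tF\tbro",
])
# Converters keyed by the column type Bro declares in #types; others stay str.
_CONVERT = {"time": float, "port": int, "count": int, "int": int,
            "bool": lambda v: v == "T"}

def parse_bro_log(text):
    """Parse a Bro ASCII log driven by its own #separator/#unset_field/
    #empty_field/#fields/#types header, so it also works for conn.log etc."""
    meta = {"separator": "\t", "unset_field": "-", "empty_field": "(empty)"}
    fields, types, records = [], [], []
    for line in text.splitlines():
        if line.startswith("#"):
            # Only #separator is space-delimited; later header lines use it.
            key, _, value = line[1:].partition(
                " " if line.startswith("#separator") else meta["separator"])
            if key == "separator":
                value = value.encode().decode("unicode_escape")  # "\x09" -> tab
            if key == "fields":
                fields = value.split(meta["separator"])
            elif key == "types":
                types = value.split(meta["separator"])
            else:
                meta[key] = value  # also keeps #path, #open, #close
        elif line:
            record = {}
            for name, typ, raw in zip(fields, types, line.split(meta["separator"])):
                if raw == meta["unset_field"]:
                    record[name] = None
                elif raw == meta["empty_field"]:
                    record[name] = ""
                else:
                    record[name] = _CONVERT.get(typ, str)(raw)
            records.append(record)
    return records

def count_weird_names(records):
    """Tally weird names; heavy bad_*_checksum counts usually mean checksum offloading on the sensor NIC."""
    return Counter(r["name"] for r in records)
```

Large numbers of bad_TCP_checksum / bad_UDP_checksum entries on a sensor are normally a sign of NIC checksum offloading on the capture host, so check that before treating them as anomalies.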


