Chinese Yellow Pages | Classifieds | Knowledge | Tax | IME

Comrite blogs

software consultant, deep learning, machine learning, docker, voip, asterisk, kamailio, linux, network

Networking Security

What is bro and how to install bro on debian 8

ByMin Wang

May 16, 2016

Bro, or sometimes referred to as Bro-IDS is a bit different than Snort and Suricata. In a way Bro is both a signature and anomaly-based IDS. Its analysis engine will convert traffic captured into a series of events. An event could be a user logon to FTP, a connection to a website or practically anything. The power of the system is what comes after the event engine and that’s the Policy Script Interpreter. This policy engine has it’s own language ( Bro-Script ) and it can do some very powerful and versatile tasks.

Installation

echo ‘deb http://download.opensuse.org/repositories/network:/bro/Debian_8.0/ /’ >> /etc/apt/sources.list.d/bro.list

wget –quiet -O – http://download.opensuse.org/repositories/network:bro/Debian_8.0/Release.key
| apt-key add –

apt-get update
apt-get install bro

config and run

cd /opt/bro;

change  etc/node.cfg ( update to your monitoring NIC interface)

bin/broctl

type start

it will generate some logs files under /opt/bro/logs ( may need to stop to force flush the log)

Sample Results:

zcat 2016-05-16/weird.11:05:51-11:09:28.log.gz
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field –
#path weird
#open 2016-05-16-11-05-51
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1463411151.693423 CupmIg2gzB8ED3oBw7 192.168.1.201 57920 52.0.30.212 443 bad_TCP_checksum-F bro
1463411156.329354 CQSTmd4CSCV5Eyo7Qf 192.168.1.106 5555 192.168.1.105 44240 bad_TCP_checksum-F bro
1463411159.593437 C6NccT3FY2AJ5M8bVb 192.168.1.201 60299 192.168.1.1 53 bad_UDP_checksum-F bro
1463411159.632785 C6NccT3FY2AJ5M8bVb 192.168.1.201 60299 192.168.1.1 53 dns_unmatched_reply – F bro
1463411159.669412 C1G1j51ikJNpI60tY1 192.168.1.201 40219 192.168.1.1 53 dns_unmatched_reply – F bro
1463411159.693446 Cdgva33A5K4z34LVil 192.168.1.201 36313 192.168.1.1 53 dns_unmatched_reply – F bro
1463411159.713431 CwWQFl1ohbKfAQ7mQ5 192.168.1.201 34110 192.168.1.1 53 dns_unmatched_reply – F bro

 

References

https://www.bro.org/sphinx/quickstart/index.html

https://www.alienvault.com/blogs/security-essentials/open-source-intrusion-detection-tools-a-quick-overview

https://www.aldeid.com/wiki/Suricata-vs-snort

By Min Wang

Related Post

Linux Networking software programming

video streaming HLS, DASH

Apr 10, 2024 Min Wang
Networking

understand CAP theorem

Jan 8, 2022 Min Wang
Networking software programming

Raft consensus algorithm on distributed system

Jan 8, 2022 Min Wang

Leave a Reply

Your email address will not be published. Required fields are marked *

You missed

Linux Networking software programming

video streaming HLS, DASH

Apr 10, 2024 Min Wang 0 Comments
software programming

c++ share_ptr pass by value or reference

Apr 10, 2024 Min Wang 0 Comments
Linux

postfix transport_maps ( routing based on destination domain )

Apr 7, 2024 Min Wang 0 Comments
AI/Machine Learning

Build your own GPU

Mar 28, 2024 Min Wang 0 Comments
If you like our blog, donations are welcome.

Big Data Handbook - Deep Learning with Keras from Scratch - Pytorch Deep Learning by Example (3rd Edition)
Docker for dummies in real world - Kubernetes Quick Start
comrite search
Suggestions - Advertising Programs - Business Solutions - Terms of Servie - About Comrite.com

©2005 Comrite