Updated 16 Feb 2016.
This post lists the steps needed to build and configure a single standalone Bro 2.4.1 node on Ubuntu/Debian and to put the Brotop web GUI in front of its logs for easier parsing and reading. (Bro has since been renamed Zeek; the bro.org URLs below still redirect.)
Install dependencies:
$ sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libgeoip-dev libssl-dev python-dev zlib1g-dev libmagic-dev swig libgoogle-perftools-dev
Install Bro:
$ sudo mkdir -p /nsm/bro
$ cd ~
$ wget https://www.bro.org/downloads/release/bro-2.4.1.tar.gz
$ tar -xvzf bro-2.4.1.tar.gz
$ cd bro-2.4.1/
$ ./configure --prefix=/nsm/bro
$ make
$ sudo make install
$ export PATH=/nsm/bro/bin:$PATH
This export only lasts for the current shell; add the same line to ~/.profile to keep bro, broctl and bro-cut on the PATH after a reboot.
Install Geo-IP Databases (Bro 2.4 looks for GeoIPCity.dat and GeoIPCityv6.dat under /usr/share/GeoIP/, so both files are renamed on copy; MaxMind has since retired the free GeoLite Legacy downloads, so the URLs below no longer serve these files):
$ cd ~
$ wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
$ gunzip GeoLiteCity.dat.gz
$ sudo cp GeoLiteCity.dat /usr/share/GeoIP/GeoIPCity.dat
$ wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCityv6-beta/GeoLiteCityv6.dat.gz
$ gunzip GeoLiteCityv6.dat.gz
$ sudo cp GeoLiteCityv6.dat /usr/share/GeoIP/GeoIPCityv6.dat
Modify configuration files:
$ sudo vim /nsm/bro/etc/node.cfg
-----
Ensure that "interface=eth0" names the interface that actually sees the traffic you want to monitor (check with "ip link"); otherwise, modify this line.
-----
$ sudo vim /nsm/bro/etc/networks.cfg
-----
Add the address space Bro should treat as local, in CIDR form, one network per line followed by a description: the RFC1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and Microsoft APIPA (169.254.0.0/16).
-----
$ sudo vim /nsm/bro/etc/broctl.cfg
-----
Change the MailTo address and the logging config, if desired.
-----
$ sudo /nsm/bro/bin/broctl
[BroControl]> install
[BroControl]> exit
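As an added example (not from the original post or the Bro project), the two configuration edits above as shell functions: one prints the networks.cfg body with the RFC1918 and APIPA ranges, and one reads the interface= line out of node.cfg and checks that the interface exists on the host before "broctl install" is run. The function names and the /nsm/bro paths in the usage comment are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or from Bro/BroControl.
# Generates networks.cfg content and sanity-checks node.cfg's interface.

# Print a networks.cfg body: "prefix<whitespace>description", one per line,
# covering the RFC1918 ranges and Microsoft APIPA (link-local) space.
networks_cfg() {
    printf '%s\n' \
        '10.0.0.0/8         Private IP space (RFC1918)' \
        '172.16.0.0/12      Private IP space (RFC1918)' \
        '192.168.0.0/16     Private IP space (RFC1918)' \
        '169.254.0.0/16     Link-local / Microsoft APIPA'
}

# Print the value of the first "interface=" line in the node.cfg given as $1.
node_cfg_interface() {
    sed -n 's/^[[:space:]]*interface[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Return 0 if the interface named in node.cfg ($1) exists on this host,
# 1 otherwise. Uses /sys/class/net so no extra tools are required.
check_node_cfg_interface() {
    iface=$(node_cfg_interface "$1")
    if [ -z "$iface" ]; then
        echo "no interface= line found in $1" >&2
        return 1
    fi
    if [ -d "/sys/class/net/$iface" ]; then
        echo "node.cfg interface $iface is present"
        return 0
    fi
    echo "node.cfg names $iface but this host has no such interface; edit $1" >&2
    return 1
}

# Usage against the post's install prefix (assumed paths):
#   networks_cfg | sudo tee /nsm/bro/etc/networks.cfg
#   check_node_cfg_interface /nsm/bro/etc/node.cfg && sudo /nsm/bro/bin/broctl install
```

The interface check is worth running before every "broctl install": a node.cfg that names an interface the host does not have fails only at "broctl start", and a node that points at the wrong interface runs happily while seeing no traffic.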
Auto-start Broctl
$ sudo vim /etc/rc.local
-----
Add the line "/nsm/bro/bin/broctl start" before the final "exit 0" (anything after it never runs), and make sure /etc/rc.local is executable.
-----
Monitoring Bro node:
$ sudo /nsm/bro/bin/broctl
[BroControl]> status
[BroControl]> ps.bro
[BroControl]> top
Restart the host to confirm that the rc.local entry brings Bro up on boot:
$ sudo shutdown -r now
Setup & Run Brotop Web GUI:
$ cd ~
$ mkdir brotop/
$ cd brotop/
$ wget https://github.com/criticalstack/brotop/releases/download/v0.3.0/brotop-linux-amd64.tar.gz
$ tar -zxvf brotop-linux-amd64.tar.gz
$ cd pkg/linux-amd64/
$ hostname -I   # prints the node's address, e.g. 192.168.1.225
$ ./brotop --path=/nsm/bro/logs/current/
Browse to http://192.168.1.225:8080/ (substitute your node's address). Brotop serves the Bro logs over plain HTTP and nothing in these steps adds authentication, so restrict port 8080 to the analyst network with the host firewall rather than exposing it.
Number of Connections by Service (run these from /nsm/bro/logs/current/, or give the full path to the log; "service" is the application protocol Bro identified, while the "proto" column holds the transport protocol):
$ /nsm/bro/bin/bro-cut service < conn.log | sort | uniq -c | sort -n
Top 10 Destination Ports:
$ /nsm/bro/bin/bro-cut id.resp_p < conn.log | sort | uniq -c | sort -rn | head -n 10
Top 10 User-Agents:
$ /nsm/bro/bin/bro-cut user_agent < http.log | sort | uniq -c | sort -rn | head -n 10
In Bro 2.4 the http.log MIME type columns are "orig_mime_types" (request body) and "resp_mime_types" (response body); replace "user_agent" with "resp_mime_types" to view the file types served over HTTP. The single "mime_type" column lives in files.log.
Visited Websites:
$ /nsm/bro/bin/bro-cut host < http.log | sort | uniq -c | sort -rn
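The four bro-cut pipelines above all do the same thing: pick a column by name, then count distinct values. As an added example (not from the original post or the Bro project) the block below implements that column lookup in plain awk, resolving the name against the "#fields" header that every Bro TSV log carries, and wraps the sort|uniq -c summaries as functions that work on any Bro log, not just conn.log. The conn.log content is constructed sample data and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post or from Bro/bro-cut.
# Column-by-name extraction from Bro TSV logs, plus the post's summaries.

# Write a small constructed conn.log to $1 (tabs come from printf's \t).
write_sample_conn_log() {
    {
        printf '#separator \\x09\n'
        printf '#set_separator\t,\n#empty_field\t(empty)\n#unset_field\t-\n#path\tconn\n'
        printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\n'
        printf '#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\n'
        printf '1455624000.1\tCXWv6p3arKYeMETxOg\t192.168.1.10\t51234\t93.184.216.34\t80\ttcp\thttp\n'
        printf '1455624001.2\tCjhGID4nQcgTWjvg4c\t192.168.1.10\t51235\t93.184.216.34\t443\ttcp\tssl\n'
        printf '1455624002.3\tC4J4Th3PJpwUYZZ6gc\t192.168.1.11\t53001\t192.168.1.1\t53\tudp\tdns\n'
        printf '1455624003.4\tCtPZjS20MLrsMUOJi2\t192.168.1.11\t53002\t192.168.1.1\t53\tudp\tdns\n'
        printf '1455624004.5\tCUM0KZ3MLUfNB0cl11\t192.168.1.12\t40001\t10.0.0.5\t22\ttcp\t-\n'
        printf '#close\t2016-02-16-12-05-00\n'
    } > "$1"
}

# Print one column ($1, by name) from a Bro TSV log ($2). The column index
# is taken from the "#fields" header; other "#" lines are skipped. Prints
# nothing if the log has no such column.
bro_field() {
    awk -F '\t' -v want="$1" '
        /^#fields/ { for (i = 2; i <= NF; i++) if ($i == want) col = i - 1; next }
        /^#/       { next }          # remaining header lines and #close
        col        { print $col }
        ' "$2"
}

# Number of records whose column $1 equals $2 in log $3 (0 if none).
count_value() {
    bro_field "$1" "$3" | awk -v v="$2" '$0 == v { n++ } END { print n + 0 }'
}

# Most frequent values of column $1 in log $2 as "count value", top $3
# (default 10). Values may contain spaces (user agents), so only the
# leading count from uniq -c is split off.
top_values() {
    bro_field "$1" "$2" | sort | uniq -c | sort -rn | head -n "${3:-10}" \
        | awk '{ n = $1; sub(/^ *[0-9]+ /, ""); print n, $0 }'
}

# Demo on the constructed log. On a live node point the same functions at
# /nsm/bro/logs/current/conn.log (or http.log with user_agent, host, ...).
demo() {
    log=$(mktemp)
    write_sample_conn_log "$log"
    echo "connections by service:";  top_values service "$log"
    echo "top destination ports:";   top_values id.resp_p "$log" 5
    rm -f "$log"
}
demo
```

Because the column is resolved from the header rather than by position, the same functions keep working when a script adds or reorders columns in a log, which is exactly why bro-cut exists and why cutting Bro logs with a fixed "awk '{print $8}'" is fragile.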
Bro maintains a cheat sheet at https://github.com/bro/cheat-sheet/raw/master/bro-cheat-sheet.pdf
Bro Exercises: a web search for "site:*.bro.org challenge || exercise" turns up the published Bro exercises and challenges.
References:
https://www.bro.org/download/
http://dev.maxmind.com/geoip/legacy/geolite/
http://knowm.org/how-to-install-bro-network-security-monitor-on-ubuntu/
https://github.com/kingtuna/Hybrid-Darknet-Concept
https://github.com/criticalstack/brotop
https://www.bro.org/bro-workshop-2011/solutions/logs/