What Will I Learn?
In this tutorial, we will learn about the Bro Network Security Monitor tool. First of all, we want to know what Bro is.
Bro: Bro is an intrusion detection system and a powerful network analysis framework. It is adaptable, efficient and flexible, and it has open interfaces. It is often compared to a network intrusion detection system (NIDS), but it can also be used for collecting network measurements, conducting forensic investigations, traffic baselining and troubleshooting. It provides users with a domain-specific, Turing-complete scripting language for expressing analysis tasks. Bro is written in C++.
- In this tutorial, we will learn about the Bro intrusion detection system (IDS).
- We will also learn the Bro IDS commands.
Requirements
The requirements for this tutorial are given below:
- Kali Linux operating system and Python 2.6 or greater (for BroControl)
- Libpcap (http://www.tcpdump.org) and OpenSSL libraries ( http://www.openssl.org )
- BIND8 library and Bash (for BroControl)
Difficulty
This tutorial is easy to follow.
- Basic
Tutorial Contents
In this tutorial, we are discussing the Bro Network Security Monitoring tool. Bro has a number of features; let's go through them below.
Deployment:
(i) Runs on commodity hardware on standard UNIX-style systems (including Linux, FreeBSD, and Mac OS).
(ii) Real-time and offline analysis.
(iii) Cluster-support for large-scale deployments.
(iv) Open-source under a BSD license.
Analysis:
(i) Comprehensive logging of activity for offline analysis and forensics.
(ii) Support for many application-layer protocols (including DNS, FTP, HTTP, IRC, SMTP, SSH, SSL).
(iii) Comprehensive IPv6 support.
Scripting Language:
(i) Turing-complete language for expressing arbitrary analysis tasks.
(ii) Event-based programming model.
(iii) Domain-specific data types such as IP addresses (transparently handling both IPv4 and IPv6), port numbers, and timers.
Interfacing:
(i) Real-time integration of external input into analyses. Live database input in preparation.
(ii) Ability to trigger external processes from within the scripting language.
Reference link: https://www.bro.org/index.html
Bro download link: https://www.bro.org/download/index.html
Let's see the Bro network security monitoring tool commands.
Download Bro from source on Kali Linux with the following command:
git clone --recursive git://git.bro.org/bro
Here are the commands for the configuration and installation process:
./configure
make
make install
The build has some dependencies that must be installed first.
On DEB/Debian-based Linux:
sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev
Configure the run-time environment: the following command adds the Bro binaries to your PATH so that bro and broctl can be run from any directory:
export PATH=/usr/local/bro/bin:$PATH
Now we will discuss BroControl, the management shell for a Bro installation.
Start BroControl with:
broctl
Inside BroControl, apply the current configuration with the install command:
[BroControl] > install
Start Bro:
[BroControl] > start
To stop the running Bro instance, use the stop command:
[BroControl] > stop
We can also run a traffic analysis of a capture file with Bro; the -r option reads packets from a pcap file and the local argument loads the site-local scripts:
$ bro -r sample1.pcap local
Custom scripts for Bro: on Kali Linux, the site-local script that Bro loads is at
/opt/bro/share/bro/site/local.bro
You can also add your own custom scripts and reference them from the policy directory:
/opt/bro/share/bro/policy/
If we want, we can create a new directory for the custom scripts under the Bro policy directory:
sudo mkdir /opt/bro/share/bro/policy/custom-scripts
Add your custom scripts to that directory together with a package loader file named
__load__.bro
Then edit __load__.bro so that it loads each script in the directory:
@load ./script1.bro
@load ./script2.bro
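As an added example (not part of the original tutorial or of the Bro project's own scripts), here is what one of those custom scripts could look like. It assumes the hypothetical file name long-conn.bro inside the custom-scripts directory created above, and uses Bro's event-based model and its domain-specific interval type to raise a notice for connections that stay open unusually long, which is a common baselining check during forensic review of a capture:

```bro
##! Added example script (hypothetical): report long-lived connections.
##! Assumed location: /opt/bro/share/bro/policy/custom-scripts/long-conn.bro
##! Referenced from __load__.bro with:  @load ./long-conn.bro

@load base/frameworks/notice

module CustomScripts;

export {
	redef enum Notice::Type += {
		## A single connection stayed open longer than the threshold.
		Long_Connection,
	};

	## Threshold above which a connection is reported; tune per site.
	const long_conn_threshold = 1hr &redef;
}

# connection_state_remove fires once per connection, after Bro has seen it
# end (or time out), so c$duration holds the final duration as an interval.
event connection_state_remove(c: connection)
	{
	if ( c$duration > long_conn_threshold )
		NOTICE([$note=Long_Connection,
		        $msg=fmt("%s -> %s:%s stayed open for %s",
		                 c$id$orig_h, c$id$resp_h, c$id$resp_p, c$duration),
		        $conn=c,
		        # Suppress repeated notices for the same host pair.
		        $identifier=cat(c$id$orig_h, c$id$resp_h)]);
	}
```

Because the policy directory is on Bro's script search path, the whole directory can be pulled in from local.bro with a single @load custom-scripts line, after which the notices appear in notice.log when running either live or against a capture file with bro -r. The threshold is declared with &redef so a site can override it from local.bro without editing the script itself.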
We can then restart Bro with the following command:
sudo nsm_sensor_ps-restart --only-bro
Monitoring live traffic: in this tutorial we also look at monitoring live network traffic. The -i option selects the interface to listen on, followed by the scripts to load:
bro -i en0 <list of scripts to load>
Packet capture files: we can capture traffic from an interface and write it to a file like this:
sudo tcpdump -i en0 -s 0 -w mypackets.trace
After capturing the traffic, we can have Bro analyze the file with this command:
bro -r mypackets.trace
Local site customization: to apply site-specific settings, load local.bro along with the interface. Let's see the command:
bro -i en0 local
Running Bro without installing: here we discuss running the Bro IDS without installing it. Developers sometimes run Bro directly from the build directory:
./configure
make
source build/bro-path-dev.sh
bro <options>
Posted on Utopian.io - Rewarding Open Source Contributors