Thursday, June 08, 2006

Bro-IDS - The learning process

Since I want to have more tools to provide valuable alert data for clues when accessing network traffic, I have installed bro-ids on my FreeBSD workstation. It is installed fine on FreeBSD, however when I try to run bro against pcap file, I get an error where bro.init not found, bro.init file is in policy directory and running bro in that directory works, so that must be path issue and it can actually be resolved easily by adding the following lines to your .bash_profile if you are using bash shell.

BROHOME=/usr/local/stow/bro-1.1
BROPATH=/usr/local/stow/bro-1.1/policy:/usr/local/stow/bro-1.1/site

export BROHOME BROPATH

That's it and now bro runs perfectly fine.

$BROHOME is your default Bro home directory and for your local config tweaking, you need to check for site directory under $BROHOME. Bro disables it's signatures detection capability by default, to turn it on, you just need to load the line below to the file - local.site.bro or one with your host.domain.bro,

@load brolite-sigs

Then restart Bro with the command /usr/local/etc/bro.rc checkpoint. In snort, those protocol decoders are defined as preprocessor, however in bro, it is called analyzer. Those analyzers are mainly the policy scripts that under $BROHOME/policy. You can write your own analyzer if you need one, that's pretty similar where you can write your own preprocessor for snort, especially version 2.6 now that you no longer need to patch snort to get unofficial/external preprocessors. You have dynamic preprocessor loading capability in snort 2.6!

I try to correlate the similarities of bro and snort so that I can take bro easily in my learning process, though Bro is developed for research purpose, it can be very powerful when comes to provide alert data. And those documentation and manual are comes with the source tarball when you downloaded Bro, so I read through the documentation and there are few chapters that pretty interesting such as Bulk Traces & Off-Line Analysis. Those mentioning how to analyse pcap file and using Bro to extract the packet payloads. I still feel adventureous with trying more stuffs with Bro and maybe getting a sensor running Bro to see how it goes.

That's all for Bro now, peace :]

No comments: