I have been away from posting due to some serious matters; anyway, I think I should write some stuff to keep me going. First of all, I'm pretty satisfied and happy to have reached 200 blog posts, as I never thought I would write so much. Thanks for the comments and feedback along the way.
A few things I want to blog about: I will no longer be a supporter of IBM ThinkPad after Lenovo bought over its brand name, and the bad design and ideas that put the ThinkPad to death. What can I say, Lnv you sux big time - check the link below.
http://hardware.slashdot.org/article.pl?sid=06/06/04/0415221
I guess my main choices would be either Toshiba or HP now; seriously, Lnv is a real asshole. Bye, beloved IBM ThinkPad. For people who haven't had a chance to look at the new Z series, the design is utterly ugly.
I have had fun playing with Bro-IDS under FreeBSD; it installs fine on FreeBSD 6.1R. Here are my notes from installing it. You need to install the packages below first:
shell>pkg_add -vr p5-Config-General adns
Then just run the usual configure, make and make install. Since I'm not integrating Bro as the tool to provide alert data, I prefer it to be under /nsm for management purposes, so that's what I do; again I use stow to manage source installations. I untar bro-1.1 and start my installation process with
shell>mkdir /nsm/stow
shell>./configure --prefix=/nsm/stow/bro-1.1
shell>make && make install
shell>make install-brolite
It will ask you a series of questions for configuration settings.
shell>cd /nsm/stow && stow bro-1.1
Installation is done now and you can start Bro with
[root@trinity /nsm/stow]# /nsm/stow/bro-1.1/etc/bro.rc --start
bro.rc: Running as non-root user bro
bro.rc: Starting ..........bro.rc: Failed to start Bro
/usr/local/stow/bro-1.1/bin/bro: problem with interface bge0 - pcap_open_live: (no devices found) /dev/bpf0: Permission denied
... FAILED
Since I get "Permission denied", I change the permissions on bpf0
[root@trinity /nsm/stow]# ls -la /dev/bpf0
crw------- 1 root wheel 0, 115 Jun 6 07:28 /dev/bpf0
[root@trinity /nsm/stow]# chmod 604 /dev/bpf0
[root@trinity /nsm/stow]# /nsm/stow/bro-1.1/etc/bro.rc --start
bro.rc: Running as non-root user bro
bro.rc: Starting ............. SUCCESS
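As an added note from a defender's standpoint (my own example, not part of the original post): chmod 604 leaves /dev/bpf0 readable by every local account, so any user on the sensor could open the capture device. The POSIX sh script below classifies the mode field of an ls -l listing of /dev/bpf* and flags world-accessible nodes; the group name "bro" in the constructed sample listing is an assumption, since the post only names the user.

```shell
#!/bin/sh
# Added example (not from the original post): audit /dev/bpf* permission bits.
# The post's `chmod 604 /dev/bpf0` makes the capture device world-readable, so
# any local user could open it and read bge0 traffic. Mode 0640 owned by
# root:<bro's group> (group name "bro" assumed; the post only names the user)
# lets an unprivileged bro capture without that exposure.

# Classify the 10-character mode field of an `ls -l` line. Prints one word:
#   WORLD      - others can read or write the node (the post's 604 lands here)
#   GROUPWRITE - group-writable; read is all capture needs, so tighten to 640
#   GROUP      - group-readable only (the recommended setting)
#   ROOTONLY   - owner only; bro fails with "Permission denied" as in the post
#   BAD        - not a mode string
bpf_mode_verdict() {
    mode=$(printf '%s' "$1" | cut -c1-10)   # drop a trailing '+' ACL marker
    [ "${#mode}" -eq 10 ] || { echo BAD; return 0; }
    group=$(printf '%s' "$mode" | cut -c5-7)
    other=$(printf '%s' "$mode" | cut -c8-10)
    case "$other" in *r*|*w*) echo WORLD; return 0 ;; esac
    case "$group" in
        *w*) echo GROUPWRITE ;;
        r*)  echo GROUP ;;
        *)   echo ROOTONLY ;;
    esac
    return 0
}

# Walk an `ls -l /dev/bpf*` listing (passed as one string), print
# "<device> <verdict>" per node and the count of WORLD nodes on the last line.
audit_bpf_listing() {
    world=0
    while read -r perms rest; do
        case "$rest" in */dev/bpf*) ;; *) continue ;; esac
        dev=${rest##* }
        verdict=$(bpf_mode_verdict "$perms")
        echo "$dev $verdict"
        if [ "$verdict" = WORLD ]; then world=$((world + 1)); fi
    done <<EOF
$1
EOF
    echo "world-accessible: $world"
}

# Constructed listing: the post's node after chmod 604 plus two siblings.
SAMPLE_LISTING='crw----r--  1 root  wheel    0, 115 Jun  6 07:28 /dev/bpf0
crw-r-----  1 root  bro      0, 116 Jun  6 07:28 /dev/bpf1
crw-------  1 root  wheel    0, 117 Jun  6 07:28 /dev/bpf2'

audit_bpf_listing "$SAMPLE_LISTING"
```

On FreeBSD a chmod on a devfs node does not survive a reboot; own and perm entries in /etc/devfs.conf make the chosen owner/group and mode permanent.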
To check if it is running,
[root@trinity /nsm/stow]# ps auxww | grep bro
bro 17459 0.0 0.1 1760 1104 p3 I 10:29AM 0:00.03 /bin/sh /usr/local/stow/bro-1.1/etc/bro.rc --start
bro 17464 0.0 1.1 12716 11512 p3 R 10:29AM 0:04.76 /usr/local/stow/bro-1.1/bin/bro -W -i bge0 trinity.dissectible.org.bro
bro 17510 0.0 0.1 1760 1104 p3 I 10:29AM 0:00.00 /bin/sh /usr/local/stow/bro-1.1/etc/bro.rc --start
bro 17512 0.0 0.5 6836 5584 p3 S 10:29AM 0:00.12 /usr/local/stow/bro-1.1/bin/bro -W -i bge0 trinity.dissectible.org.bro print-filter.bro
Check that it added the cron entries correctly,
[root@trinity /nsm/stow]# crontab -e
BROHOME=/nsm/stow/bro-1.1
# checkpoint Bro once a week
0 0 * * 1 /nsm/stow/bro-1.1/etc/bro.rc --checkpoint
10 00 * * * ( nice -n 19 /nsm/stow/bro-1.1/scripts/site-report.pl )
10 3 * * * (/nsm/stow/bro-1.1/scripts/mail_reports.sh /usr/local/stow/bro-1.1/etc/bro.cfg)
0 3 * * * (/nsm/stow/bro-1.1/scripts/bro_log_compress.sh)
# If you are process logs on a front end host, add this:
#10 3 * * * (/nsm/stow/bro-1.1/scripts/push_logs.sh FrontendHost)
Bro suggests tweaking the bpf buffer size and its max value; I tweak it manually. I'm thinking of testing these sysctl settings for my Sguil sensor as well and guess they should be applicable.
shell>sysctl net.bpf.maxbufsize=8388608
shell>sysctl net.bpf.bufsize=4194304
To uninstall it cleanly, again we make use of stow,
shell>cd /nsm/stow && stow -D bro-1.1
Go to the bro source directory and run
shell>make uninstall
shell>rm -rf /nsm/stow/bro-1.1
shell>make distclean
Now everything is back to the previous state, as if you had never installed bro-ids. Since bro-1.1 installs cleanly, I suppose it should be easy to make it into a port/package; the FreeBSD package, which is version 0.8, is kinda dated. I may need to email the porter for updates.
For Sleuthkit on FreeBSD, you need to install the package below or else mactime won't work,
shell>pkg_add -vr p5-Date-Manip
Autopsy is not working when installed via package, as it can't find Main.pm. Thus I install it using the port and it works now.
shell>cd /usr/ports/sysutils/autopsy && make && make install
Now what?!!! Of course snort: snort-2.6 Final is released, and you can find all the interesting features and updates at the link below. Go go snorting .....
http://www.snort.org/pub-bin/snortnews.cgi#445
Hopefully I can make it to 300 blog posts!
Cheers (:])