Sunday, July 13, 2008

EmergingBro: HowTo

First of all, make sure you have Bro installed on your machine; if not, you can download it at http://bro-ids.org. If you are using HeX, Bro is installed by default. Once installed, you will find that the Bro directory structure looks like this -

shell>ls -la
total 34
drwxr-xr-x 15 analyzt wheel 512 Jul 10 17:36 ./
drwxr-xr-x 3 root wheel 512 Jul 10 07:51 ../
drwxr-xr-x 2 analyzt wheel 512 Jul 10 07:51 archive/
drwxr-xr-x 2 analyzt wheel 512 Jul 10 17:35 bin/
drwxr-xr-x 2 analyzt wheel 512 Jul 10 17:39 etc/
drwxr-xr-x 2 analyzt wheel 512 Jul 10 17:35 include/
drwxr-xr-x 2 analyzt wheel 512 Jul 10 17:35 lib/
drwxr-xr-x 3 analyzt wheel 1024 Jul 10 18:01 logs/
drwxr-xr-x 3 analyzt wheel 512 Jul 10 17:36 perl/
drwxr-xr-x 3 analyzt wheel 5120 Jul 10 17:59 policy/
drwxr-xr-x 2 analyzt wheel 512 Jul 10 07:51 reports/
drwxr-xr-x 2 analyzt wheel 512 Jul 10 17:36 scripts/
drwxr-xr-x 4 analyzt wheel 512 Jul 10 07:51 share/
drwxr-xr-x 2 analyzt wheel 512 Jul 11 22:50 site/
drwxr-xr-x 2 analyzt wheel 512 Jul 10 07:51 var/

Please take note of a few important directories -

policy directory contains all the policy and analysis scripts, which have the file extension .bro.

site directory contains the site policy files, which you define or configure for your specific site.

logs directory contains all the log files generated by Bro.

etc directory contains the Bro configuration files, used for startup and for Bro environment variable settings.

Obtain the latest signatures from Emerging Bro -

shell>cvs -d:pserver:anonymous@cvs.emergingthreats.net:/cvsroot/bro co emerging-bro

shell>cd emerging-bro

shell>ls -l
total 14
drwxr-xr-x 7 analyzt wheel 512 Jul 10 07:58 ./
drwxr-xr-x 4 analyzt wheel 512 Jul 10 07:55 ../
drwxr-xr-x 2 analyzt wheel 512 Jul 10 11:23 CVS/
drwxr-xr-x 3 analyzt wheel 512 Jul 10 07:58 CVSROOT/
drwxr-xr-x 3 analyzt wheel 1024 Jul 10 18:24 rules/
drwxr-xr-x 4 analyzt wheel 512 Jul 10 18:28 scripts/
drwxr-xr-x 17 analyzt wheel 512 Jul 10 11:23 sigs/

sigs directory contains all the individual signatures, organised by category.

rules directory contains the main signature file for each category. For example, emerging-bro-malware.sig contains all the signatures for the MALWARE category.

scripts directory contains all the policy and analysis scripts contributed by community members.

To perform a quick test, you can invoke the signature file using a command line option -

Set Bro environment variables -

shell>. bro.cfg

Execute Bro -

shell>bro -s emerging-bro-all.sig -r whatever.pcap `hostname`

If you plan to run it in the long term, it's best to edit the file generated during make install-brolite. The file name starts with your hostname; for example, it is raWPacket.bro on the HeX liveCD since my hostname is raWPacket. Just edit the following section in the file -

-----------------------------------------------------------------------
# To run signatures, uncomment the following line.
# @load brolite-sigs

@ifdef ( use_signatures )
# Load Bro signatures. This is the default file containing Bro
# signatures.
redef signature_files += "signatures";
@endif
-----------------------------------------------------------------------

To this -

@load brolite-sigs

# Bro policy statements end with a semicolon.
redef signature_files += "emerging-bro-all.sig";

Please do note that the other policy scripts, especially brolite.bro, must be loaded in order for the signatures to be invoked properly.
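As an added example (not part of the original post or of the Emerging Bro project), here is a small site policy that loads the signature set the same way as above and then handles the resulting signature_match events, reporting each (source host, signature message) pair only once so a noisy host does not flood the output. The file name local-sigs.bro and the global reported are my own choices; the field names used on state follow the Bro 1.x signature_state record (conn, is_orig).

```bro
# local-sigs.bro (hypothetical file name) - added example site policy.
# Loads the brolite signature support and the Emerging Threats signature
# file exactly as described in the post, then adds a handler for matches.

@load brolite-sigs

# File name from the post; the path is resolved relative to BROPATH.
redef signature_files += "emerging-bro-all.sig";

# Set of (source host, signature message) pairs already reported.
global reported: set[addr, string];

event signature_match(state: signature_state, msg: string, data: string)
	{
	# The originator of the connection is treated as the source host,
	# regardless of which direction the matching payload travelled in.
	local src = state$conn$id$orig_h;
	local dst = state$conn$id$resp_h;
	local dst_p = state$conn$id$resp_p;

	# Report each signature once per source host.
	if ( [src, msg] in reported )
		return;
	add reported[src, msg];

	print fmt("%s signature match: \"%s\" %s -> %s:%s (matched %s side, %d bytes)",
		  network_time(), msg, src, dst, dst_p,
		  state$is_orig ? "originator" : "responder",
		  byte_len(data));
	}
```

Run it the same way as the quick test above, for example bro -r whatever.pcap local-sigs, and the first match per host and signature appears on standard output.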

Enjoy ;]

1 comment:

fenris said...

$ cvs -d:pserver:anonymous@cvs.emergingthreats.net:/cvsroot/bro co emerging-bro
cvs checkout: CVS password file /home/fenris/.cvspass does not exist - creating a new file
cvs server: cannot find module `emerging-bro' - ignored
cvs [checkout aborted]: cannot expand modules