novaha-bro-training

Bro Crash Course

Facilitors:

Liam Randall <[email protected]>
Scott Runnels <[email protected]>

Prerequisites

SecurityOnion

A copy of SecurityOnion installed into a VM. Simply install it; you do not need to run the "Setup" wizard and actually enable the SO Suite of tools for active usage.

If you are using VMWare please also install VMWare Tools into your new SecurityOnion VM; if VirtualBox please make sure to install the Guest Additions.

Git Hub

If you do not already have a github account, please take the time to create one now. For the class we will be cloning repositories for configuration demonstrations, customization examples, and programming demo's. You can quickly install Git onto your SO Box with:

sudo apt-get install git

From there please follow the following steps to create your git account, create your first test repo, and then fork a sample repo:

https://help.github.com/articles/set-up-git
https://help.github.com/articles/create-a-repo
https://help.github.com/articles/fork-a-repo

Bro Introduction

Install the demonstrationss for today

git clone git://github.com:LiamRandall/bro-scripts.git bro-scripts
git clone git://github.com:LiamRandall/novaha-bro-training.git novaha-bro-training

Overview

Setup Your Development Environment

Setup Sublime-2 with Syntax Highlighting

Download Sublime:

http://www.sublimetext.com/2
tar -xvjpf Sublime Text 2.0.1 x64.tar.bz2

Go ahead and start Sublime for the first time:

cd Sublime Text 2/
./sublime_text to launch

Enter the Sublime control window with the shortcut CONTROL+TICK; the tick: ` is in the top left corner under the tilda: ~:

ctrl+`

Install package control window just cut and paste the following:

import urllib2,os; pf='Package Control.sublime-package'; ipp=sublime.installed_packages_path(); os.makedirs(ipp) if not os.path.exists(ipp) else None; urllib2.install_opener(urllib2.build_opener(urllib2.ProxyHandler())); open(os.path.join(ipp,pf),'wb').write(urllib2.urlopen('http://sublime.wbond.net/'+pf.replace(' ','%20')).read()); print 'Please restart Sublime Text to finish installation'

Bro Basics

Bro Customization Points

Install the Bro APT1 Report Module:

sudo apt-get install -y git
cd /opt/bro/share/bro/site/
sudo git clone git://github.com/sethhall/bro-apt1.git apt1
echo "@load apt1" | sudo tee -a local.bro

Name		Name	Last commit message	Last commit date
Latest commit History 4 Commits
apt1-demo		apt1-demo
ftp		ftp
ssh		ssh
teredo		teredo
zeus-v3		zeus-v3
.gitignore		.gitignore
README.md		README.md
favicon_fail.pcap		favicon_fail.pcap
http-dir-buster-www.example.com.pcap		http-dir-buster-www.example.com.pcap

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

novaha-bro-training

Bro Crash Course

Facilitors:

Prerequisites

SecurityOnion

Git Hub

Bro Introduction

Setup Your Development Environment

Bro Basics

Bro Customization Points

Searching Logs

Scripting Approach

Overview

Programming Examples

HTTP Bruteforcing

Overview

Count All the Things

Notice Framework: Cluster Safe Logging

Problem Approach

Metrics Framework: Cluster Safe Couting

About

Releases

Packages

Languages

LiamRandall/novaha-bro-training

Folders and files

Latest commit

History

Repository files navigation

novaha-bro-training

Bro Crash Course

Facilitors:

Prerequisites

SecurityOnion

Git Hub

Bro Introduction

Setup Your Development Environment

Bro Basics

Bro Customization Points

Searching Logs

Scripting Approach

Overview

Programming Examples

HTTP Bruteforcing

Overview

Count All the Things

Notice Framework: Cluster Safe Logging

Problem Approach

Metrics Framework: Cluster Safe Couting

About

Resources

Stars

Watchers

Forks

Releases

Packages 0

Languages

Packages