-
Notifications
You must be signed in to change notification settings - Fork 3
/
Brotos.txt
97 lines (85 loc) · 7.38 KB
/
Brotos.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
1) Choose one of the mirrors from the following link and download Centos 7 ISO.
http://isoredirect.centos.org/centos/7/isos/x86_64/CentOS-7-x86_64-Everything-1511.iso
2) Open VirtualBox and create a new virtual machine with centos running on it. If you are not sure how to do that, you can check my tutorial on creating virtual machines on VirtulBox.
3) Once you reboot your virtual machine after installation, type "yum update" and then "yum upgrade".
4) Execute "yum group install "Development Tools"".
5) Install dependencies: "yum install cmake make gcc gcc-c++ flex bison libpcap-devel openssl-devel python-devel swig zlib-devel perl"
6) yum install GeoIP-devel to enable geolocating of IP addresses.
In order to download geoip database install wget (yum install wget) and then execute the following commands:
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
gunzip GeoLiteCity.dat.gz
Then move it to required folder:
mv GeoLiteCity.dat /usr/share/GeoIP/GeoIPCity.dat
7) Install gawk to enable bro-cut features
yum install gawk
8) Install gperftools to improve CPU usage.
yum install gperftools
9) Install epel
yum -y install epel-release
10) After installing Bro, it is better to check if all the required dependencies are installed. If not installed, Bro will not give any errors, but some of its features may not work as expected. To check if runtime dependencies are installed, execute the following command:
yum -y install libpcap openssl-libs bind-libs zlib bash python libcurl gawk GeoIP jemalloc
And to check build dependencies, execute the following command:
yum -y install @development libpcap-devel openssl-devel bind-devel zlib-devel cmake git perl libcurl-devel GeoIP-devel python-devel jemalloc-devel swig rpmdevtools
11) AF_PACKET requires kernel-devel, so install it as follows:
yum install -y kernel-devel-$(uname -r)
12) Now, we are hopefully done with dependencies, so we can move on to installation of bro. Get the desired download link for the desired Bro version and issue the following commands:
wget https://www.bro.org/downloads/release/bro-2.4.1.tar.gz
tar -xvf bro-2.4.1
cd bro-2.4.1
./configure
make
make install
13) After these steps, you should find bro under /usr/local/bro unless you explicitly specified a different path.
14) In order to successfully run Bro, you need to make a few configurations. For that, go to /usr/local/bro/etc/networks.cfg file and add your desired IP mask. Also there is broctl.cfg file under the same directory, which performs general adjustments for bro, like bro mailing options or log refresh options. You can change LogRotationInterval to 86400 in order to save logs each day. Also you can change LogExpireInterval field to delete logs after a certain amount of time. Also LogDir field asserts directory to which logs are saved. CfgDir field is used to show location of other configuration files, and finally SitePolicyStandalone field indicates the script that Bro will look for. Also modify nodes.cfg according to your needs.
15) To run bro and broctl from anywhere, type the following command:
export PATH=/usr/local/bro/bin:$PATH
Do not forget that this change will be effective only for the time being, to make it permanent modify ~/.bashrc and add the above line.
16) You can check bro status by typing broctl in command line and then typing status. You can use check command in broctl to check bro scripts, install to install these scripts and start or restart to start bro. Note that you should issue install command before issuing check command, otherwise you may see some errors.
17) After these, your Bro should be running. You can see the logs under /usr/local/bro/logs/current/ directory. Bro automatically generates different types of log files depending on your network traffic. You can see the possible log file types Bro supports and which information these log files present in https://www.bro.org/sphinx-git/script-reference/log-files.html.
18) Bro comes with many scripts, some of which are not even loaded in default configuration. For example, if you want to enable file extraction, there is a bro script (/frameworks/files/extract-all-files.bro) which extracts files. You can load this script by adding @load /frameworks/files/extract-all-files in local.bro file.
19) In order to perform some maintenance tasks automatically, like restarting the bro if stopped abnormally or erasing expired log files, issue "crontab -e" command and add the following line:
* 0-23/1 * * * /usr/local/bro/bin/broctl cron
Note that you can adjust the time parameters, above line will perform every one hour.
20) One important thing to note here is that bro may cause capture losses without dropped packets. You may not notice it since there will be no record indicating there are dropped packets. However, still there may be capture losses. The main reason for this is misconfiguration of Ethernet interface. TCP segmentation offload and generic segmentation offload may cause this problem, which loeads to observation of packets much larger than the MTU of the interface which thereupon may interfere with the maximum packet capture size. The solution is to disable the interface's offloading features. To do so, issue the following commands:
ethtool -K eth0 tso off
ethtool -K eth0 gso off
ethtool -K eth0 gro off
ethtool -K eth0 lro off
ethtool -K eth0 ufo off
ethtool -K eth0 rx off
ethtool -K eth0 tx off
ethtool -K eth0 sg off
You can do these in one line, but I strongly recommend you to perform each of these separately and check if the problem is fixed after exectution of each command. The reason for this is that turning some of these features may cause problems later. Therefore, you should start with tso and follow the order used above.
File Extraction with Bro
In order to extract files with Bro, you can use Bro's own extract-all-files.bro script or you can use https://github.com/hosom/bro-file-extraction. Also you can change bro-file-extraction to show filenames by changing main.bro as follows:
load ./file-extensions
module FileExtraction;
export {
## Path to store files
const path: string = "" &redef;
## Hook to include files in extraction
global extract: hook(f: fa_file, meta: fa_metadata);
## Hook to exclude files from extraction
global ignore: hook(f: fa_file, meta: fa_metadata);
}
event file_sniff(f: fa_file, meta: fa_metadata)
{
if ( meta?$mime_type && !hook FileExtraction::extract(f, meta) )
{
if ( !hook FileExtraction::ignore(f, meta) )
return;
if ( meta$mime_type in mime_to_ext )
local fext = mime_to_ext[meta$mime_type];
else
fext = split_string(meta$mime_type, /\//)[1];
local fname = fmt("%s%s-%s.%s", path, f$source, f$id, fext);
if ( f?$info && f$info?$filename)
fname = fmt("%s%s-%s-%s", path, f$source, f$id, f$info$filename);
Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
[$extract_filename=fname]);
}
}
Logging in json format
1) Check if json-logs.bro exists, it should reside under $PREFIX/share/bro/policy/tuning/, if not, you can find it online.
2) Insert "@load $PREFIX/share/bro/policy/tuning/json-logs.bro" to local.bro.
3) Then run broctl, check configuration for any errors, install the scripts and restart bro. After that you should be seeing logs in json format.