BRO Network Security Monitor Tool

in #utopian-io · 7 years ago (edited)

What Will I Learn?

In this tutorial we will learn about the Bro Network Security Monitor tool. First of all, what is Bro?

Bro: Bro is an intrusion detection system and a powerful network analysis framework. It is adaptable, efficient and flexible, and it has open interfaces. It is often compared to a network intrusion detection system (NIDS), but it can also be used for collecting network measurements, conducting forensic investigations, traffic baselining and troubleshooting. It provides users with a domain-specific, Turing-complete scripting language for expressing analysis tasks. Bro itself is written in C++.

  • In this tutorial we will learn about the Bro intrusion detection system (IDS).
  • We will also learn the Bro IDS commands.

Requirements

There are some requirements for this tutorial; they are given below:

Difficulty

This tutorial is not difficult; it is easy to follow.

  • Basic

Tutorial Contents

In this tutorial we discuss the Bro Network Security Monitoring tool. Bro has the following features:

Deployment :

(i) Runs on commodity hardware on standard UNIX-style systems (including Linux, FreeBSD, and Mac OS).
(ii) Real-time and offline analysis.
(iii) Cluster-support for large-scale deployments.
(iv) Open-source under a BSD license.

Analysis :

(i) Comprehensive logging of activity for offline analysis and forensics.
(ii) Support for many application-layer protocols (including DNS, FTP, HTTP, IRC, SMTP, SSH, SSL).
(iii) Comprehensive IPv6 support.

Scripting Language :

(i) Turing-complete language for expressing arbitrary analysis tasks.
(ii) Event-based programming model.
(iii) Domain-specific data types such as IP addresses (transparently handling both IPv4 and IPv6), port numbers, and timers.
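As an added example of the event-based model and the domain-specific types just listed (this script is not part of the original post or of the Bro distribution), the following Bro script handles the http_request event and raises a Notice when a request uses a method outside an allowed set. The module name HttpMethodCheck, the notice type Unexpected_Method and the allowed-method list are assumptions chosen for the example; the event signature, the connection record fields and the NOTICE() call are Bro 2.x built-ins.

```bro
# Added example, not from the original post: report HTTP requests whose
# method is outside an allowed set. Demonstrates Bro's event-based model
# and its addr/port types (c$id$orig_h, c$id$resp_p) in fmt().
@load base/frameworks/notice
@load base/protocols/http

module HttpMethodCheck;

export {
    redef enum Notice::Type += {
        ## Raised when an HTTP request uses a method outside allowed_methods.
        Unexpected_Method
    };

    ## Methods treated as normal; everything else is reported.
    ## (Assumption: tune this to what the monitored servers actually accept.)
    const allowed_methods: set[string] = { "GET", "HEAD", "POST" } &redef;
}

# Bro raises this event once per HTTP request it parses on any connection.
event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
{
    if ( method in allowed_methods )
        return;

    NOTICE([$note=Unexpected_Method,
            $msg=fmt("HTTP %s from %s to %s:%s for %s",
                     method, c$id$orig_h, c$id$resp_h, c$id$resp_p, original_URI),
            $conn=c,
            # Same source + method is reported once per suppression interval.
            $identifier=cat(c$id$orig_h, method)]);
}
```

Run it against a capture with `bro -r sample1.pcap http_method_check.bro` (file name assumed); matches appear in notice.log. Because addr and port are native types, the same script handles IPv4 and IPv6 traffic without any change.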

Interfacing :

(i) Real-time integration of external input into analyses. Live database input in preparation.
(ii) Ability to trigger external processes from within the scripting language.

Reference Link : https://www.bro.org/index.html

BRO Download Link : https://www.bro.org/download/index.html

Let's look at the Bro commands. Download the Bro source on Kali Linux with:

git clone --recursive git://git.bro.org/bro

Configure, build and install Bro with:

./configure
make
make install 

The build has some dependencies. On DEB/Debian-based Linux install them with:

sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev

Configure the runtime environment: add Bro's bin directory to your PATH so the bro and broctl commands are found:

export PATH=/usr/local/bro/bin:$PATH

Now we will look at BroControl. Start the BroControl shell with:

broctl

Inside the BroControl shell, install the configuration with:

[BroControl] > install

Start Bro:

[BroControl] > start

To stop the running Bro instance:

[BroControl] > stop

We can also analyse a capture file offline with Bro (the -r option reads a pcap file instead of a live interface):

$ bro -r sample1.pcap local

Custom scripts for Bro: on Kali Linux the site-specific script is

/opt/bro/share/bro/site/local.bro

You can also add custom scripts and reference them from the policy directory:

/opt/bro/share/bro/policy/

If we want, we can create a new directory for custom scripts under the policy directory:

sudo mkdir /opt/bro/share/bro/policy/custom-scripts

Add your custom scripts to that directory together with a loader file named

__load__.bro

and list the scripts to load in that file:

@load ./script1.bro
@load ./script2.bro
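As an added example of what such a custom script can contain (not part of the original post or of Bro itself), here is a script1.bro for the custom-scripts directory above. It uses Bro's table and set types with the &create_expire timer attribute to count how many distinct destination ports each source host contacts within a time window, and raises a Notice when a host exceeds a threshold. The module name PortSpread, the notice type Many_Ports, the threshold of 20 ports and the 5-minute window are assumptions for the example.

```bro
# Added example, not from the original post: contents of
# /opt/bro/share/bro/policy/custom-scripts/script1.bro
# Reports source hosts that contact many distinct destination ports within
# a window. Table entries expire on a timer (&create_expire), so the state
# does not grow without bound.
@load base/frameworks/notice

module PortSpread;

export {
    redef enum Notice::Type += {
        ## A source contacted at least port_threshold distinct ports in `window`.
        Many_Ports
    };

    ## Assumed values; tune for the monitored network.
    const port_threshold = 20 &redef;
    const window = 5min &redef;      # Bro's native interval type
}

# addr -> set of destination ports seen; entry vanishes `window` after creation.
global ports_seen: table[addr] of set[port] &create_expire=window;

# Hosts already reported, so each one is noticed once per window.
global reported: set[addr] &create_expire=window;

# Raised when Bro removes a connection from its state table.
event connection_state_remove(c: connection)
{
    local src = c$id$orig_h;

    if ( src !in ports_seen )
        ports_seen[src] = set();

    add ports_seen[src][c$id$resp_p];

    if ( |ports_seen[src]| >= port_threshold && src !in reported )
    {
        add reported[src];
        NOTICE([$note=Many_Ports,
                $msg=fmt("%s contacted %d distinct ports within %s",
                         src, |ports_seen[src]|, window),
                $src=src]);
    }
}
```

With `@load ./script1.bro` in `__load__.bro` and `@load custom-scripts` added to local.bro, the script is loaded on every restart and its results go to notice.log. It can also be tested offline first with `bro -r mypackets.trace custom-scripts` from the policy directory.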

Restart Bro with the given command (this helper comes from Security Onion's NSM scripts; on a plain source install, `broctl restart` does the same):

sudo nsm_sensor_ps-restart --only-bro

Monitoring live traffic: in this tutorial we also monitor the live traffic on a network interface with the following command:

bro -i en0 <list of scripts to load>

Packet capture files: we can capture traffic from an interface and write it to a file with tcpdump, like this:

sudo tcpdump -i en0 -s 0 -w mypackets.trace

After capturing the traffic, analyse the file with:

bro -r mypackets.trace
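As an added example of a script to run against such a trace (not part of the original post or of Bro), the following conn_summary.bro counts connections per identified service and prints the totals when the trace ends. The script name and module name ConnSummary are assumptions; connection_state_remove, bro_done and the c$service set are Bro built-ins. Because Bro's event model is the same for offline and live analysis, the identical script also runs with `bro -i en0 conn_summary.bro`.

```bro
# Added example, not from the original post. Run as:
#   bro -r mypackets.trace conn_summary.bro
# Prints the number of connections per service Bro identified in the trace.
@load base/protocols/conn

module ConnSummary;

# Missing keys read as 0, so ++ works on first use.
global by_service: table[string] of count &default=0;
global total: count = 0;

# Raised once per connection when Bro discards its state (end of trace flushes
# all remaining connections, so every one is counted).
event connection_state_remove(c: connection)
{
    ++total;

    # c$service holds the protocol names Bro's analyzers recognised on this
    # connection (e.g. "http", "dns"); it is empty when nothing matched.
    if ( |c$service| == 0 )
        ++by_service["unknown"];
    else
        for ( svc in c$service )
            ++by_service[svc];
}

# Raised when Bro finishes: end of the trace, or shutdown on a live interface.
event bro_done()
{
    print fmt("%d connections in total", total);
    for ( svc in by_service )
        print fmt("  %s: %d", svc, by_service[svc]);
}
```

The output goes to stdout; Bro's normal conn.log, dns.log and similar files are still written to the current directory, so the summary can be cross-checked against them.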

Local site customization: to load the site-specific local.bro while monitoring live traffic, run:

bro -i en0 local

Running Bro without installing: developers often run Bro directly from the build directory instead of installing it. The sequence is:

./configure
make
source build/bro-path-dev.sh
bro <options>

Posted on Utopian.io - Rewarding Open Source Contributors

Source: https://www.bro.org/sphinx/intro/index.html

Not indicating that the content you copy/paste is not your original work could be seen as plagiarism.

Some tips to share content and add value:

  • Use a few sentences from your source in “quotes.” Use HTML tags or Markdown.
  • Link to your source.
  • Include your own original thoughts and ideas on what you have shared.

Repeated plagiarized posts are considered spam. Spam is discouraged by the community, and may result in action from the cheetah bot.

Creative Commons: If you are posting content under a Creative Commons license, please attribute and link according to the specific license. If you are posting content under CC0 or Public Domain please consider noting that at the end of your post.

If you are actually the original author, please do reply to let us know!

Thank You!

Your contribution cannot be approved because it does not follow the Utopian Rules, and is considered as plagiarism. Plagiarism is not allowed on Utopian, and posts that engage in plagiarism will be flagged and hidden forever.

Everything in your tutorial is either taken from here, here or here.

You can contact us on Discord.
[utopian-moderator]

Your contribution cannot be approved because it does not follow the Utopian Rules.
Utopian rules:

  • Tutorials must be technical instructions that teach non-trivial aspects of an Open Source project.
  • The linked Github repository must always contain code, a README and a license

You can contact us on Discord.
[utopian-moderator]
