* Install zc.buildout:
At Ubuntu this is done via the command below
$ sudo apt-get install
* Run the buildout command to initialize and install the requirements
$ cp buildout.cfg
$ python
$ buildout2.7
* install mongodb server
$ sudo apt-get install mongodb-server
You may test the mongodb running my writing mongo to he command line
it you see an shell like below then you may continue with bro installation
$ mongo
MongoDB shell version: 2.0.4
connecting to: test
Requirements for Bro installation
$ sudo apt-get install libmagic-dev libgeoip-dev libpcap-dev libssl-dev libncurses5-dev g++ bison flex cmake swig2.0 make gcc g++ python-dev swig zlib1g-dev
$ ./configure --enable-debug
$ make
$ sudo make install
$ cd /usr/local/bro/bin
$ sudo broctl
$ install
$ start
$ stop
$ check
$ exit
$ /usr/local/bro/bin/bro -C -r should be working
* Bro is used both for protocol detection and TCP reassembly. To let Bro handle assemble the contents, a file should be changed. If you installed Bro to /usr/local/bro/ then edit the file /usr/local/bro/share/bro/base/protocols/conn/contents.bro as below
## If this variable is set to ``T``, then all contents of all connections
## will be extracted.
const default_extract = T &redef;
* make a directory named "uploads" where the file is.
$ mkdir uploads
$ chown a+w uploads
* tshark is required for an alternative method to detect application layer protocols where bro fails
$ sudo apt-get install tshark
* If you got backend errors like "django.core.exceptions.ImproperlyConfigured: 'django_mongodb_engine' isn't an available database backend."
install the django-mongodb backend manually
$ pip install hg+
$ pip install hg+
$ pip install git+
Django projects requires a table creation first
$ bin/django syncdb
The project uses hachoir Python library, install them also
$ sudo apt-get install python-hachoir-* (i should add this part to the buildout configuration also)
* to handle smtp, it is required to install tcpflow. After checking the results of Bro and Tcpflow, for smtp, the created flows files seem more manageable.
$ sudo apt-get install tcpflow
