Bro 2.0 integration #147

Closed
GoogleCodeExporter opened this Issue Mar 24, 2015 · 23 comments

@GoogleCodeExporter
Need to fully integrate Bro 2.0.

Original issue reported on code.google.com by doug.bu...@gmail.com on 9 Nov 2011 at 4:32

GoogleCodeExporter Mar 24, 2015

Remove Bro 1.5.
Consider removing Bro 2.0 Beta and pushing new package with proper installation prefix.

Original comment by doug.bu...@gmail.com on 9 Nov 2011 at 4:34

GoogleCodeExporter Mar 24, 2015

Setup will need to update etc/node.cfg

Original comment by doug.bu...@gmail.com on 9 Nov 2011 at 4:40

GoogleCodeExporter Mar 24, 2015

New package should update etc/networks.cfg to include 172.16.0.0/12

Original comment by doug.bu...@gmail.com on 9 Nov 2011 at 4:42

GoogleCodeExporter Mar 24, 2015

SpoolDir and LogDir in etc/broctl.cfg need to point to /nsm

Original comment by doug.bu...@gmail.com on 9 Nov 2011 at 4:47

GoogleCodeExporter Mar 24, 2015

Bro 2.0 Final has been released:
http://bro-ids.org/download/index.html

Original comment by doug.bu...@gmail.com on 12 Jan 2012 at 12:12

GoogleCodeExporter Mar 24, 2015

security-onion-upgrade.sh will need to remove Bro 2.0 Beta with the following:
apt-get -y remove bro bro-logs bro-spool

Original comment by doug.bu...@gmail.com on 12 Jan 2012 at 1:40

GoogleCodeExporter Mar 24, 2015

echo "172.16.0.0/12       Private IP space" >> aux/broctl/etc/networks.cfg
sed -i 's|set(SPOOL ${PREFIX}/spool)|set(SPOOL /nsm/bro/spool)|g' aux/broctl/CMakeLists.txt
sed -i 's|set(LOGS ${PREFIX}/logs)|set(LOGS /nsm/bro/logs)|g' aux/broctl/CMakeLists.txt
./configure --prefix=/usr/local
make
checkinstall

Original comment by doug.bu...@gmail.com on 12 Jan 2012 at 2:59

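The build-prep commands in the comment above, rewritten as a re-runnable shell function. This is an added example, not code from the issue or from the Security Onion project. It assumes the same relative paths as a Bro 2.0 source tree (aux/broctl/etc/networks.cfg and aux/broctl/CMakeLists.txt); the sample tree and its file contents are constructed here so the function can be exercised offline. The one behavioural difference from the comment is that the networks.cfg entry is appended only if it is not already present, so a second run (as an upgrade script might trigger) does not duplicate the line.

```shell
#!/bin/sh
# Added example (not code from the issue or from Security Onion): prepare a Bro 2.0
# source tree for the /nsm layout described in the comment above. Assumes the
# relative paths of a Bro 2.0 checkout under $1; the sample tree below is constructed.

# prep_bro_tree TREE: add 172.16.0.0/12 to networks.cfg (once) and point
# SPOOL/LOGS in broctl's CMakeLists.txt at /nsm/bro.
prep_bro_tree() {
    tree=$1
    netcfg="$tree/aux/broctl/etc/networks.cfg"
    cmake="$tree/aux/broctl/CMakeLists.txt"

    # Append the 172.16/12 block only if no line already starts with it, so a
    # repeated run (e.g. from an upgrade script) does not duplicate the entry.
    if ! grep -q '^172\.16\.0\.0/12' "$netcfg"; then
        printf '%s\n' '172.16.0.0/12       Private IP space' >> "$netcfg"
    fi

    # Same substitutions as the sed -i commands in the comment, written to a
    # temp file and moved into place so GNU and BSD sed behave the same.
    sed -e 's|set(SPOOL ${PREFIX}/spool)|set(SPOOL /nsm/bro/spool)|g' \
        -e 's|set(LOGS ${PREFIX}/logs)|set(LOGS /nsm/bro/logs)|g' \
        "$cmake" > "$cmake.tmp" && mv "$cmake.tmp" "$cmake"
}

# check_bro_tree TREE: succeed only if every expected change is present exactly once.
check_bro_tree() {
    tree=$1
    netcfg="$tree/aux/broctl/etc/networks.cfg"
    cmake="$tree/aux/broctl/CMakeLists.txt"
    [ "$(grep -c '^172\.16\.0\.0/12' "$netcfg")" -eq 1 ] || return 1
    grep -qF 'set(SPOOL /nsm/bro/spool)' "$cmake" || return 1
    grep -qF 'set(LOGS /nsm/bro/logs)' "$cmake" || return 1
    ! grep -qF '${PREFIX}/spool' "$cmake" || return 1
    ! grep -qF '${PREFIX}/logs' "$cmake" || return 1
    return 0
}

# make_sample_tree TREE: constructed stand-in for the two files the function edits.
make_sample_tree() {
    tree=$1
    mkdir -p "$tree/aux/broctl/etc"
    cat > "$tree/aux/broctl/etc/networks.cfg" <<'EOF'
# Constructed sample: local networks in CIDR notation followed by a tag.
10.0.0.0/8          Private IP space
192.168.0.0/16      Private IP space
EOF
    cat > "$tree/aux/broctl/CMakeLists.txt" <<'EOF'
set(SPOOL ${PREFIX}/spool)
set(LOGS ${PREFIX}/logs)
EOF
}

# Stand-alone demonstration: prepare a constructed tree twice and verify it.
demo=$(mktemp -d)
make_sample_tree "$demo"
prep_bro_tree "$demo"
prep_bro_tree "$demo"   # second run must be a no-op
if check_bro_tree "$demo"; then
    echo "tree prepared OK"
else
    echo "tree NOT prepared as expected"
fi
rm -rf "$demo"
```

The check function is what a packaging step would run before ./configure: it fails if the substitution did not take (a CMakeLists.txt layout change in a later Bro release would leave ${PREFIX}/spool in place) or if networks.cfg gained a duplicate entry.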
GoogleCodeExporter Mar 24, 2015

Add the following to /etc/init/securityonion.conf to start Bro on boot:
/usr/local/bin/broctl start

Original comment by doug.bu...@gmail.com on 12 Jan 2012 at 3:27

GoogleCodeExporter Mar 24, 2015

Added cron entry as described in Quick Start Guide:
http://bro-ids.org/documentation/quickstart.html

Created /etc/cron.d/bro:

# /etc/cron.d/bro
#
# crontab entry to monitor Bro processes

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0-59/5 * * * * /usr/local/bin/broctl cron

Original comment by doug.bu...@gmail.com on 12 Jan 2012 at 3:30

GoogleCodeExporter Mar 24, 2015

Created new nsm package:
/usr/local/lib/ruby/gems/1.9.1/gems/fpm-0.3.11/bin/fpm -s dir -t deb -n securityonion-nsmnow-admin-scripts -v 20120113 /etc/init.d/nsm* /usr/share/nsmnow/ /usr/local/sbin/nsm* /usr/local/lib/nsmnow/ /etc/cron.d/sensor-* /etc/cron.d/nsm* /etc/cron.d/bro* /etc/init/securityonion.conf

Original comment by doug.bu...@gmail.com on 12 Jan 2012 at 3:31

GoogleCodeExporter Mar 24, 2015

Added the following (and some additional minor tweaks) to /usr/local/bin/setup:

# Bro
# Only configure Bro when /etc/nsm/sensortab lists at least one active (uncommented) sensor.
if grep -v "^#" /etc/nsm/sensortab > /dev/null
then
    NUM=1
    # First non-loopback IPv4 address on this box; used as the host= value for every node.
    IP=$(ifconfig | grep "inet addr" | awk '{print $2}' | cut -d: -f2 | grep -v "127.0.0.1" | head -1)
    # Start from the packaged template (manager + proxy on localhost) and point both at $IP.
    cp /usr/local/etc/node.cfg.securityonion /usr/local/etc/node.cfg
    sed -i "s|host=localhost|host=$IP|g" /usr/local/etc/node.cfg
    # One [worker-N] section per sensor interface (4th field of each active sensortab line).
    grep -v "^#" /etc/nsm/sensortab | awk '{print $4}' | while read INTERFACE
    do
        echo "* Configuring Bro to monitor $INTERFACE" | tee -a $LOG
        cat << EOF >> /usr/local/etc/node.cfg
[worker-$NUM]
type=worker
host=$IP
interface=$INTERFACE

EOF
        let NUM=NUM+1
    done
    /usr/local/bin/broctl install | tee -a $LOG
    /usr/local/bin/broctl start | tee -a $LOG
fi

Original comment by doug.bu...@gmail.com on 13 Jan 2012 at 5:18

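The node.cfg generation from the setup snippet above, as a function that can be run and checked offline. This is an added example, not the Security Onion setup script itself. It takes the host address, template and output paths as arguments instead of reading ifconfig and writing /usr/local/etc/node.cfg, and it assumes the sensortab layout the snippet relies on: non-comment lines whose fourth whitespace-separated field is the sniffing interface. The template and sensortab contents below are constructed for the example.

```shell
#!/bin/sh
# Added example (not the Security Onion setup script): build a BroControl node.cfg
# from a sensortab file the way the setup snippet does. Assumes the 4th field of
# each active sensortab line is the interface; the sample files are constructed.

# gen_node_cfg SENSORTAB TEMPLATE OUTPUT HOST_IP
# Copies TEMPLATE to OUTPUT with host=localhost rewritten to HOST_IP, then
# appends one [worker-N] section per active sensor interface. Prints the
# number of worker sections written.
gen_node_cfg() {
    sensortab=$1; template=$2; out=$3; hostip=$4
    sed "s|host=localhost|host=$hostip|g" "$template" > "$out"
    num=1
    # NF >= 4 skips blank or truncated lines that a bare "awk '{print $4}'"
    # would turn into a worker with an empty interface= value.
    for iface in $(grep -v '^#' "$sensortab" | awk 'NF >= 4 { print $4 }'); do
        printf '[worker-%d]\ntype=worker\nhost=%s\ninterface=%s\n\n' \
            "$num" "$hostip" "$iface" >> "$out"
        num=$((num + 1))
    done
    echo $((num - 1))
}

# count_workers FILE: number of [worker-N] sections present in a node.cfg.
count_workers() {
    grep -c '^\[worker-[0-9]*\]' "$1"
}

# make_samples DIR: constructed template (manager + proxy on localhost, as in
# the node.cfg.securityonion template) and a sensortab with one commented-out
# sensor (eth0) and two active ones (eth1, eth2).
make_samples() {
    dir=$1
    cat > "$dir/node.cfg.template" <<'EOF'
[manager]
type=manager
host=localhost

[proxy-1]
type=proxy
host=localhost

EOF
    cat > "$dir/sensortab" <<'EOF'
# constructed sensortab: NAME  ACTIVE  PORT  INTERFACE
#so-eth0     1       7736  eth0
so-eth1      1       7737  eth1
so-eth2      1       7738  eth2
EOF
}

# Stand-alone demonstration on the constructed inputs.
demo=$(mktemp -d)
make_samples "$demo"
n=$(gen_node_cfg "$demo/sensortab" "$demo/node.cfg.template" "$demo/node.cfg" 10.0.0.5)
echo "wrote $n worker section(s):"
cat "$demo/node.cfg"
rm -rf "$demo"
```

The worker loop is a for loop over the awk output rather than a `| while read` pipeline; in POSIX shells the pipeline form runs the loop in a subshell, so a counter incremented inside it is not visible afterwards. The snippet never reads NUM after its loop, so it is not affected, but the function here needs the final count to report it.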
GoogleCodeExporter Mar 24, 2015

Packaged /usr/local/bin/setup as follows:
/usr/local/lib/ruby/gems/1.9.1/gems/fpm-0.3.11/bin/fpm -s dir -t deb -n securityonion-setup -v 20120113 /usr/local/bin/setup

Original comment by doug.bu...@gmail.com on 13 Jan 2012 at 5:19

GoogleCodeExporter Mar 24, 2015

Created /nsm/bro and packaged as follows:
/usr/local/lib/ruby/gems/1.9.1/gems/fpm-0.3.11/bin/fpm -s dir -t deb -n securityonion-bro-nsm -v 20120113 /nsm/bro

Original comment by doug.bu...@gmail.com on 13 Jan 2012 at 5:20

GoogleCodeExporter Mar 24, 2015

Created node.cfg template (/usr/local/etc/node.cfg.securityonion) as follows:

# Example BroControl node configuration.
#
# This example has a standalone node ready to go except for possibly changing
# the sniffing interface.

# This is a complete standalone configuration.  Most likely you will
# only need to change the interface.
#[bro]
#type=standalone
#host=localhost
#interface=eth0

## Below is an example clustered configuration. If you use this,
## remove the [bro] node above.

#[manager]
#type=manager
#host=host1
#
#[proxy-1]
#type=proxy
#host=host1
#
#[worker-1]
#type=worker
#host=host2
#interface=eth0
#
#[worker-2]
#type=worker
#host=host3
#interface=eth0
#
#[worker-3]
#type=worker
#host=host4
#interface=eth0

[manager]
type=manager
host=localhost

[proxy-1]
type=proxy
host=localhost

Original comment by doug.bu...@gmail.com on 13 Jan 2012 at 5:21

GoogleCodeExporter Mar 24, 2015

Packaged /usr/local/etc/node.cfg.securityonion as follows:
/usr/local/lib/ruby/gems/1.9.1/gems/fpm-0.3.11/bin/fpm -s dir -t deb -n securityonion-bro-node-cfg -v 20120113 /usr/local/etc/node.cfg.securityonion

Original comment by doug.bu...@gmail.com on 13 Jan 2012 at 5:22

GoogleCodeExporter Mar 24, 2015

Published:
http://securityonion.blogspot.com/2012/01/security-onion-20120113-now-available.html

Original comment by doug.bu...@gmail.com on 13 Jan 2012 at 5:23

  • Changed state: Verified