Bro 2.0 integration #147

Closed
GoogleCodeExporter opened this issue Mar 24, 2015 · 23 comments
Comments

@GoogleCodeExporter GoogleCodeExporter commented Mar 24, 2015

Need to fully integrate Bro 2.0.

Original issue reported on code.google.com by doug.bu...@gmail.com on 9 Nov 2011 at 4:32

Remove Bro 1.5.
Consider removing Bro 2.0 Beta and pushing new package with proper installation prefix.

Original comment by doug.bu...@gmail.com on 9 Nov 2011 at 4:34

Setup will need to update etc/node.cfg

Original comment by doug.bu...@gmail.com on 9 Nov 2011 at 4:40

New package should update etc/networks.cfg to include 172.16.0.0/12

Original comment by doug.bu...@gmail.com on 9 Nov 2011 at 4:42

SpoolDir and LogDir in etc/broctl.cfg need to point to /nsm

Original comment by doug.bu...@gmail.com on 9 Nov 2011 at 4:47

Bro 2.0 Final has been released:
http://bro-ids.org/download/index.html

Original comment by doug.bu...@gmail.com on 12 Jan 2012 at 12:12

security-onion-upgrade.sh will need to remove Bro 2.0 Beta with the following:
apt-get -y remove bro bro-logs bro-spool

Original comment by doug.bu...@gmail.com on 12 Jan 2012 at 1:40

# add the 172.16.0.0/12 private range to the networks.cfg that ships with broctl
echo "172.16.0.0/12       Private IP space" >> aux/broctl/etc/networks.cfg
# point BroControl's spool and log directories at /nsm/bro instead of the install prefix
sed -i 's|set(SPOOL ${PREFIX}/spool)|set(SPOOL /nsm/bro/spool)|g' aux/broctl/CMakeLists.txt
sed -i 's|set(LOGS ${PREFIX}/logs)|set(LOGS /nsm/bro/logs)|g' aux/broctl/CMakeLists.txt
# build and turn the install into a .deb
./configure --prefix=/usr/local
make
checkinstall

Original comment by doug.bu...@gmail.com on 12 Jan 2012 at 2:59

Add the following to /etc/init/securityonion.conf to start Bro on boot:
/usr/local/bin/broctl start

Original comment by doug.bu...@gmail.com on 12 Jan 2012 at 3:27

Added cron entry as described in Quick Start Guide:
http://bro-ids.org/documentation/quickstart.html

Created /etc/cron.d/bro:

# /etc/cron.d/bro
#
# crontab entry to monitor Bro processes

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0-59/5 * * * * /usr/local/bin/broctl cron

Original comment by doug.bu...@gmail.com on 12 Jan 2012 at 3:30

Created new nsm package:
/usr/local/lib/ruby/gems/1.9.1/gems/fpm-0.3.11/bin/fpm -s dir -t deb \
    -n securityonion-nsmnow-admin-scripts -v 20120113 \
    /etc/init.d/nsm* /usr/share/nsmnow/ /usr/local/sbin/nsm* /usr/local/lib/nsmnow/ \
    /etc/cron.d/sensor-* /etc/cron.d/nsm* /etc/cron.d/bro* /etc/init/securityonion.conf

Original comment by doug.bu...@gmail.com on 12 Jan 2012 at 3:31

Added the following (and some additional minor tweaks) to /usr/local/bin/setup:

# Bro
# Only configure Bro when sensortab has at least one non-comment (active) sensor line.
if grep -v "^#" /etc/nsm/sensortab > /dev/null
then
    NUM=1
    # first non-loopback IPv4 address on the box; used as the host for every node
    IP=`ifconfig | grep "inet addr" | awk '{print $2}' | cut -d\: -f2 | grep -v "127.0.0.1" | head -1`
    # start from the packaged template (manager + proxy) and point it at this host
    cp /usr/local/etc/node.cfg.securityonion /usr/local/etc/node.cfg
    sed -i "s|host=localhost|host=$IP|g" /usr/local/etc/node.cfg
    # one [worker-N] stanza per sniffing interface (column 4 of sensortab)
    grep -v "^#" /etc/nsm/sensortab | awk '{print $4}' | while read INTERFACE
    do
        echo "* Configuring Bro to monitor $INTERFACE" | tee -a $LOG
        cat << EOF >> /usr/local/etc/node.cfg
[worker-$NUM]
type=worker
host=$IP
interface=$INTERFACE

EOF
        let NUM=NUM+1
    done
    /usr/local/bin/broctl install | tee -a $LOG
    /usr/local/bin/broctl start | tee -a $LOG
fi

Original comment by doug.bu...@gmail.com on 13 Jan 2012 at 5:18
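The node.cfg generation from the setup snippet above, as an added example (not the Security Onion setup script or any project code): the same logic as a function that takes its inputs as arguments, so the generated file can be checked before broctl install runs. The sensortab contents, the template and the IP address are constructed; the only assumption about sensortab is the one the snippet makes, that the sniffing interface is in column 4.

```shell
#!/bin/sh
# gen_node_cfg SENSORTAB TEMPLATE OUT IP
# Copies TEMPLATE to OUT with host=localhost rewritten to IP, then appends one
# [worker-N] stanza per active sensortab line (interface taken from column 4).
# Returns 1 when sensortab has no non-empty, non-comment line, so a caller can
# skip "broctl install" / "broctl start" the way the grep test in setup does.
gen_node_cfg() {
    sensortab=$1 template=$2 out=$3 ip=$4
    grep -v '^#' "$sensortab" | grep -q . || return 1
    sed "s|host=localhost|host=$ip|g" "$template" > "$out"
    awk -v ip="$ip" '
        !/^#/ && NF >= 4 {
            n++
            printf "[worker-%d]\ntype=worker\nhost=%s\ninterface=%s\n\n", n, ip, $4
        }' "$sensortab" >> "$out"
}

# worker_count OUT: number of worker stanzas in a generated node.cfg, a quick
# sanity check that every sensor interface got a worker before broctl runs.
worker_count() {
    grep -c '^\[worker-' "$1"
}

# Constructed sample inputs (not real Security Onion files) so this runs offline.
work=$(mktemp -d)
printf '# name    status  port  interface   (constructed; only column 4 is used)\n' > "$work/sensortab"
printf 'so-eth1   1       7736  eth1\n'  >> "$work/sensortab"
printf 'so-eth2   1       7737  eth2\n'  >> "$work/sensortab"
printf '[manager]\ntype=manager\nhost=localhost\n\n[proxy-1]\ntype=proxy\nhost=localhost\n\n' \
    > "$work/node.cfg.securityonion"

gen_node_cfg "$work/sensortab" "$work/node.cfg.securityonion" "$work/node.cfg" 10.0.0.5
cat "$work/node.cfg"
```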

Packaged /usr/local/bin/setup as follows:
/usr/local/lib/ruby/gems/1.9.1/gems/fpm-0.3.11/bin/fpm -s dir -t deb -n securityonion-setup -v 20120113 /usr/local/bin/setup

Original comment by doug.bu...@gmail.com on 13 Jan 2012 at 5:19

Created /nsm/bro and packaged as follows:
/usr/local/lib/ruby/gems/1.9.1/gems/fpm-0.3.11/bin/fpm -s dir -t deb -n securityonion-bro-nsm -v 20120113 /nsm/bro

Original comment by doug.bu...@gmail.com on 13 Jan 2012 at 5:20

Created node.cfg template (/usr/local/etc/node.cfg.securityonion) as follows:

# Example BroControl node configuration.
#
# This example has a standalone node ready to go except for possibly changing
# the sniffing interface.

# This is a complete standalone configuration.  Most likely you will
# only need to change the interface.
#[bro]
#type=standalone
#host=localhost
#interface=eth0

## Below is an example clustered configuration. If you use this,
## remove the [bro] node above.

#[manager]
#type=manager
#host=host1
#
#[proxy-1]
#type=proxy
#host=host1
#
#[worker-1]
#type=worker
#host=host2
#interface=eth0
#
#[worker-2]
#type=worker
#host=host3
#interface=eth0
#
#[worker-3]
#type=worker
#host=host4
#interface=eth0

[manager]
type=manager
host=localhost

[proxy-1]
type=proxy
host=localhost

Original comment by doug.bu...@gmail.com on 13 Jan 2012 at 5:21

Packaged /usr/local/etc/node.cfg.securityonion as follows:
/usr/local/lib/ruby/gems/1.9.1/gems/fpm-0.3.11/bin/fpm -s dir -t deb -n securityonion-bro-node-cfg -v 20120113 /usr/local/etc/node.cfg.securityonion

Original comment by doug.bu...@gmail.com on 13 Jan 2012 at 5:22

Published:
http://securityonion.blogspot.com/2012/01/security-onion-20120113-now-available.html

Original comment by doug.bu...@gmail.com on 13 Jan 2012 at 5:23

  • Changed state: Verified