Simple install script for Snort/Bro IDS with JSON logging on FreeBSD
Repository files: LICENSE, README.md, hunter-nsm.sh

Hunter NSM

Copyright (C) 2015 Michael Shirk, Daemon Security Inc.

Hunter NSM is a modular platform for deploying network sensors. Instead of enlarging the sensor's attack surface with numerous additional tools, Hunter takes a minimalist approach to full network monitoring: Bro NSM and Snort IDS, and little else.

Features and Capabilities

  • Automates the installation of Snort or Bro on a FreeBSD server
  • Configures JSON output (u2json from ids-tools for Snort's unified2 logs, and Bro's native JSON log writer) so that events can be consumed by any log collection tool.
  • Uses PulledPork to automate signature updates
  • Configures startup scripts to work with FreeBSD

Key features of Hunter NSM

All logging is configured to output to the /nsm directory (/nsm/bro2 for Bro, /nsm/snort for Snort). Before running the script, ensure that you have enough disk space under /nsm to hold the security data it will log.

Custom configs for Snort:

/usr/local/bin/snortUpdate.sh: runs PulledPork and restarts Snort so that the updated rules take effect.

/usr/local/bin/snortStartup.sh: invoked from /etc/rc.local at boot; starts u2json, which reads the Snort unified2 output from /var/log/snort and writes out JSON events.

/usr/local/bin/du2json: runs u2json with the necessary command line arguments.

Custom configs for Bro:

/opt/bro2/share/bro/site/local.bro: the default site policy, updated to enable JSON log output.
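The reason both sensors are configured for JSON is that a downstream tool can consume the two streams without format-specific parsers. The following is an added example, not part of Hunter NSM or its script: it reads u2json-style Snort alerts and Bro conn.log records, normalises both to a common 5-tuple, and attaches the Bro connection uid to each Snort alert whose connection started within a short time window. The field names follow the shapes u2json and Bro's JSON writer produce but are treated here as assumptions, and every sample line is constructed rather than captured from a sensor; one deliberately truncated line shows how a consumer should survive the partial writes it will see when tailing a live file.

```python
"""Correlate Snort alerts (u2json JSON) with Bro conn.log (JSON) by 5-tuple.

Added example; not Hunter NSM code. Field names are assumptions based on the
usual u2json and Bro JSON output, and all sample records below are constructed.
"""
import json
from collections import defaultdict

# u2json reports the IP protocol as a number; Bro's conn.log uses a name.
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed u2json-style records as written under /nsm/snort (assumed shape).
# The last line is intentionally truncated, as seen when tailing a live file.
SNORT_JSON = """\
{"event-type": "event", "event": {"sensor-id": 0, "event-id": 1, "event-second": 1440000000, "event-microsecond": 250000, "signature-id": 2100498, "generator-id": 1, "signature-revision": 7, "classification-id": 33, "priority": 2, "source-ip": "10.0.0.5", "destination-ip": "198.51.100.7", "sport-itype": 51234, "dport-icode": 80, "protocol": 6}}
{"event-type": "packet", "packet": {"sensor-id": 0, "event-id": 1, "length": 60}}
{"event-type": "event", "event": {"sensor-id": 0, "event-id": 2, "event-second": 1440000900, "event-microsecond": 0, "signature-id": 2008983, "generator-id": 1, "signature-revision": 3, "classification-id": 33, "priority": 1, "source-ip": "10.0.0.9", "destination-ip": "203.0.113.20", "sport-itype": 40000, "dport-icode": 53, "protocol": 17}}
{"event-type": "event", "event": {"sensor-id": 0, "event-id": 3, "event-seco
"""

# Constructed Bro conn.log records in JSON mode as written under /nsm/bro2 (assumed shape).
BRO_CONN_JSON = """\
{"ts": 1440000000.101, "uid": "CHhAvVGS1DHFjwGM9", "id.orig_h": "10.0.0.5", "id.orig_p": 51234, "id.resp_h": "198.51.100.7", "id.resp_p": 80, "proto": "tcp", "service": "http", "duration": 0.42, "orig_bytes": 310, "resp_bytes": 1480, "conn_state": "SF"}
{"ts": 1440000400.0, "uid": "CtPZjS20MLrsMUOJi2", "id.orig_h": "10.0.0.9", "id.orig_p": 40000, "id.resp_h": "203.0.113.20", "id.resp_p": 53, "proto": "udp", "service": "dns", "duration": 0.01, "orig_bytes": 40, "resp_bytes": 120, "conn_state": "SF"}
"""


def iter_json_lines(text):
    """Yield one dict per well-formed line, skipping blanks and partial writes.

    A tailed log file often ends in an incomplete record; a decode error is
    skipped rather than allowed to stall the whole pipeline.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def parse_snort_alerts(text):
    """Return normalised alert dicts; u2json packet/extra-data records are ignored."""
    alerts = []
    for rec in iter_json_lines(text):
        if rec.get("event-type") != "event":
            continue
        ev = rec["event"]
        alerts.append({
            "ts": ev["event-second"] + ev.get("event-microsecond", 0) / 1e6,
            "src": ev["source-ip"], "sport": ev["sport-itype"],
            "dst": ev["destination-ip"], "dport": ev["dport-icode"],
            "proto": PROTO_NAMES.get(ev["protocol"], str(ev["protocol"])),
            # gid:sid:rev is the usual way to name a Snort rule
            "sid": "%d:%d:%d" % (ev["generator-id"], ev["signature-id"], ev["signature-revision"]),
            "priority": ev["priority"],
        })
    return alerts


def parse_bro_conns(text):
    """Return normalised connection dicts from Bro conn.log JSON lines."""
    conns = []
    for rec in iter_json_lines(text):
        conns.append({
            "ts": rec["ts"], "uid": rec["uid"],
            "src": rec["id.orig_h"], "sport": rec["id.orig_p"],
            "dst": rec["id.resp_h"], "dport": rec["id.resp_p"],
            "proto": rec["proto"],
            "service": rec.get("service"), "conn_state": rec.get("conn_state"),
        })
    return conns


def five_tuple(e):
    return (e["proto"], e["src"], e["sport"], e["dst"], e["dport"])


def correlate(alerts, conns, window=60.0):
    """Pair each alert with Bro connections sharing its 5-tuple and starting
    within `window` seconds of the alert; the uid then links to the other Bro logs."""
    by_tuple = defaultdict(list)
    for c in conns:
        by_tuple[five_tuple(c)].append(c)
    matched = []
    for a in alerts:
        for c in by_tuple.get(five_tuple(a), []):
            if abs(c["ts"] - a["ts"]) <= window:
                matched.append({"sid": a["sid"], "priority": a["priority"],
                                "uid": c["uid"], "service": c["service"],
                                "conn_state": c["conn_state"]})
    return matched


if __name__ == "__main__":
    alerts = parse_snort_alerts(SNORT_JSON)
    conns = parse_bro_conns(BRO_CONN_JSON)
    for m in correlate(alerts, conns):
        print(json.dumps(m))
```

With the default 60-second window only the HTTP alert is joined to its Bro connection; the DNS alert fires 500 seconds after its connection started and is left unmatched, which is the behaviour you want when a sensor's clocks or log rotation are off rather than silently linking unrelated flows. In production the two inputs would be the files under /nsm/snort and /nsm/bro2 read incrementally, with the unmatched alerts still forwarded on their own.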