Hello,
Finally, I installed Bro IDS (1.5.1) on my Ubuntu (9.10) machine. Of course, that was after the useful information I got from this mailing list. Thank you all.
So after:
./configure
make
make install-broctl
I did not do any sort of configuration because I am not sure what I should do.
I do not want to use Bro for intrusion detection in real time. I am more interested in using it in forensics and intrusion analysis.
In short, I have several network binary files in PCAP and TCPDUMP format. I want to parse these files with Bro and get the Bro alerts in a machine-readable format (txt, csv, or whatever).
1- Is that possible? (Usually I use Snort and it is very easy to accomplish, but I am planning to compare Snort and Bro.)
2- What are the configurations that I need?
Thanks,
Sherif Saad
> In short, I have several network binary files in PCAP and TCPDUMP format. I
> want to parse these files with Bro and get the Bro alerts in a machine-readable
> format (txt, csv, or whatever).
> 1- Is that possible? (Usually I use Snort and it is very easy to accomplish,
> but I am planning to compare Snort and Bro.)
Definitely!
> 2- What are the configurations that I need?
Not much...
bro -f 'ip' -C -r your.pcap brolite
will run 'your.pcap' through bro while loading the brolite policy (which loads most things).
you could run it through specific policies by just running something like
bro -f 'ip' -C -r your.pcap http-request smtp irc
That should get you started. You'll probably want to start writing your own
policy scripts to detect the specific things you are looking for and output
them in the format you want.
> bro -f 'ip' -C -r your.pcap brolite
> will run 'your.pcap' through bro while loading the brolite policy (which loads most things).
Yep. A minor nit: you shouldn't need "-f ip", as analysis scripts generally
include a tcpdump filter for the packets of interest; and you shouldn't
need -C *unless* the capture has bad checksums (which is usually not the
case, but can be for systems that are recording their own traffic, for
example).
Vern
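The original question was about running several captures through Bro offline and getting the alerts in a machine-readable format. The script below is an added example written for this thread, not code from the Bro project or from any of the posters. It follows the reply's command shape (`bro -r capture.pcap brolite`) and drops `-f` and `-C` as Vern suggests. Two things are assumptions rather than facts from the thread: that Bro 1.x writes its log files (alarm.log, notice.log, conn.log, ...) into the current working directory, which is why each capture gets its own output directory so results from different captures never overwrite each other; and that the alarm log consists of lines of `tag=value` tokens with `msg=` as the last, free-text tag. The `log_to_csv` function turns such lines into CSV with one column per requested tag; the sample line in the comments is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: `bro` is on PATH, Bro 1.x
# writes its logs into the current working directory, and alarm.log lines look
# like the constructed sample:
#   t=1263404033.56 no=SomeNotice sa=10.0.0.1 sp=1234 da=10.0.0.2 dp=80 msg=free text
# Usage:  run_all /path/to/captures /path/to/results brolite
#         log_to_csv /path/to/results/<name>/alarm.log t no sa da dp msg > alarms.csv

# run_capture PCAP OUTDIR [POLICY...]
# Runs one capture through Bro inside OUTDIR; returns Bro's exit status.
run_capture() {
    pcap=$1; outdir=$2; shift 2
    mkdir -p "$outdir"
    # absolute path, because we chdir into OUTDIR before invoking bro
    pcap_abs=$(cd "$(dirname "$pcap")" && pwd)/$(basename "$pcap")
    ( cd "$outdir" && bro -r "$pcap_abs" "$@" )
}

# run_all PCAP_DIR OUT_ROOT [POLICY...]
# Processes every *.pcap under PCAP_DIR into OUT_ROOT/<capture name>/ and
# prints the number of captures processed. A failing capture is reported on
# stderr and does not stop the batch.
run_all() {
    pcap_dir=$1; out_root=$2; shift 2
    n=0
    for f in "$pcap_dir"/*.pcap; do
        [ -e "$f" ] || continue          # no captures at all: glob stayed literal
        name=$(basename "$f" .pcap)
        run_capture "$f" "$out_root/$name" "$@" || echo "bro failed on $f" >&2
        n=$((n + 1))
    done
    echo "$n"
}

# log_to_csv LOGFILE TAG...
# Converts "tag=value" lines into CSV with one column per requested tag.
# Tags missing from a line give an empty cell; "msg=" swallows the rest of the
# line because the message text contains spaces; values holding commas or
# quotes are quoted the CSV way.
log_to_csv() {
    log=$1; shift
    fields=$*
    awk -v fields="$fields" '
    function csv(s) { gsub(/"/, "\"\"", s); return (s ~ /[,"]/) ? ("\"" s "\"") : s }
    BEGIN {
        n = split(fields, want, " ")
        for (i = 1; i <= n; i++) printf "%s%s", want[i], (i < n ? "," : "\n")
    }
    {
        split("", v)                      # reset the per-line tag table
        for (j = 1; j <= NF; j++) {
            eq = index($j, "=")
            if (eq == 0) continue
            tag = substr($j, 1, eq - 1)
            if (tag == "msg") {           # free text: keep the rest of the line
                v[tag] = substr($0, index($0, "msg=") + 4)
                break
            }
            v[tag] = substr($j, eq + 1)
        }
        for (i = 1; i <= n; i++) printf "%s%s", csv(v[want[i]]), (i < n ? "," : "\n")
    }' "$log"
}
```

Keeping one directory per capture also makes the later Snort comparison simpler: each capture's Bro output sits beside the same capture's Snort output, and the CSV conversion is a pure text step that can be rerun with a different column selection without touching Bro again.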