Friday, April 06, 2007

Bro Basics

When I wrote The Tao of Network Security Monitoring I discussed Bro, another open source intrusion detection system frequently ignored by other authors (at least back when I wrote Tao). I haven't used Bro in production but blogging by my friend Geek00l about Bro convinced me I needed to take a second look at Bro. In this post I'd like to document what I needed to do to get Bro running on a test sensor.

I made a directory called /usr/local/bro-1.2.1 owned by user analyst. Then I acted as follows:

cel433:/usr/local/src$ fetch ftp://bro-ids.org/bro-1.2.1-devel.tar.gz
...edited...
cel433:/usr/local/src$ tar -xzvf bro-1.2.1-devel.tar.gz
...edited...
cel433:/usr/local/src/bro-1.2.1$ which flex
/usr/bin/flex
cel433:/usr/local/src/bro-1.2.1$ which bison
/usr/local/bin/bison
cel433:/usr/local/src/bro-1.2.1$ ls -ald /usr/local/bro-1.2.1
drwxr-xr-x 2 analyst analyst 512 Apr 6 19:42 /usr/local/bro-1.2.1
cel433:/usr/local/src/bro-1.2.1$ ./configure --prefix=/usr/local/bro-1.2.1
...edited...
Bro Configuration Summary
==========================================================

- Debugging enabled: no
- OpenSSL support: yes
- Non-blocking main loop: yes
- Non-blocking resolver: yes
- Installation prefix: /usr/local/bro-1.2.1
- Perl interpreter: /usr/local/bin/perl5
- Using basic_string: yes
- Using libmagic: Yes
- Using libclamav: No
- Pcap used: system-provided

cel433:/usr/local/src/bro-1.2.1$ make
...edited...
cel433:/usr/local/src/bro-1.2.1$ make install
...truncated...

Pretty simple so far. According to the Quick Start Guide the easiest way to get going is to use the brolite configuration script, so I used that next. I did not run this as root, so as a result a few of the operations failed (my fault). I note them below. None were fatal.

cel433:/usr/local/src/bro-1.2.1$ make install-brolite
...edited...
/usr/bin/install -c -d /usr/local/etc/rc.d/
install: chmod 755 /usr/local/etc/rc.d/: Operation not permitted
...edited...
Running Bro Configuration Utility

Configure settings in bro.cfg? (YES/no) [YES]
Values enclosed in '[ ]'s are the default value set if you hit return.

Using defaults from bro.cfg.example
You need to be root when you run this script for it to
be fully effective. Please login as root and rerun this
script (or the make install that called this script).

This script will run as a non-root user, but it will not
be able to tune the system or install system files.
It will only be able to create a bro.cfg file.
Checking interfaces ....Done.
Log archive directory [/usr/local/bro-1.2.1/archive]
User id to install and run Bro under [analyst]
Interface name to listen on. The default is to use the busiest one found. [dc0]
Site name for reports (i.e. LBNL, FOO.COM, BAZ.ORG) [taosecuritycom]
Starting time for a report run (0001 is 12:01 am and 1201 is 12:01pm) [0010]
How often (in hours) to generate an activity report [24]
Email reports? (YES/no) [YES]
Email address for local reports to be mailed to [bro@localhost] analyst@localhost
Do you want to encrypt email reports (YES/NO) [NO]
*** You need to hand edit your local networks in the file
*** /usr/local/bro-1.2.1/site/local.site.bro. Please read the file for an
*** example of what it should look like

Bro Configuration Finished.
Press any key to now to continue.
...edited...
/usr/bin/install -c bro.rc /usr/local/etc/rc.d/bro.sh
install: /usr/local/etc/rc.d/bro.sh: Permission denied
*** Error code 71 (ignored)
(cd s2b ; make install)
Making install in bro-include
...edited...
FreeBSD: Registering installation in the package database
Cannot create directory /var/db/pkg/bsdpan-Config-General-2.27: Permission denied
...edited...
Writing /usr/local/bro-1.2.1/perl/lib/perl5/site_perl/5.8.8/mach/auto/Bro/
.packlist
FreeBSD: Registering installation in the package database
FreeBSD: Cannot determine short module description
FreeBSD: Cannot determine module description
Cannot create directory /var/db/pkg/bsdpan-Bro-Utilities-1.2: Permission denied
Appending installation info to /usr/local/bro-1.2.1/perl/lib/perl5/5.8.8/mach/
perllocal.pod
/usr/sbin/chown -R `cat scripts/bro_user_id` /usr/local/bro-1.2.1/
*********************************************************
Please run "/usr/local/bro-1.2.1/etc/bro.rc --start" to start bro
*********************************************************

I made the following changes to account for the IP I would have Bro monitor.

cel433:/usr/local/bro-1.2.1/site$ diff local.site.bro.orig local.site.bro
12c12
< 192.168.1.0/24,
---
> #192.168.1.0/24,
14c14,15
< 10.1.0.0/16
---
> #10.1.0.0/16
> 69.143.202.28/32

I tried to start Bro.

cel433:/root# /usr/local/bro-1.2.1/etc/bro.rc --start
bro.rc: Running as non-root user analyst
bro.rc: Starting ..........bro.rc: Failed to start Bro
/usr/local/bro-1.2.1/policy/scan.bro, line 92: warning: no such host: j5004.inktomisearch.com
/usr/local/bro-1.2.1/policy/scan.bro, line 92: warning: no such host: j5005.inktomisearch.com
/usr/local/bro-1.2.1/policy/scan.bro, line 93: warning: no such host: j5006.inktomisearch.com
/usr/local/bro-1.2.1/policy/scan.bro, line 93: warning: no such host: j100.inktomi.com
/usr/local/bro-1.2.1/policy/scan.bro, line 93: warning: no such host: j101.inktomi.com
/usr/local/bro-1.2.1/policy/scan.bro, line 94: warning: no such host: j3002.inktomi.com
/usr/local/bro-1.2.1/policy/scan.bro, line 94: warning: no such host: si3000.inktomi.com
/usr/local/bro-1.2.1/policy/scan.bro, line 94: warning: no such host: si3001.inktomi.com
/usr/local/bro-1.2.1/policy/scan.bro, line 95: warning: no such host: si3002.inktomi.com
/usr/local/bro-1.2.1/policy/scan.bro, line 95: warning: no such host: si3003.inktomi.com
/usr/local/bro-1.2.1/policy/scan.bro, line 95: warning: no such host: si4000.inktomi.com
/usr/local/bro-1.2.1/policy/scan.bro, line 96: warning: no such host: si4001.inktomi.com
/usr/local/bro-1.2.1/policy/scan.bro, line 96: warning: no such host: si4002.inktomi.com
/usr/local/bro-1.2.1/policy/scan.bro, line 96: warning: no such host: wm3018.inktomi.com
/usr/local/bro-1.2.1/bin/bro: problem with interface dc0
- pcap_open_live: (no devices found) /dev/bpf0: Permission denied
... FAILED

Hmm. Let's change permissions on /dev/bpf0:

cel433:/root# ls -al /dev/bpf0
crw------- 1 root wheel 0, 104 Mar 6 21:42 /dev/bpf0
cel433:/root# chmod 644 /dev/bpf0
cel433:/root# /usr/local/bro-1.2.1/etc/bro.rc --start
bro.rc: Running as non-root user analyst
bro.rc: Starting ..........bro.rc: Failed to start Bro
/usr/local/bro-1.2.1/policy/scan.bro, line 92: warning: no such host: j5004.inktomisearch.com
/usr/local/bro-1.2.1/policy/scan.bro, line 92: warning: no such host: j5005.inktomisearch.com
/usr/local/bro-1.2.1/policy/scan.bro, line 93: warning: no such host: j5006.inktomisearch.com
/usr/local/bro-1.2.1/policy/scan.bro, line 93: warning: no such host: j100.inktomi.com
/usr/local/bro-1.2.1/policy/scan.bro, line 93: warning: no such host: j101.inktomi.com
/usr/local/bro-1.2.1/policy/scan.bro, line 94: warning: no such host: j3002.inktomi.com
/usr/local/bro-1.2.1/policy/scan.bro, line 94: warning: no such host: si3000.inktomi.com
/usr/local/bro-1.2.1/policy/scan.bro, line 94: warning: no such host: si3001.inktomi.com
/usr/local/bro-1.2.1/policy/scan.bro, line 95: warning: no such host: si3002.inktomi.com
/usr/local/bro-1.2.1/policy/scan.bro, line 95: warning: no such host: si3003.inktomi.com
/usr/local/bro-1.2.1/policy/scan.bro, line 95: warning: no such host: si4000.inktomi.com
/usr/local/bro-1.2.1/policy/scan.bro, line 96: warning: no such host: si4001.inktomi.com
/usr/local/bro-1.2.1/policy/scan.bro, line 96: warning: no such host: si4002.inktomi.com
/usr/local/bro-1.2.1/policy/scan.bro, line 96: warning: no such host: wm3018.inktomi.com
/usr/local/bro-1.2.1/bin/bro: problem with interface dc0
- pcap_open_live: (no devices found) /dev/bpf1: Permission denied
... FAILED

Weird. Now it's trying to use /dev/bpf1. Let me change all /dev/bpf*:

cel433:/root# /usr/local/bro-1.2.1/etc/bro.rc --start
bro.rc: Running as non-root user analyst
bro.rc: Starting ............. SUCCESS

Cool, it's running:

cel433:/root# ps -auxww | grep bro
analyst 11237 3.9 11.1 14560 13472 p4 R 9:23PM 0:05.45
/usr/local/bro-1.2.1/bin/bro -W -i dc0 cel433.taosecurity.com.bro
analyst 11232 0.0 1.0 1724 1188 p4 I 9:23PM 0:00.03 /bin/sh
/usr/local/bro-1.2.1/etc/bro.rc --start
root 11455 0.0 0.2 348 208 p4 R+ 9:25PM 0:00.00 grep bro

As you can tell from user analyst's crontab, Bro will be sending some reports periodically.

cel433:/root# exit
cel433:/usr/local/src/bro-1.2.1$ crontab -l
BROHOME=/usr/local/bro-1.2.1
# checkpoint Bro once a week
0 0 * * 1 /usr/local/bro-1.2.1/etc/bro.rc --checkpoint
10 00 * * * ( nice -n 19 /usr/local/bro-1.2.1/scripts/site-report.pl )
10 3 * * * (/usr/local/bro-1.2.1/scripts/mail_reports.sh
/usr/local/bro-1.2.1/etc/bro.cfg)
0 3 * * * (/usr/local/bro-1.2.1/scripts/bro_log_compress.sh)
# If you are process logs on a front end host, add this:
#10 3 * * * (/usr/local/bro-1.2.1/scripts/push_logs.sh FrontendHost)

A look in the logs directory shows what Bro is doing:

cel433:/usr/local/bro-1.2.1/logs$
active_log
alarm.cel433.07-04-06_21.23.15
conn.cel433.07-04-06_21.23.15
ftp.cel433.07-04-06_21.23.15
http.cel433.07-04-06_21.23.15
info.cel433.07-04-06_21.23.15
irc.cel433.07-04-06_21.23.15
notice.cel433.07-04-06_21.23.15
signatures.cel433.07-04-06_21.23.15
smtp.cel433.07-04-06_21.23.15
software.cel433.07-04-06_21.23.15
step.cel433.07-04-06_21.23.15
weird.cel433.07-04-06_21.23.15

For one example, here is what Bro thought of an IRC session it saw:

cel433:/usr/local/bro-1.2.1/logs$ cat irc.cel433.07-04-06_21.17.44-07-04-06_21.17.44
1175908697.639398 #1 new connection 69.143.202.28/32819 > 140.211.166.3/IRC
1175908750.810028 #1 user 'deviousz' leaving

Here's an example of Bro's connection tracking output.

cel433:/usr/local/bro-1.2.1/logs$ tail conn.cel433.07-04-06_21.23.15
1175911505.255911 ? 69.143.202.28 72.14.219.191 http 42774 80 tcp ? ? OTH L
1175911814.254729 10.202526 69.143.202.28 72.14.247.83 https 42793 443 tcp 1855 2167 SF L
1175911554.973023 ? 69.143.202.28 66.102.15.100 http 42717 80 tcp ? ? OTH L
1175911556.929263 ? 69.143.202.28 66.249.81.147 http 42733 80 tcp ? ? OTH L
1175911561.989633 ? 69.143.202.28 66.150.96.119 http 42740 80 tcp ? ? OTH L
1175911561.997082 ? 69.143.202.28 66.150.96.119 http 42741 80 tcp ? ? OTH L
1175911610.239664 ? 69.143.202.28 216.239.37.104 http 42758 80 tcp ? ? OTH L
1175911611.042594 ? 69.143.202.28 66.102.1.147 http 42764 80 tcp ? ? OTH L
1175911611.057809 ? 69.143.202.28 66.102.1.147 http 42765 80 tcp ? ? OTH L

The brolite script made this process much easier than the installation I did several years ago!

There is a lot of information available, and I'm only using the default brolite configuration. If you look at the Bro documentation, mailing list, Wiki, or Geek00l's blog, you'll see a ton of other capabilities. For now I'm going to try to make sense of what I have, and then enable other features as I learn more.

1 comment:

Matthew Lee Hinman said...

One of the annoying things about this is that every time you reboot (at least on my FreeBSD 6.2 machine), the permissions for /dev/bpf* get reset, so bro can't run again. Extremely annoying.