Installing BRO IDS on Kali Nethunter
So how does bro work?
This blog post assumes you already have a device running Kali Nethunter and are familiar with Unix terminal commands. I will not be documenting how to install Kali Nethunter onto Nexus and OnePlus devices, as that is out of the scope of this blog.
Now onto the good stuff... We are going to install Bro from source as opposed to using pre-compiled binary packages, because we want the flexibility to customize Bro as we wish.
Update Kali Nethunter
First things first, you need to launch Kali in a terminal. Simply open the Kali launcher app, click on the top-right menu button and select Kali launcher. Then click on "Launch Kali Shell in Terminal".
We will use the terminal for the entire installation process. This calls for a lot of caution and attentiveness to avoid making errors and messing up the file system.
We will start by preparing Nethunter for the installation. It's good practice to ensure all packages are updated and upgraded to the most recent version available before beginning the installation.
- apt-get update
- apt-get upgrade
Now we install all of Bro's dependencies to ensure a smooth build. Please ensure you have a reliable and stable internet connection for the download.
- apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev libmagic-dev libgeoip-dev libelf-dev libcurl4-gnutls-dev
Prepare the GeoIP databases (IPv4 and IPv6). Note that gunzip leaves the .dat file in the current directory, so the files are copied straight from there:
- mkdir -p /usr/share/GeoIP/
- wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
- gunzip GeoLiteCity.dat.gz
- cp GeoLiteCity.dat /usr/share/GeoIP/GeoLiteCity.dat
- wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCityv6-beta/GeoLiteCityv6.dat.gz
- gunzip GeoLiteCityv6.dat.gz
- cp GeoLiteCityv6.dat /usr/share/GeoIP/GeoLiteCityv6.dat
If Bro cannot open its GeoIP database at startup, it logs an error like the one below. The file name it reports (GeoIPCity.dat) differs from the one copied above, so if you see this message make the database available under the reported name as well (a copy or a symlink):
1392083947.452043 Failed to open GeoIP database: /usr/share/GeoIP/GeoIPCity.dat
Run the following commands to download, configure and compile Bro. The prefix /nsm/bro is the directory it will be installed into:
- mkdir -p /nsm/bro
- wget https://www.bro.org/downloads/release/bro-2.4.tar.gz
- tar -zxvf bro-2.4.tar.gz
- cd bro-2.4/
- ./configure --prefix=/nsm/bro
- make
The make process took about 30 minutes to compile, though that could be because I was running it on my Nexus 5 with tons of apps and some demanding applications running in the background. The duration will vary from device to device.
Now let's take the binaries compiled in the previous step and install them into their respective directories under the prefix, then add the bin directory to the PATH. The single quotes matter: they keep $PATH from being expanded when the line is written, so it is evaluated each time a shell starts.
- make install
- echo 'export PATH=$PATH:/nsm/bro/bin' >> ~/.bash_profile
- echo 'export PATH=$PATH:/nsm/bro/bin' >> ~/.bashrc
- source ~/.bashrc
Bro is configured through three files under the install prefix ($PREFIX is /nsm/bro here):
- $PREFIX/etc/node.cfg -> Configure the network interface to monitor (e.g. interface=eth0)
- $PREFIX/etc/networks.cfg -> Configure the local networks (e.g. 10.0.0.0/8 Private IP space)
- $PREFIX/etc/broctl.cfg -> Change the MailTo address and the log rotation
The interfaces you will typically find on a Nethunter device (run ip link or ifconfig -a to list yours) are:
- lo - Localhost interface
- sit0 - Point to point tunnel interface (IPv6-in-IPv4)
- rmnet0 - Mobile data interface (GPRS)
- p2p0 - Peer to peer communication interface
- rndis0 - USB tethering interface
- wlan0 - Internal WiFi interface
- wlan1 - External WiFi adapter via USB OTG
Typical entries for networks.cfg, one network per line:
- 10.0.0.0/8 Private IP space
- 192.168.0.0/16 Private IP space
To start Bro at boot and let broctl run its housekeeping tasks every five minutes, add it to /etc/rc.local and to root's crontab:
- echo "/nsm/bro/bin/broctl start" >> /etc/rc.local
- crontab -e
- 0-59/5 * * * * /nsm/bro/bin/broctl cron
To change the interface Bro monitors later, stop Bro, replace the interface name in node.cfg and deploy the new configuration. Set current_interface and new_interface to the old and new names first; the double quotes let the shell expand them inside the sed expression:
- cd /nsm/bro/bin
- ./broctl stop
- sed -i -e "s/$current_interface/$new_interface/g" /nsm/bro/etc/node.cfg
- ./broctl deploy
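As an added example (not the author's scripts from the update below), here is a POSIX shell version of that stop, edit, deploy sequence. It refuses an interface the kernel does not know about and rewrites only the interface= line, so a name that also appears elsewhere in the file is not clobbered. The /nsm/bro prefix and the standalone node.cfg layout with an "interface=" line are assumed from this post.

```shell
#!/bin/sh
# Added example: switch the interface Bro monitors in node.cfg safely.
# Assumptions (from the post): prefix /nsm/bro, a node.cfg containing a
# line of the form "interface=wlan0".
BRO_PREFIX="${BRO_PREFIX:-/nsm/bro}"
NODE_CFG="${NODE_CFG:-$BRO_PREFIX/etc/node.cfg}"

# Print the interface currently named in a node.cfg file (first match).
current_interface() {
    sed -n 's/^[[:space:]]*interface[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# True only if the kernel knows the interface, so a typo or an unplugged
# OTG adapter is caught before Bro is pointed at nothing.
interface_exists() {
    [ -d "/sys/class/net/$1" ]
}

# Rewrite only the interface= line of the given node.cfg; every other
# setting is left untouched. Prints "old -> new".
set_interface() {
    cfg=$1
    new=$2
    old=$(current_interface "$cfg")
    [ -n "$old" ] || { echo "no interface= line in $cfg" >&2; return 1; }
    # Anchor on the key rather than on the old value.
    sed -i -e "s/^\([[:space:]]*interface[[:space:]]*=[[:space:]]*\).*/\1$new/" "$cfg"
    echo "$old -> $new"
}

# The full procedure from the post: stop, edit, deploy. Needs a real install.
switch_monitored_interface() {
    new=$1
    interface_exists "$new" || { echo "unknown interface: $new" >&2; return 1; }
    "$BRO_PREFIX/bin/broctl" stop || return 1
    set_interface "$NODE_CFG" "$new" || return 1
    "$BRO_PREFIX/bin/broctl" deploy
}
```

Run it as switch_monitored_interface wlan1 after sourcing the file; set_interface on its own is enough to preview the edit on a copy of node.cfg.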
In the next blog post, I will focus on the various log data that Bro produces as well as how to visualize the data you will be collecting.
Update:
After playing around with Bro, I decided to script the Bro installation process to make it easier to install and to update the interfaces you are monitoring. You can download them here. The scripts should run in the Kali Nethunter environment. Simply download them to the sdcard, enter the Kali terminal, copy the file to the current directory, extract the zip file and run the respective script.