Module for Bro IDS
- Bro version 2.5.3 RELEASE
- Install and update Bro NIDS on a remote server.
- Configure the settings and test the configuration.
- Add, Delete, Update scripts and signatures.
- Test signatures and scripts compliance.
- Test signatures and scripts via Pcap.
- Add data to the Intelligence Framework (IP, URL, Domain ...), with the option to import them in CSV format.
- Group rules into rulesets and assign them to probes.
- Pull feeds from Critical Stack.
Install with ProbeManager
- Name: Give a unique name for this instance, example: server-tap1_bro.
- Secure deployment: Specify if you want rules to be verified at each deployment.
- Scheduled rules deployment enabled: Enable scheduled deployment of rules.
- Scheduled check enabled: Enable instance monitoring (checks whether the probe is active).
- Server: Specify the server for the probe.
- Probe already installed: Specify if the probe is already installed.
- Rulesets: Choose the sets of rules that will be deployed on this probe.
- Configuration: Give the configuration of the probe.
Allows you to modify the Bro configuration.
- broctl.cfg: Change the MailTo email address to a desired recipient and the LogRotationInterval to a desired log archival frequency.
- node.cfg: Set the right interface to monitor.
- networks.cfg: Comment out the default settings and add the networks that Bro will consider local to the monitored environment.
- local.bro: The main entry point for the default analysis configuration of a standalone Bro instance managed by BroControl.
Allows you to add Bro intel.
- indicator: The indicator value.
- indicator_type: The type of the indicator, chosen from the list of available types.
- meta.source: An arbitrary string value representing the data source. This value is used as a unique key to identify a metadata record in the scope of a single intelligence item.
- meta.desc: A freeform description for the data.
- meta.url: A URL for more information about the data.
Intel data is deployed to a Bro instance at each deployment of its rules.
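As an added example (not part of ProbeManager or Bro), this converts a CSV import of the fields listed above into the tab-separated file the Bro Intelligence Framework reads, applying two rules that otherwise cause silent non-matches: URL indicators carry no scheme and domains are lowercased. The function names and the sample CSV are constructed for this illustration.

```python
import csv
import io

# Column order of a Bro intel file; the header line is "#fields" plus these names.
INTEL_FIELDS = ["indicator", "indicator_type", "meta.source", "meta.desc", "meta.url"]

# Indicator types accepted by the Intelligence Framework (subset shown).
INTEL_TYPES = {"Intel::ADDR", "Intel::SUBNET", "Intel::URL", "Intel::DOMAIN",
               "Intel::EMAIL", "Intel::FILE_HASH", "Intel::SOFTWARE",
               "Intel::USER_NAME", "Intel::CERT_HASH"}


def normalize_indicator(indicator, itype):
    """Apply the framework's matching rules to one indicator value."""
    value = indicator.strip()
    if itype == "Intel::URL":
        # Bro matches URL indicators without the protocol part (e.g. "http://").
        for scheme in ("http://", "https://"):
            if value.lower().startswith(scheme):
                value = value[len(scheme):]
    elif itype == "Intel::DOMAIN":
        value = value.lower().rstrip(".")
    return value


def csv_to_intel(csv_text):
    """Turn CSV rows (indicator,indicator_type,meta.source,meta.desc,meta.url)
    into the text of a Bro intel file. Raises ValueError on an unknown type."""
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        itype = rec["indicator_type"].strip()
        if itype not in INTEL_TYPES:
            raise ValueError("unknown indicator_type: %s" % itype)
        # Empty metadata is written as "-"; tabs inside a value would break the format.
        meta = [((rec.get(f) or "").strip().replace("\t", " ") or "-") for f in INTEL_FIELDS[2:]]
        rows.append([normalize_indicator(rec["indicator"], itype), itype] + meta)
    lines = ["#fields\t" + "\t".join(INTEL_FIELDS)] + ["\t".join(r) for r in rows]
    return "\n".join(lines) + "\n"


# Constructed sample import (RFC 5737 / .invalid values, not real indicators).
SAMPLE_CSV = """indicator,indicator_type,meta.source,meta.desc,meta.url
198.51.100.23,Intel::ADDR,constructed-feed,example scanner,https://example.invalid/ioc/1
http://example.invalid/payload.exe,Intel::URL,constructed-feed,example dropper URL,
Example.INVALID.,Intel::DOMAIN,constructed-feed,,
"""

if __name__ == "__main__":
    print(csv_to_intel(SAMPLE_CSV), end="")
```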
- API Key: API key of your Critical Stack sensor.
- Scheduled pull: Give a crontab expression to schedule a pull of intel from the feeds.
- Bros: Select the Bro instances to which the feeds apply.
- 'Uptime' indicates the time elapsed since the application was last started.
- 'Refresh Instance Status' is a button that reports the status of the application (running or not).
- 'Update instance': to change the version, edit the configuration file and set the version number you want.
- 'Deploy configuration' copies the configuration files to the remote server and reloads the Bro instance.
- 'Deploy rules' copies the rules files (signatures and scripts) to the remote server and reloads the Bro instance.
The problem with Bro scripts is that they are not necessarily independent of each other, which is what makes them complicated to test. To solve this problem, all the scripts of an instance have to be tested at the same time.
Warning: Bro default scripts are not in the database.