node.cfg
networks.cfg
broctl.cfg
Let's start off with networks.cfg
root@securitynik:/opt/bro/etc# cat /opt/bro/etc/networks.cfg
192.168.0.0/24 SecurityNik LAN
Bro runs either in standalone mode or in a clustered configuration, and node.cfg is where that layout is defined. I will simulate a clustered configuration on one host. A clustered configuration needs a Manager, a Proxy and a Worker. I also modified the local hosts file to resolve the following names:

root@securitynik:~# cat /etc/hosts
127.0.0.1 localhost
192.168.0.4 securitynik.n3.local securitynik
192.168.0.4 securitynik
192.168.0.4 n3-bro-mgr
192.168.0.4 n3-bro-proxy
192.168.0.4 n3-bro-worker

Once the hosts file has been modified, the following is the node.cfg configuration.

root@securitynik:~# cat /etc/bro/node.cfg
[n3-bro-mgr]
type=manager
host=n3-bro-mgr

[n3-bro-proxy]
type=proxy
host=n3-bro-proxy

[n3-bro-worker]
type=worker
host=n3-bro-worker
interface=enp0s25
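Before running `broctl install`, it is worth checking that the cluster layout is internally consistent: every node has a valid type, every host name in node.cfg resolves in /etc/hosts, the worker has an interface to sniff, and networks.cfg entries are real CIDR prefixes. The following validator is an added example written for this post; it is not part of Bro or BroControl. The file contents are constructed copies of the networks.cfg, /etc/hosts and node.cfg shown above, and the function names are my own.

```python
"""Sanity-check a Bro cluster layout before `broctl install`.

Added example, not code from the original post or from Bro/BroControl.
The file contents below are constructed to mirror the post's configuration.
"""
import configparser
import ipaddress

# Constructed copy of the post's networks.cfg.
NETWORKS_CFG = "192.168.0.0/24 SecurityNik LAN\n"

# Constructed copy of the post's /etc/hosts.
HOSTS = """\
127.0.0.1 localhost
192.168.0.4 securitynik.n3.local securitynik
192.168.0.4 securitynik
192.168.0.4 n3-bro-mgr
192.168.0.4 n3-bro-proxy
192.168.0.4 n3-bro-worker
"""

# Constructed copy of the post's node.cfg (one manager, one proxy, one worker).
NODE_CFG = """\
[n3-bro-mgr]
type=manager
host=n3-bro-mgr

[n3-bro-proxy]
type=proxy
host=n3-bro-proxy

[n3-bro-worker]
type=worker
host=n3-bro-worker
interface=enp0s25
"""


def parse_hosts(text):
    """Map every name in a hosts file to its IP; comments and blank lines are skipped."""
    names = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *aliases = line.split()
        for alias in aliases:
            names.setdefault(alias, ip)  # first mapping wins, as the resolver does
    return names


def parse_networks_cfg(text):
    """Return [(ip_network, description)]; a malformed prefix raises ValueError."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        prefix, _, description = line.partition(" ")
        # strict=True rejects prefixes with host bits set, e.g. 192.168.0.4/24
        entries.append((ipaddress.ip_network(prefix, strict=True), description.strip()))
    return entries


def parse_node_cfg(text):
    """Return {node_name: {option: value}} from node.cfg (INI syntax)."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def check_cluster(nodes, hosts):
    """Return a list of problems; an empty list means the layout looks sane."""
    problems = []
    roles = {}
    for name, opts in nodes.items():
        role = opts.get("type")
        if role not in ("manager", "proxy", "worker"):
            problems.append(f"{name}: unknown or missing type {role!r}")
            continue
        roles.setdefault(role, []).append(name)
        host = opts.get("host")
        if not host:
            problems.append(f"{name}: no host= entry")
        elif host not in hosts:
            problems.append(f"{name}: host {host!r} does not resolve in /etc/hosts")
        if role == "worker" and not opts.get("interface"):
            problems.append(f"{name}: worker has no interface= to sniff")
    if len(roles.get("manager", [])) != 1:
        problems.append("cluster needs exactly one manager")
    for needed in ("proxy", "worker"):
        if not roles.get(needed):
            problems.append(f"cluster has no {needed} node")
    return problems


if __name__ == "__main__":
    for net, desc in parse_networks_cfg(NETWORKS_CFG):
        print(f"local network {net} ({desc})")
    issues = check_cluster(parse_node_cfg(NODE_CFG), parse_hosts(HOSTS))
    print("node.cfg OK" if not issues else "\n".join(issues))
```

Run against the post's files it reports no issues; drop the `interface=` line from the worker, or remove the `n3-bro-*` entries from the hosts file, and each missing piece is listed before broctl ever tries to start a node.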
Next up, let's configure broctl.cfg. Check this file to see whether anything needs to be modified for your site's specific configuration.

root@securitynik:~# cat /opt/bro/etc/broctl.cfg | more
###############################################
# Mail Options
MailTo = root@localhost
MailConnectionSummary = 1
MinDiskSpace = 5
MailHostUpDown = 1
###############################################
# Logging Options
LogRotationInterval = 3600
LogExpireInterval = 0
StatsLogEnable = 1
StatsLogExpireInterval = 0
###############################################
# Other Options
StatusCmdShowAll = 0
CrashExpireInterval = 0
SitePolicyScripts = local.bro
LogDir = /opt/bro/logs
SpoolDir = /opt/bro/spool
CfgDir = /opt/bro/etc
Let's now load up broctl.
root@securitynik:~# broctl
Then look at the current status:

[BroControl] > status
Name           Type      Host            Status    Pid    Started
n3-bro-mgr     manager   n3-bro-mgr      stopped
n3-bro-proxy   proxy     n3-bro-proxy    stopped
n3-bro-worker  worker    n3-bro-worker   stopped
Once a change has been made to the configuration, we need to run install so that broctl generates the cluster layout and pushes the policies out to the nodes:

[BroControl] > install
removing old policies in /opt/bro/spool/installed-scripts-do-not-touch/site ...
removing old policies in /opt/bro/spool/installed-scripts-do-not-touch/auto ...
creating policy directories ...
installing site policies ...
generating cluster-layout.bro ...
generating local-networks.bro ...
generating broctl-config.bro ...
generating broctl-config.sh ...
updating nodes ...
We then start the different services/roles:

[BroControl] > start
starting n3-bro-mgr ...
starting n3-bro-proxy ...
starting n3-bro-worker ...
Verify once again that all services are running:

[BroControl] > status
Name           Type      Host            Status    Pid    Started
n3-bro-mgr     manager   n3-bro-mgr      running   993    27 Sep 21:58:08
n3-bro-proxy   proxy     n3-bro-proxy    running   1039   27 Sep 21:58:10
n3-bro-worker  worker    n3-bro-worker   running   1076   27 Sep 21:58:12
Looks good from above.
Looking at the log directory we see:

root@securitynik:~# ls /opt/bro/logs/
2018-09-27  current
Looking specifically at the current logs:

root@securitynik:~# ls /opt/bro/logs/current
capture_loss.log   dns.log    known_services.log   stats.log    syslog.log
communication.log  files.log  software.log         stderr.log   weird.log
conn.log           http.log   ssl.log              stdout.log   x509.log