BRO-IDS / Brownian / ElasticSearch Installation

While focusing on network security monitoring, Bro provides a comprehensive platform for more general network traffic analysis as well. Well grounded in more than 15 years of research, Bro has successfully bridged the traditional gap between academia and operations since its inception. Today, it is relied upon operationally in particular by many scientific environments for securing their cyberinfrastructure. Bro’s user community includes major universities, research labs, supercomputing centers, and open-science communities.

I’ve found the Internet lacking a straightforward method for installing BRO-IDS with Brownian and Elasticsearch. Therefore, my hope is that this will ease the struggles of getting up and running.

Download and install Ubuntu 14.04 LTS.

Do not apply updates yet; they are applied as the last step.

Install Java 7
apt-get install openjdk-7-jre-headless

Install Git
apt-get install git

Install ElasticSearch

Using the package manager, run the following:

wget -qO - https://packages.elasticsearch.org/GPG-KEY-elasticsearch | sudo apt-key add -

sudo add-apt-repository "deb http://packages.elasticsearch.org/elasticsearch/1.4/debian stable main"

sudo apt-get update && sudo apt-get install elasticsearch

sudo update-rc.d elasticsearch defaults 95 10

Before starting it, note that Elasticsearch 1.x ships with no authentication and binds to every interface by default. Unless this host sits on an isolated monitoring segment, set network.host: 127.0.0.1 in /etc/elasticsearch/elasticsearch.yml; Bro and Brownian running on the same box only need loopback.

service elasticsearch start

Load Prerequisites for BRO/ELS-JSON

apt-get install libcurl4-gnutls-dev

Manually compile and configure BRO

wget https://www.bro.org/downloads/release/bro-2.3.2.tar.gz

Install dependencies:

sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev

tar -xvf bro-2.3.2.tar.gz
cd bro-2.3.2

./configure

Make certain that cURL and Elasticsearch are displayed as supported in the configure summary; the Elasticsearch log writer is only built when the libcurl development package installed above is found.

make && make install

Add the following to the bottom of local.bro (with the default install prefix this is /usr/local/bro/share/bro/site/local.bro):

@load tuning/logs-to-elasticsearch  

Installation of Brownian

git clone https://github.com/pypa/virtualenv.git

python ./virtualenv.py /opt/Brownian
cd /opt/Brownian
source ./bin/activate

pip install git+https://github.com/grigorescu/Brownian.git

Change ELASTICSEARCH_SERVER in /opt/Brownian/lib/python2.X/site-packages/Brownian/settings.py to your Elasticsearch server’s hostname and port.

Change TIME_ZONE in settings.py to your desired timezone.

Set the environment variable Django needs to find the settings module

export DJANGO_SETTINGS_MODULE=Brownian.settings

Configure the Server instance

python ./bin/django-admin.py syncdb

nohup python ./bin/django-admin.py runserver <public address>:8000 &

Django’s runserver is a development server and is not meant for production use; restrict which hosts can reach port 8000, and put a real web server in front of Brownian if it is to stay up.

Browse to http://<public address>:8000 and you should see Bro log data.
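The three configuration edits above (binding Elasticsearch to loopback, the @load line in local.bro, and the two Brownian settings) are easy to get wrong or duplicate when the procedure is re-run. The script below is an added example, not part of the original post or of the Bro, Elasticsearch or Brownian projects; it applies all three edits idempotently. It assumes the default paths used in this post (the Debian Elasticsearch package, Bro’s default /usr/local/bro prefix, the /opt/Brownian virtualenv), GNU sed as shipped with Ubuntu, that settings.py carries ELASTICSEARCH_SERVER and TIME_ZONE as one-line assignments, and that Brownian accepts the server as a host:port string as the post describes. Run it with the argument apply to make changes; without an argument it only defines the functions.

```shell
#!/bin/sh
# Idempotent post-install configuration for the Bro / Elasticsearch / Brownian
# stack described in this post. Added example; not from the original post.
set -eu

# Default locations (assumptions; override with environment variables).
ES_YML=${ES_YML:-/etc/elasticsearch/elasticsearch.yml}
LOCAL_BRO=${LOCAL_BRO:-/usr/local/bro/share/bro/site/local.bro}
# settings.py lives under the virtualenv's site-packages; the python2.X
# directory name depends on the interpreter, so glob for it.
BROWNIAN_SETTINGS=${BROWNIAN_SETTINGS:-$(ls /opt/Brownian/lib/python2.*/site-packages/Brownian/settings.py 2>/dev/null | head -n1)}

# set_kv FILE KEY SEP VALUE: rewrite the first line that starts with KEY
# (commented out or not, "key: value" or "KEY = value" style), or append
# it, so running twice leaves exactly one copy of the setting.
set_kv() {
    file=$1 key=$2 sep=$3 value=$4
    if grep -q "^[#[:space:]]*${key}[[:space:]]*[:=]" "$file"; then
        # GNU sed in-place edit; BRE matches an optional leading '#'
        sed -i "s|^[#[:space:]]*${key}[[:space:]]*[:=].*|${key}${sep}${value}|" "$file"
    else
        printf '%s%s%s\n' "$key" "$sep" "$value" >> "$file"
    fi
}

# get_kv FILE KEY: print the effective (uncommented) value, or nothing.
get_kv() {
    sed -n "s|^${2}[[:space:]]*[:=][[:space:]]*||p" "$1" | head -n1
}

# ensure_line FILE LINE: append LINE unless it is already present verbatim.
ensure_line() {
    grep -qxF "$2" "$1" || printf '%s\n' "$2" >> "$1"
}

# Elasticsearch 1.x has no authentication and listens on every interface
# by default; bind it to loopback, which is all Bro and Brownian on the
# same host need to reach it at 127.0.0.1:9200.
configure_elasticsearch() {
    set_kv "$1" "network.host" ": " "127.0.0.1"
}

# Brownian: ELASTICSEARCH_SERVER as host:port and TIME_ZONE, both assumed
# to be one-line assignments in settings.py (where the post says to edit).
configure_brownian() {
    set_kv "$1" "ELASTICSEARCH_SERVER" " = " "\"$2\""
    set_kv "$1" "TIME_ZONE" " = " "\"$3\""
}

main() {
    configure_elasticsearch "$ES_YML"
    ensure_line "$LOCAL_BRO" "@load tuning/logs-to-elasticsearch"
    if [ -n "$BROWNIAN_SETTINGS" ]; then
        configure_brownian "$BROWNIAN_SETTINGS" "${ES_HOSTPORT:-127.0.0.1:9200}" "${TZ_NAME:-UTC}"
    fi
    echo "elasticsearch network.host: $(get_kv "$ES_YML" network.host)"
    echo "restart elasticsearch and bro (broctl deploy) for the changes to take effect"
}

if [ "${1-}" = "apply" ]; then
    main "$@"
fi
```

Because set_kv also matches a commented-out key, it uncomments and rewrites the `#network.host: ...` line that the stock elasticsearch.yml carries instead of appending a second one, and a second run changes nothing.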

Apply all updates

apt-get update && apt-get upgrade

All rights and respect to the Bro Project Copyrights.

Leveraging Social Networks and BYOD for Reverse Social Engineering Attacks on Corporate Networks

The growth of social media, coupled with the increasing adoption of BYOD (Bring Your Own Device), presents new challenges for network security. This paper provides a proof of concept of how a carefully crafted Reverse Social Engineering (RSE) attack, using social media platforms such as Facebook or LinkedIn, can compromise mobile devices used by professionals. As a result of BYOD, these compromised devices are readily given network access. Access is likely just as high as the user’s normal access using a company-provided workstation that stays in the environment at all times. This allows an attacker to establish a foothold within the network to launch further attacks. We will also examine the best practices to defend against this growing threat.
