Many security professionals rely on Zeek for network security monitoring, but one question keeps coming up: how do you decrypt traffic using Zeek?
Tag: Bro
Network encryption changes the game for security teams: payload inspection no longer works, so malicious traffic is harder to identify. It may even paralyze some people, and cause others to dismiss network security monitoring altogether.
But does it have to be this way? During a recent SANS webcast entitled Alternative Network Visibility Strategies for an Encrypted World, which featured Zeek/Bro experts, Matt Bromiley said, “(Encryption) just means I have to change my analysis techniques and change the way I approach these particular datasets as well.”
The last three articles I’ve published step you through how to set up the Bro intrusion detection system (IDS) on Red Hat 7. You’ve read through installing prerequisites, compiling and installing Bro, and configuring it for the first time. But despite anyone’s best efforts, there are likely to be some hiccups along the way. Your Bro workers might drop packets, hit a Bro bug, or simply crash. This post examines some tools that help you diagnose common issues, and walks through potential causes and solutions for Bro.
The Bro IDS is great at analyzing network traffic, and it is very capable at detecting and logging the issues it finds in that traffic. It’s amazing that an open-source project has progressed this far. This post, part three of the series, covers configuring Bro and running it.
Let’s review what we covered in part one and part two of this guide:
- Prerequisites for the Bro IDS are installed, including:
  - PF_RING
  - Other needed packages
- OS settings are adjusted, including:
  - Firewall/IPTables
  - Memory/buffer settings
- Bro is compiled
- Plugins are compiled and installed, including:
  - PF_RING
  - Setcap (which grants the capabilities Bro needs to capture packets as a non-root user)
This section will go into configuring various settings in Bro, then starting Bro. We’ll also explore how to check on the health of Bro.
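The health check mentioned above, and the packet-drop diagnosis in the troubleshooting post, both start from Bro’s capture_loss.log, which estimates loss per worker from TCP segments that were acknowledged but never seen. The script below is an added example, not code from the original series: it parses that log using the standard tab-separated Bro/Zeek ASCII format (the #fields and #types headers drive column names and types), rolls the intervals up per worker, and flags any worker that exceeded a loss threshold. The sample log lines are constructed, and the 10% threshold is an assumed value for illustration; the function names (parse_zeek_log, summarise, worst_worker) are this example’s own.

```python
"""Roll up Bro/Zeek capture_loss.log per worker and flag likely packet drops.

Added example for illustration; not part of the original blog series. The log
layout is the standard Bro/Zeek ASCII format. Sample data is constructed and the
default threshold is an assumption chosen for this example.
"""
from collections import defaultdict

# Constructed sample: two workers reporting three 15-minute intervals each.
# percent_lost = 100 * gaps / acks, so worker-2 is losing traffic in two intervals.
SAMPLE_CAPTURE_LOSS_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tcapture_loss
#fields\tts\tts_delta\tpeer\tgaps\tacks\tpercent_lost
#types\ttime\tinterval\tstring\tcount\tcount\tdouble
1500000000.000000\t900.000000\tworker-1\t3\t40000\t0.0075
1500000000.000000\t900.000000\tworker-2\t4100\t38000\t10.789474
1500000900.000000\t900.000000\tworker-1\t2\t41000\t0.004878
1500000900.000000\t900.000000\tworker-2\t5300\t39500\t13.417722
1500001800.000000\t900.000000\tworker-1\t0\t39800\t0.0
1500001800.000000\t900.000000\tworker-2\t60\t40100\t0.149626
"""

# How to coerce each Bro/Zeek column type named in the '#types' header line.
_CASTS = {"time": float, "interval": float, "count": int, "double": float, "string": str}


def parse_zeek_log(text):
    """Yield one dict per data row of a tab-separated Bro/Zeek ASCII log.

    Column names come from '#fields', types from '#types'; other '#' lines are
    metadata and are skipped. The unset marker '-' becomes None.
    """
    fields = casts = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            tag, _, rest = line.partition("\t")
            if tag == "#fields":
                fields = rest.split("\t")
            elif tag == "#types":
                casts = [_CASTS.get(t, str) for t in rest.split("\t")]
            continue
        if fields is None:
            raise ValueError("data row seen before the #fields header")
        cols = line.split("\t")
        if len(cols) != len(fields):
            raise ValueError(f"column count mismatch in row: {line!r}")
        if casts is None:  # no #types header: keep everything as strings
            casts = [str] * len(fields)
        yield {f: (None if v == "-" else c(v)) for f, v, c in zip(fields, cols, casts)}


def summarise(rows, threshold_pct=10.0):
    """Return {peer: stats} with totals, worst interval, and an alert flag.

    A worker is flagged when any single interval reached threshold_pct (assumed
    default 10%); overall_pct is the loss across all intervals combined.
    """
    per = defaultdict(lambda: {"intervals": 0, "gaps": 0, "acks": 0, "max_pct": 0.0, "over": 0})
    for r in rows:
        if r["percent_lost"] is None:
            continue
        s = per[r["peer"]]
        s["intervals"] += 1
        s["gaps"] += r["gaps"]
        s["acks"] += r["acks"]
        s["max_pct"] = max(s["max_pct"], r["percent_lost"])
        if r["percent_lost"] >= threshold_pct:
            s["over"] += 1
    for s in per.values():
        s["overall_pct"] = 100.0 * s["gaps"] / s["acks"] if s["acks"] else 0.0
        s["alert"] = s["over"] > 0
    return dict(per)


def worst_worker(summary):
    """Name of the worker with the highest single-interval loss (None if empty)."""
    return max(summary, key=lambda p: summary[p]["max_pct"]) if summary else None


def report(summary):
    """One human-readable line per worker, alerts first."""
    lines = []
    for peer, s in sorted(summary.items(), key=lambda kv: (not kv[1]["alert"], kv[0])):
        flag = "ALERT" if s["alert"] else "ok   "
        lines.append(f"{flag} {peer}: {s['overall_pct']:.3f}% overall, "
                     f"{s['max_pct']:.3f}% worst interval, {s['over']}/{s['intervals']} intervals over threshold")
    return lines


if __name__ == "__main__":
    stats = summarise(parse_zeek_log(SAMPLE_CAPTURE_LOSS_LOG))
    print("\n".join(report(stats)))
    print("worst worker:", worst_worker(stats))
```

Point the parser at a real capture_loss.log from $PREFIX/logs/current and the same functions apply unchanged; a worker that alerts here is the one to check next with broctl netstats and the kernel/PF_RING ring statistics.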
This is part two of a four-part series on getting started with the Bro IDS. See part one for installing the Bro prerequisites. This post is about compiling and installing Bro.
Bro Compilation and Installation
Now that the prerequisites are taken care of, it is time to compile and install Bro. I downloaded Bro 2.5 from bro.org, extracted it, entered the directory, and ran:
./configure --with-pfring=/usr/src/PF_RING --with-pcap=/opt/pf_ring-6.5.0 --prefix=/opt/bro
The ./configure summary reports each optional component it found. It is fine to see failures on some lines, since not every item is needed on your system, but if you followed this guide you should see success for gperftools and PF_RING, and for GeoIP if you installed it. (I skipped installing GeoIP, so it shows false in my output.)
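Because ./configure will quietly fall back to the system libpcap if the --with-pcap path is wrong, it is worth checking the three paths before running the build. The wrapper below is an added example, not a script from the original post: it defaults to the paths used in the ./configure line above (overridable through the environment), verifies that they and the toolchain exist, and only then runs the configure/make/make install sequence from inside the extracted Bro 2.5 source directory. The function names are this example’s own.

```shell
# Preflight checks and build wrapper for Bro 2.5 with PF_RING.
# Added example, not part of the original series. Defaults match the article's
# ./configure line; override via PFRING_SRC, PFRING_PCAP and BRO_PREFIX.
PFRING_SRC="${PFRING_SRC:-/usr/src/PF_RING}"
PFRING_PCAP="${PFRING_PCAP:-/opt/pf_ring-6.5.0}"
BRO_PREFIX="${BRO_PREFIX:-/opt/bro}"

# check_bro_build_paths SRC PCAP PREFIX
# Returns 0 when every directory the configure flags point at exists, 1 otherwise,
# naming each problem on stderr.
check_bro_build_paths() {
  src="$1"; pcap="$2"; prefix="$3"; rc=0
  if [ ! -d "$src" ]; then
    echo "PF_RING source tree not found: $src" >&2; rc=1
  fi
  # --with-pcap takes an install prefix: lib/ holds PF_RING's libpcap, include/ its headers
  if [ ! -d "$pcap/lib" ] || [ ! -d "$pcap/include" ]; then
    echo "PF_RING libpcap prefix lacks lib/ or include/: $pcap" >&2; rc=1
  fi
  # make install creates the prefix itself, but its parent must already exist
  if [ ! -d "$(dirname "$prefix")" ]; then
    echo "parent directory of install prefix does not exist: $prefix" >&2; rc=1
  fi
  return $rc
}

# check_bro_build_tools: the toolchain ./configure and make will need.
check_bro_build_tools() {
  rc=0
  for tool in cmake make gcc g++; do
    command -v "$tool" >/dev/null 2>&1 || { echo "missing build tool: $tool" >&2; rc=1; }
  done
  return $rc
}

# bro_build: run from inside the extracted bro-2.5 source directory.
bro_build() {
  check_bro_build_paths "$PFRING_SRC" "$PFRING_PCAP" "$BRO_PREFIX" || return 1
  check_bro_build_tools || return 1
  ./configure --with-pfring="$PFRING_SRC" --with-pcap="$PFRING_PCAP" --prefix="$BRO_PREFIX" || return 1
  make -j"$(nproc 2>/dev/null || echo 2)" || return 1
  make install   # needs write access to $BRO_PREFIX; run under sudo if the prefix is root-owned
}

# Only build when explicitly asked, so the file can also be sourced for its functions.
if [ "${1:-}" = build ]; then
  bro_build
fi
```

Run it as `sh build-bro.sh build` from the Bro source directory; a failed preflight exits before ./configure touches anything.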
If you have a computer network, then an intrusion detection system (IDS) needs to be part of your cybersecurity strategy. The value of monitoring the traffic on your network far outweighs the cost of a breach. Although most IDS products are commercial, there are a few open-source IDS solutions.
Snort and Suricata are popular open-source signature-based IDS/IPS engines, but they come with drawbacks. For a small network they work well, but for medium or larger networks they can mean more work for less value: out of the box, each sensor runs independently, with no built-in way to share state with other sensors or to be managed centrally. With cyberattacks becoming more sophisticated, a security-conscious organization needs a better solution.
There is a third major player in the open-source IDS space. The Bro Network Security Monitor, originally developed in the academic and research community, is both a network protocol analyzer and a security tool. Its strength is the ability to correlate traffic across multiple Bro sensors on a network and to extend it with custom scripts and plugins. In other words, instead of running multiple independent IDS boxes on your network, you can run a single clustered system that correlates information across the whole network.