Joseph Campbell, an American mythology professor, writer, and lecturer, wrote “Computers are like Old Testament gods; lots of rules and no mercy.” In the security world, signatures would be the rules that computers follow. While signatures can be very useful, they also are very limiting. In a previous post, titled simply “IDS“, we discussed how Intrusion Detection System/Intrusion Prevention System (IDS/IPS) technology is moving away from being solely signature based to a blend of signature based, anomaly detection, and activity based methodologies.

This is not surprising when we examine other areas of security. Liam Tung, writer for ZDnet, has written an article titled, “Signature-based antivirus is dead: Get over it“. In the article, Simon Clausen, founder & CEO at PC Tools, reports that the security industry has been looking beyond blacklists. “I would very much disagree that AV is dead. Really, traditional signature-based AV is going to be dead in a few years, but what every antivirus company is evolving towards, like us, is behavioural AV technology, so AV will be alive.”

Bro is not signature based. Instead, it was developed to be activity based with some support for anomaly detection. From the beginning, Bro has always been focused on connections instead of just packets. The Bro development team continues to advance the software, as demonstrated with the extensive changes in version 1.4. Below are a few of the new features:

• Can import Netflow version 5 data.
• A BitTorrent analyzer is now available.
• The “Bro Lite” configuration is now deprecated and will not in
  general be supported.
• Substantial updates to Broccoli, a Bro client library.
• Extensive changes to allow Bro to process packets captured in the past intermingled with those captured in real-time.
• scan.bro has been heavily modified to better support distributed scan analysis.
• The new policy script targeted-scan.bro looks for repeated access from the same source to the same server, to detect things like SSH password-guessing attacks.
• GeoIP information now includes latitude and longitude.
• ssh.bro now supports the variable skip_processing_after_handshake which directs the event engine to omit any further processing of an SSH connection after its initial handshake.
• Google’s perftools have replaced mpatrol for leak-checking and heap-profiling.

Additional Information

For additional information on Bro, below is a list of a few good site.

• Bro Quick Start Guide – contains info on installing, configuring, and running Bro.
• Bro Wiki – intended for users and developers of Bro.
• The Bro Archives – mailing list archive.
• Emerging Bro – Bro signatures repository.
• The ICSI Networking Group Blog – the Blog for the Network Research at the International Computer Science Institute in Berkeley, CA. These are the folks that develop Bro.
• A Bro Blog – A blog by Seth Hall, a Bro master and contributor.
• C.S.Lee (geek00L) blog When {Puffy} Meets ^RedDevil^ .
• TaoSecurity – Richard Bejtlich has some good posts on Bro.
• Last Bro Workshop Material.

Supporting Software

Bro offers many configuration options, depending on how you will use the software. Below are a few libraries and software packages required by Bro:

Below are a few libraries and software packages that are not required, but you should consider installing. The packages, except GeoIP and Google Perftools, should have binaries available for your OS. Use these ports to install the packages and save yourself the trouble of having to keep the software updated. We will go through through the installation of GeoIP and Google Perftools from source code.

GeoIP Installation and Configuration

MaxMind GeoIP is a collection of APIs for looking up the location of an IP address. There is a collection of free GeoLite databases, which are not as accurate as the GeoIP databases, but will do for starting out and testing with Bro. To setup GeoIP for use with Bro, please follow the commands below.

root# cd /usr/local/src /usr/local/src root# wget \ http://www.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz /usr/local/src root# gunzip GeoLiteCity.dat.gz /usr/local/src root# mkdir -p /usr/local/share/GeoIP /usr/local/src root# mv GeoLiteCity.dat /usr/local/share/GeoIP/GeoIPCity.dat /usr/local/src root# wget \ http://www.maxmind.com/download/geoip/api/c/GeoIP.tar.gz /usr/local/src root# tar xzf GeoIP.tar.gz /usr/local/src root# cd GeoIP-1.4.5 /usr/local/src/GeoIP-1.4.5 root# ./configure /usr/local/src/GeoIP-1.4.5 root# make /usr/local/src/GeoIP-1.4.5 root# make check /usr/local/src/GeoIP-1.4.5 root# make install

Make sure /usr/local/lib is placed into your library path.

Google Perftools Installation and Configuration

Google’s perftools is a collection of a high-performance multi-threaded malloc() implementation and some performance analysis tools. Google’s perftools have replaced mpatrol for leak-checking and heap-profiling. We will compile Bro with –enable-perftools. By default, perftools will install under /usr/local directory. With perftools compiled into Bro, there are two command-line options made available:

To help with the installation of Google’s perftool, the ICSI Networking Group has written a post “Making Sure Your Bro Code Does Not Leak.” The post will provide additional information. The basic steps to install perftools are:

root# cd /usr/local/src /usr/local/src root# wget \ http://google-perftools.googlecode.com/files/google-perftools-0.99.2.tar.gz /usr/local/src root# tar xzf google-perftools-0.99.2.tar.gz /usr/local/src root# cd google-perftools-0.99.2 /usr/local/src/google-perftools-0.99.2 root# ./configure /usr/local/src/google-perftools-0.99.2 root# make /usr/local/src/google-perftools-0.99.2 root# make check /usr/local/src/google-perftools-0.99.2 root# make install /usr/local/src/google-perftools-0.99.2 root# export LDFLAGS=-L/usr/local/lib /usr/local/src/google-perftools-0.99.2 root# export CFLAGS=-I/usr/local/include /usr/local/src/google-perftools-0.99.2 root# export CPPFLAGS=-I/usr/local/include /usr/local/src/google-perftools-0.99.2 root# export LD_LIBRARY_PATH=/usr/local/lib

XML Analyzer

The XML analyzer is highly-experimental code written by Tobias Kiesling. Installation of Xerces-C++ and XQilla is required to use the XML analyzer. The code allows you to be able to easily adjust analysis capabilities to specific XML data formats. Xerces-C++ is a validating XML parser written in a portable subset of C++. XQilla is an XQuery and XPath 2 library and command line utility written in C++.

root# cd /usr/local/src /usr/local/src root# wget \ http://downloads.sourceforge.net/xqilla/XQilla-2.1.3.tar.gz /usr/local/src root# wget \ http://mirror.its.uidaho.edu/pub/apache/xerces/c/2/sources/xerces-c-src_2_8_0.tar.gz /usr/local/src root# md5sum xerces-c-src_2_8_0.tar.gz 5daf514b73f3e0de9e3fce704387c0d2 xerces-c-src_2_8_0.tar.gz /usr/local/src root# tar xzf xerces-c-src_2_8_0.tar.gz /usr/local/src root# tar xzf XQilla-2.1.3.tar.gz /usr/local/src root# ln -s XQilla-2.1.3 xqilla /usr/local/src root# cd xerces-c-src_2_8_0 /usr/local/src/xerces-c-src_2_8_0 root# patch -p1 < ../xqilla/src/xercesc_content_type.patch /usr/local/src/xerces-c-src_2_8_0 root# patch -p1 <../xqilla/src/xercesc_regex.patch /usr/local/src/xerces-c-src_2_8_0 root# export XERCESCROOT=`pwd` /usr/local/src/xerces-c-src_2_8_0 root# cd src/xercesc

FreeBSD 7 users will encounter a problem when trying the run the runConfigure command. The error “C compiler cannot create executables ” will be produced. The problem is on line 358 of runConfigure. The libc_r library cannot be found since it has been deprecated on FreeBSD since version 5.X and removed from version 7.0. Edit runConfigure to not include “-lc_r” in the list of threading libraries. Then issue the command:

/usr/local/src/xerces-c-src_2_8_0/src/xercesc root# runConfigure \ -pfreebsd -cgcc -xg++ -minmem -nsocket -tIconvFBSD -rpthread -s /usr/local/src/xerces-c-src_2_8_0/src/xercesc root# gmake /usr/local/src/xerces-c-src_2_8_0/src/xercesc root# gmake install

An easier option is to install xerces and xqilla through the FreeBSD port command:

root # cd /usr/ports/textproc/xqilla /usr/ports/textproc/xqilla root # make install clean

Other operating systems, such as Linux, do not require any special steps. You just need to run the commands:

/usr/local/src/xerces-c-src_2_8_0/src/xercesc root# runConfigure -plinux /usr/local/src/xerces-c-src_2_8_0/src/xercesc root# make /usr/local/src/xerces-c-src_2_8_0/src/xercesc root# make install

With Xerces-C++, configure and install XQilla.

/usr/local/src/xerces-c-src_2_8_0/src/xercesc root# cd /usr/local/src/xqilla/ /usr/local/src/xqilla root# ./configure --with-xerces=`pwd`/../xerces-c-src_2_8_0/ /usr/local/src/xqilla root# make /usr/local/src/xqilla root# make install

Bro Installation and Configuration

There a few options when installing Bro. Bro was not developed for the PHB. Advance security software provides the power to the user, with all the options to adapt it to your environment. To quote the Bro site, “Bro has been developed primarily as a research platform for intrusion detection and traffic analysis. It is not intended for someone seeking an ‘out of the box’ solution. Bro is designed for use by Unix experts who place a premium on the ability to extend an intrusion detection system with new functionality as needed, which can greatly aid with tracking evolving attacker techniques as well as inevitable changes to a site’s environment and security policy requirements.” With the Unix experts in mind, we will go through the steps involved to install both the stable and the development versions of Bro.

Current Stable Version

The current version should be the most stable. To install, follow these commands:

root# cd /usr/local/src /usr/local/src root# wget ftp://bro-ids.org/bro-1.4-release.tar.gz /usr/local/src root# tar xzf bro-1.4-release.tar.gz /usr/local/src root# cd bro-1.4

The configuration and installations appears below.

Subversion Trunk

Reading the posts on the Bro mailing list, reveals that modifications have already been made to the current release. Fixes are being made continuously. These changes, while fixing problems, might introduce new problems. You do have the option of getting the most up-to-date code possible through the subversion repository. The Bro development team has made available two subparts of the repository: the trunk and development branches. The trunk is the main development head from which releases are made on a regular basis. It should be fairly stable with changes passing a regression suite to ensure the code do not break existing functionality. It is still considered experimental and not suitable for critical deployment. Below is how to download code from the trunk.

root# cd /usr/local/src /usr/local/src root# mkdir bro-cvs /usr/local/src/bro-cvs root# cd bro-cvs /usr/local/src/bro-cvs root# svn checkout http://svn.icir.org/bro/trunk/bro /usr/local/src/bro-cvs root# mv bro bro-1.4.cvs /usr/local/src/bro-cvs root# cd bro-1.4.cvs /usr/local/src/bro-cvs/bro-1.4.cvs root# ./autogen.sh

Robin’s Development Branch

The developers merge their work into the the Bro subversion trunk. Robin Sommer has a separate branch which contains experimental code for:

• the Bro Cluster framework
• NetFlow support (by Bernhard Ager)
• a BitTorrent analyzer (by Nadi Sarrar and Bernhard Ager)
• an XML analyzer (by Tobias Kiesling)
• Python bindings for Broccoli
• restructured logic for taking drop decisions via Bro’s notice framework (by Brian Tierney and Robin Sommer)
• a test-suite for Bro’s communication & serialization subsystems
• various tweaks and bugfixes

If you want the latest work done by Robin and others mentioned above, you can get access to the code with the following commands.

root# cd /usr/local/src /usr/local/src root# mkdir bro-cvs /usr/local/src root# cd bro-cvs /usr/local/src/bro-cvs root# svn checkout http://svn.icir.org/bro/branches/robin/work /usr/local/src/bro-cvs root# mv work bro-1.4.robin /usr/local/src/bro-cvs root# cd bro-1.4.robin /usr/local/src/bro-cvs/bro-1.4.robin root# ./autogen.sh

Configure and Install

Because of the various bug fixes and the additional features which add interesting options, we are going to step through installation of Robin’s branch. Please use the version of Bro appropriate for your operation.

root# cd /usr/local/src/bro-cvs/bro-1.4.robin /usr/local/src/bro-cvs/bro-1.4.robin root# ./configure --enable-debug \ --enable-perftools --prefix=/usr/local/bro --with-xqilla /usr/local/src/bro-cvs/bro-1.4.robin root# make /usr/local/src/bro-cvs/bro-1.4.robin root# make check /usr/local/src/bro-cvs/bro-1.4.robin root# make install

If you run into any problems, go to back to the stable version of Bro and see if you can get it to compile. Then you may want to try the subversion trunk code.

Final Words

We have taken the first step and now have Bro installed. Installation is only the beginning. In an upcoming post, we will walk through configuring Bro and examining a simple policy. We will send some attacks against Bro, and see what kind of results are produced. Having completed the first step of installing Bro, we can move on and have some fun. As Humphrey Bogart put it in his famous last line from Casablanca, “Louis, I think this is the beginning of a beautiful friendship.”