Hi folks, today I want to introduce Bro, a great IDS: maybe not as famous as Snort, but very useful too.
Bro is an open-source, Unix-based Network Intrusion Detection System (NIDS) that passively monitors network traffic and looks for suspicious activity. Bro detects intrusions by first parsing network traffic to extract its application-level semantics and then executing event-oriented analyzers that compare the activity with patterns deemed troublesome. Its analysis includes detection of specific attacks (including those defined by signatures, but also those defined in terms of events) and unusual activities (e.g., certain hosts connecting to certain services, or patterns of failed connection attempts).

Bro uses a specialized policy language that allows a site to tailor Bro's operation, both as site policies evolve and as new attacks are discovered. If Bro detects something of interest, it can be instructed to generate a log entry, alert the operator in real time, or execute an operating system command (e.g., to terminate a connection or block a malicious host on the fly). In addition, Bro's detailed log files can be particularly useful for forensics.

Bro targets high-speed (Gbps), high-volume intrusion detection. By judiciously leveraging packet-filtering techniques, Bro is able to achieve the necessary performance while running on commercially available PC hardware, and thus can serve as a cost-effective means of monitoring a site's Internet connection.
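To make the "event-oriented analyzers" and "policy language" concrete, here is a small Bro policy script that watches for one of the unusual activities mentioned above, a pattern of failed connection attempts, and reports a source host once it crosses a threshold. This is an added example written for this post, not code shipped with Bro or taken from the original article; it assumes the scripting syntax of the Bro 2.x releases (the post does not say which version it installs), and the module name, the variable names and the threshold of 20 are all my own choices.

```bro
##! Constructed example: count rejected connection attempts per originating
##! host and report each host once it crosses a configurable threshold.
##! Assumes Bro 2.x script syntax; names and threshold are the example's own.

module FailedConn;

export {
    ## How many rejected attempts from one host before we report it.
    ## &redef lets a site override this from its local policy.
    const threshold = 20 &redef;
}

# Per-source counter. Entries expire 10 minutes after they are created,
# so a slow trickle of rejections does not accumulate forever.
global attempts: table[addr] of count &default=0 &create_expire=10 min;

# Hosts already reported, so each one is printed once per expiry window.
global reported: set[addr] &create_expire=10 min;

# Bro raises connection_rejected when the responder answers a SYN with RST,
# i.e. the originator tried a service that was not listening.
event connection_rejected(c: connection)
    {
    local src = c$id$orig_h;
    ++attempts[src];

    if ( attempts[src] >= threshold && src !in reported )
        {
        add reported[src];
        print fmt("%s: %d rejected connection attempts from %s (last target %s:%s)",
                  strftime("%Y-%m-%d %H:%M:%S", network_time()),
                  attempts[src], src, c$id$resp_h, c$id$resp_p);
        }
    }
```

Running bro with this script loaded (for example, bro -i en0 failedconn.bro, with the interface name and file name being placeholders) prints a line the first time any host accumulates 20 rejected attempts within the 10-minute window. The print statement is the simplest form of the "generate a log entry" action described above; a site policy could replace it with an alert to the operator or an external command, as the text notes, without changing the detection logic.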
Sponsored by the National Science Foundation, it is one of the most used IDSs in public companies. Let's start by installing it on a new Intel Mac.
As with a lot of source packages, the first step is running the ./configure script, which reports that everything looks fine.
I really want to use libgeoip and libmagic, so I install them through MacPorts by typing sudo port install libgeoip libmagic. I run ./configure again, and this time it is able to use libmagic and libgeoip too. After that, as usual, make and make install, and Bro should be installed (you will probably need some other packages, also available through port). If you want to speed up the process, try the make install-brolite command. The build can take quite a while; it depends on your machine's speed, but it usually takes a few minutes to compile and install (especially on a laptop).

Running bro directly from the install path /usr/local/bro/ works great! What you need then is a good configuration, which can be found in this little guide. What you get is a really easy-to-install and lightweight IDS.

Now, which is the best solution? Honestly, I have no idea, but I'd be happy to hear from you about the main differences between Bro and the Snort IDS. Which IDS do you suggest, and why? Both are pretty easy to install; at first sight Snort may be more difficult to set up, and a good configuration takes more human time, but I won't write more about which is the best in terms of installation, human time, speed, false-positive rate and false-negative rate. I'd appreciate hearing some of your experiences.