Update of "dvessey-bro-analysis-howto"

Overview

Artifact ID: 65a86c7b18b9e6ce6e6ae426a29ddf701bbea589
Page Name:dvessey-bro-analysis-howto
Date: 2010-12-08 16:12:19
Original User: david
Parent: aa64d573b34679bbfc7d4dd956078937e41dee97 (diff)
Content
  • Download and install Fossil SCM
Once it's installed, open the NSM file into a new local directory:
fossil open ../fossil_files/filename.fossil
  • Compile customized bro
A customized version of Bro 1.5.1 is used. The primary difference is the addition of an entropy function; at this point it only works to get 1g entropy, though.
  • Ensure that run_bro.sh is changed to reflect your environment.
Comments in the script should tell you what to change. I've found that because of the processing bro is doing, it will easily kill 8GB of RAM when processing 10-15GB PCAP files if it's only running two concurrent processes.
  • Execute run_bro.sh
Wait... output status is given via 'pv'; however, if multiple processes are running and writing to the screen, they will routinely overwrite each other.
  • Load mysql schema
user@linux$ mysql -u USERNAME DATABASE_NAME < dv-tables.sql
  • Edit loading script to point at proper output location
  • Run MySQL loading script
user@linux$ mysql -u USERNAME -p DATABASE_NAME < load-dv.sql
  • Find bad stuff
Everything else is pretty much left to you: run SQL queries on the data.
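The run_bro.sh step above has two practical problems: memory use grows with the number of concurrent Bro processes, and when several processes print 'pv' status to the same terminal the lines overwrite each other. The helper below is an added example, not the page's run_bro.sh, showing one way to bound concurrency and give every Bro process its own log files. The variable names (PCAP_DIR, LOG_DIR, MAX_JOBS, BRO_CMD), the defaults, and the 'bro -r' invocation are assumptions; adjust them to your environment.

```shell
#!/bin/sh
# Added example (not the page's run_bro.sh): drive a Bro run over a
# directory of PCAPs with a bounded number of concurrent processes, and
# give every process its own log files so concurrent status output does
# not clobber the terminal.
#
# Assumptions (hypothetical, adjust to your environment):
#   PCAP_DIR  directory holding *.pcap files        (default ./pcaps)
#   LOG_DIR   where per-file logs are written        (default ./logs)
#   MAX_JOBS  how many Bro processes run at once     (default 2)
#   BRO_CMD   command prefix given the pcap path     (default "bro -r")

PCAP_DIR="${PCAP_DIR:-./pcaps}"
LOG_DIR="${LOG_DIR:-./logs}"
MAX_JOBS="${MAX_JOBS:-2}"
BRO_CMD="${BRO_CMD:-bro -r}"

# Run one PCAP. stdout, stderr (where pv prints its progress) and the
# exit status each land in their own file named after the capture, so
# nothing from concurrent runs is written to the terminal.
run_one() {
    pcap="$1"
    name=$(basename "$pcap" .pcap)
    if $BRO_CMD "$pcap" >"$LOG_DIR/$name.out" 2>"$LOG_DIR/$name.err"; then
        rc=0
    else
        rc=$?
    fi
    echo "$rc" >"$LOG_DIR/$name.rc"
}

# Process every PCAP in PCAP_DIR in batches of MAX_JOBS. A plain 'wait'
# between batches keeps this POSIX sh (no 'wait -n'), at the cost of
# idling until the slowest job in a batch finishes.
run_all() {
    mkdir -p "$LOG_DIR"
    running=0
    for f in "$PCAP_DIR"/*.pcap; do
        [ -e "$f" ] || continue
        run_one "$f" &
        running=$((running + 1))
        if [ "$running" -ge "$MAX_JOBS" ]; then
            wait
            running=0
        fi
    done
    wait
}

# Count captures whose Bro process exited non-zero, from the .rc files.
# Check this before loading results into MySQL, so a run that died
# (e.g. out of memory) is not mistaken for a capture with no events.
failed_runs() {
    n=0
    for rc in "$LOG_DIR"/*.rc; do
        [ -e "$rc" ] || continue
        [ "$(cat "$rc")" -eq 0 ] || n=$((n + 1))
    done
    echo "$n"
}

# Usage: PCAP_DIR=/data/pcaps LOG_DIR=/data/logs sh run_pcaps.sh run
if [ "${1:-}" = "run" ]; then
    run_all
    printf 'failed runs: %s\n' "$(failed_runs)"
fi
```

Keeping MAX_JOBS at 2 matches the observation above about RAM use on 10-15GB captures; raise it only after checking the .rc files show clean exits, since an out-of-memory kill surfaces there rather than on the screen.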