D 2010-12-08T16:12:19
L dvessey-bro-analysis-howto
P aa64d573b34679bbfc7d4dd956078937e41dee97
U david
W 1604
<table border="1">

<tr>
 <td>
  *  Download and install Fossil SCM</td>
 <td>Once it's installed, open the NSM file into a new local directory:
<verbatim>
fossil open ../fossil_files/filename.fossil
</verbatim>
</td>
</tr>

<tr>
 <td>
  *  Compile customized bro</td>
 <td>A customized version of Bro 1.5.1 is used. The primary difference is the addition of an entropy function. Only works to get 1g entropy at this point though.</td>
</tr>

<tr>
 <td>
  *  Ensure that run_bro.sh is changed to reflect your environment. 
 </td>
 <td>
Comments in the script should tell you what to change. I've found that because of the processing bro is doing, it will easily kill 8GB of RAM when processing 10-15GB PCAP files if it's only running two concurrent processes.
 </td>
</tr>

<tr>
 <td>
  *  Execute run_bro.sh
 </td>
 <td>
Wait... output status if given via 'pv', however if multiple processes are running and outputting the screen, they will routinely overwrite each other
 </td>
</tr>

<tr>
 <td>
  *  Load mysql schema
 </td>
 <td>
<verbatim>
user@linux$ mysql -u USERNAME DATABASE_NAME < dv-tables.sql
</verbatim>
 </td>
</tr>

<tr>
 <td>
  *  Edit loading script to point at proper output location
 </td>
 <td>
 </td>
</tr>

<tr>
 <td>
  *  Run MySQL loading script
 </td>
 <td>
<verbatim>
user@linux$ mysql -u USERNAME -p DATABASE_NAME < load-dv.sql
</verbatim>
 </td>
</tr>

<tr>
 <td>
  *  Find bad stuff
 </td>
 <td>
Everything else is pretty much left to you to run SQL queries on the data
 </td>
</tr>



</table>


Z 063edba04e374fe3ac44c7f5d4ba6ac6