Tuesday, February 17, 2009

Bro Intrusion Detection System.

Hi folks, today I wanna introduce BRO a great IDS, maybe not such famous as SNORT but very useful too . 
Bro is an open-source, Unix-based Network Intrusion Detection System (NIDS) that passively monitors network traffic and looks for suspicious activity. Bro detects intrusions by first parsing network traffic to extract its application-level semantics and then executing event-oriented analyzers that compare the activity with patterns deemed troublesome. Its analysis includes detection of specific attacks (including those defined by signatures, but also those defined in terms of events) and unusual activities (e.g., certain hosts connecting to certain services, or patterns of failed connection attempts).

Bro uses a specialized policy language that allows a site to tailor Bro's operation, both as site policies evolve and as new attacks are discovered. If Bro detects something of interest, it can be instructed to either generate a log entry, alert the operator in real-time, execute an operating system command (e.g., to terminate a connection or block a malicious host on-the-fly). In addition, Bro's detailed log files can be particularly useful for forensics.

Bro targets high-speed (Gbps), high-volume intrusion detection. By judiciously leveraging packet-filtering techniques, Bro is able to achieve the necessary performance while running on commercially available PC hardware, and thus can serve as a cost-effective means of monitoring a site's Internet connection.

Sponsored by National Science Foundation it's one of the most used IDS in the public companies. Let's start to install in a new intel MAC.  
Like a lot of sources the first step is running the ./configure 's script which says that everything looks great.

I really wanna use libgeoip and libmagic so I decide to install them through port by typing sudo port install libgeoip libmagic .  I try again with ./configure and at this time I'm able to use libmagic and libgeoip to .  After that, as usual, make and make install and the Bro IDS should be installed (actually you probably need some other packets also available in port). If you wanna speed up the process you probably want to try the make install-brolite command.  This process could be quite long, of course it depends on you machine's speed but usually takes some minutes to be compiled and installed (especially on laptop). Running bro directly from installed path /usr/local/bro/ it will run great ! What you need is a good configuration which might be found in this little guide. What you see is a really easy to install and light IDS. Now, what is the best solution, actually I have no idea, BUT I'll be happy to read something from you guys about the main differences between Bro and snort DS. Which IDS you suggest ?..Why ? Both are pretty easy to install, at first sight maybe snort is too much difficult to setup and if you wanna a great configuration it takes more human time, but I wont write more about which is the best; in terms of installation, human time, speed, false positives percentage and false negatives percentage. I appreciate some of your experiences.


Anonymous said...

I found this site using [url=http://google.com]google.com[/url] And i want to thank you for your work. You have done really very good site. Great work, great site! Thank you!

Sorry for offtopic

Marco Ramilli said...

Thank you very much Anonymous.
I appreciated you comment.
I have lots of visits (something like 350 per day) but none let comments (and none clicks on Adv :) :), so thank you !

Anonymous said...

Who knows where to download XRumer 5.0 Palladium?
Help, please. All recommend this program to effectively advertise on the Internet, this is the best program!

Anonymous said...

Can anyone recommend the top Managed Service program for a small IT service company like mine? Does anyone use Kaseya.com or GFI.com? How do they compare to these guys I found recently: N-able N-central remote management
? What is your best take in cost vs performance among those three? I need a good advice please... Thanks in advance!

Anonymous said...

10mg premarin Canadian selsun Without prescription shallaki Low price zithromax Pharmacy aceon Side-effects diabecon

Anonymous said...

[url=http://www.nust.org.uk/twitter/]Cheap Viagra Usa[/url]

Unknown said...

Nice information, many thanks to the author. It is incomprehensible to me now, but in general, the usefulness and significance is overwhelming. Thanks again and good luck!

Intrusion Detection