网络安全 频道

Bro NIDS的安装与配置

在回答完一些问题以后,脚本会以 bro.cfg.example 为模板在当前目录下生成 bro.cfg 文件,这个就是我们会用到的配置文件,将此文件复制到 $BROHOME/etc 目录下(默认情况下就是 /usr/local/bro/etc ),以后我们可能还要修改它。

[root@redhat7 scripts]# cp bro.cfg /usr/local/bro/etc/

复制scripts目录下的 bro.rc 及 bro.rc-hooks.sh 脚本到 $BROHOME/etc 目录:
[root@redhat7 scripts]# cp bro.rc /usr/local/bro/etc/
[root@redhat7 scripts]# cp bro.rc-hooks.sh /usr/local/bro/etc/

复制scripts目录下的 local.lite.bro 策略脚本到 $BROHOME/policy 目录:
[root@redhat7 scripts]# cp local.lite.bro /usr/local/bro/policy/

转到 $BROHOME/etc 目录,给 bro.rc 脚本加上执行位,以后Bro的启动和停止都可以由此脚本来控制:

[root@redhat7 scripts]# cd /usr/local/bro/etc
[root@redhat7 etc]# chmod +x bro.rc

一般来说,脚本生成的 bro.cfg 文件大多还是不符合我们的需要,编辑它才能使Bro如我们所愿地那样工作。bro.cfg 其实只是定义了一些环境变量,通过这些环境变量向 bro.rc 脚本传递参数,bro.rc 根据参数构造出执行 bro 程序的命令行,最终运行 bro 程序。bro.cfg 文件的内容如下,对比较重要的参数加了注释,用户可以根据自己的需要修改:

---------------------------------- 8< -------------------------------------
# Bro工具的主目录
BROHOME=/usr/local/bro
export BROHOME

# Hostname to add into log filenames and reports
BRO_HOSTNAME=Redhat7
# FQDN format
# BRO_HOSTNAME=RedHat7

# Bro软件的可执行文件目录
BRO_BIN_DIR="/usr/local/bro/bin"

# 日志目录
BROLOGS="/usr/local/bro/logs"
export BROLOGS

# 归档目录
BRO_LOG_ARCHIVE="/usr/local/bro/archive"

# 策略脚本的搜索路径
BROPATH="/usr/local/bro/policy:/usr/local/bro/site:/usr/local/bro/policy/rules"
export BROPATH

# Bro初始启动的策略脚本文件,必须在BROPATH搜索路径中,一般情况下可以用 brolite.bro 脚本
# brolite.bro 会加载其他大多数常用的策略脚本,注意,这种配置下,Bro不支持规则匹配。要使
# Bro按规则文件中的定义执行匹配,应该指定为 local.lite.bro ,具体的配置下面有介绍。
BRO_START_POLICY="brolite.bro"

# 自定义规则及策略脚本的存储目录
BROSITE="/usr/local/bro/site"
export BROSITE

# 以BRO_PREFIX开头的脚本文件都会被加载
# BRO_PREFIX="local"

# Bro主程序的存放位置
BRO="/usr/local/bro/bin/bro"

# 没发现下面这个环境变量被引用过,也就是说这个选项在当前的Bro版本中无用
BRO_ADD_OPTS=" -W"

# 附加的Bro主程序的运行参数标记,可以在此增加其他Bro主程序所支持的命令行参数
BRO_OPTS=" -W"

# 监听的网络接口名,多个接口用空格隔开
BRO_CAPTURE_INTERFACE="eth0"
# Multiple interface should be specified as a space delimited list.
# Examples:
#   CAPTURE_INTERFACE="sk0 sk1 sk5"
#   CAPTURE_INTERFACE="eth0 eth3"
#   CAPTURE_INTERFACE="eth0"

# 是否生成抓包文件
BRO_CREATE_TRACE_FILE=NO

# How long to wait during checkpointing after startin a new Bro process and stopping the old one (in seconds).
BRO_CHECKPOINT_OVERLAP_TIME=20

# Base directory where reports will be stored
BRO_REPORT_DIR="/usr/local/bro/reports"
export BRO_REPORT_DIR

# Starting time for a report run (0001 is 12:01 am and 1201 is 12:01pm)
BRO_REPORT_START_TIME=0000

# How often (in hours) to generate an activity report
BRO_REPORT_INTERVAL=24

# This is the how often to rotate the logs (in hours)
BRO_LOG_ROTATE_INTERVAL=24

# 以小时计的重新读取配置文件的时间间隔
BRO_CHECKPOINT_INTERVAL=24

# The maximum time allowed for a Bro process to cleanup and exit (in seconds).
BRO_MAX_SHUTDOWN_TIME=7200    # 2 hours

# Use this to enable the init script to autorestart Bro in the event of an unexpected shutdown (YES/NO)
BRO_ENABLE_AUTORESTART="YES"

# A value less than 1 means there will be no limit to the number of restarts
# Maximum times to try to auto-restart Bro before giving up.
BRO_MAX_RESTART_ATTEMPTS="-1"

# This is normally /var/run/bro and contains the pidfile and other temporal data.
# Location of the run-time directory.
BRO_RUNTIME_DIR="/usr/local/bro/var"

# Email address for local reports to be mailed to
BRO_EMAIL_LOCAL="NO"

# Email address to send from
BRO_EMAIL_FROM="bro@localhost"

# Do you want to send external reports to a incident reporting org (e.g.: CERT, CIAC, etc)
BRO_EMAIL_EXTERNAL="NO"
export BRO_EMAIL_EXTERNAL

# Email address for remote reports to be mailed to
BRO_EMAIL_REMOTE="BRO-IDS@bro-ids.org"

# User id to install and run Bro under
BRO_USER_ID="root"

# Site name for reports (i.e. LBNL, FOO.COM, BAZ.ORG)
BRO_SITE_NAME="SOMESITE"
export BRO_SITE_NAME

# Do you want to encrypt email reports (YES/NO)
BRO_ENCRYPT_EMAIL="NO"

# Location of GPG binary for encrypting email

BRO_GPG_BIN="/usr/local/bin/gpg"

# Default BPF buffer
BRO_BPF_BUFSIZE=4194304

# Do BPF bonding
BRO_BPFBOND_ENABLE="NO"

# Interfaces to bond
BRO_BPFBOND_FLAGS="em0 em1"

# diskspace management settings
# Should I manage diskspace
BRO_DISKSPACE_ENABLE="YES"

# percent full to worry about
BRO_DISKSPACE_PCT=90

# account watching disk space
BRO_DISKSPACE_WATCHER="root"

# days before deleting old logs
BRO_DAYS_2_DELETION=45

# days before compressing logs
BRO_DAYS_2_COMPRESSION=20

# Bulk data capture settings
# Buld data directory
BRO_BULK_DIR="/usr/local/bro/bulk-trace"

# Capture filter for bulk data
BRO_BULK_CAPTURE_FILTER=""

# days before deleting bulk data
BRO_BULK_DAYS_2_DELETION=4

# days before compressing bulk data
BRO_BULK_DAYS_2_COMPRESSION=2

# location of sorted log files, needed by Brooery
BROOERY_LOGS="/usr/local/bro/sorted-logs"
---------------------------------- 8< -------------------------------------

配置完成以后,使用 bro.rc 脚本启动:

[root@redhat7 etc]# ./bro.rc start
bro.rc: Running as non-root user root
bro.rc: Starting ............. SUCCESS

Bro就此开始监听网卡,执行脚本进行检测,在 $BROHOME/logs 目录下可以看到生成的日志文件,ps 可以看到进程。

“bro.rc checkpoint”命令重载配置文件:
[root@redhat7 etc]# ./bro.rc checkpoint
bro.rc: Running as non-root user root
bro.rc: Beginning the checkpoint process
bro.rc: Starting a new Bro instance.
bro.rc: Will wait for 20 seconds before stopping the old Bro instance.

“bro.rc stop”命令终止Bro:
[root@redhat7 etc]# ./bro.rc stop
bro.rc: Running as non-root user root
bro.rc: Stopping ... SUCCESS !


规则配置
--------

从检测的实现方式上来说,Bro与商业的NIDS产品NFR非常相似,采用专用的脚本对网络流量进行分析,因此具有几乎无限的灵活性,当然代价是脚本维护的复杂性。为了能快速地扩展检测能力、方便管理,检测一些简单的单包攻击,Bro 0.8及以后版本引入了规则匹配机制,与Snort类似,Bro可以支持一些包特征的定义,对符合定义的报文触发告警。规则定义存放在规则文件中,Bro可以被配置成读取规则文件中的规则,对网络报文进行匹配。

要使能Bro的规则匹配特性,修改 bro.cfg 文件,指定 BRO_START_POLICY 变量的值为 local.lite.bro ,同时对此脚本做些修改,默认的 local.lite.bro 脚本内容如下:

---------------------------------- 8< -------------------------------------
# $Id: local.lite.bro,v 1.7 2005/03/20 06:51:11 vern Exp $

# This file is intended for host-specific Bro policy.

# What is host-specific?  It can be anything that is not the default
# after installation.  This is the place to make tweaks and changes
# to modify policy to suit your network environment and preferences.

# The following causes Bro to load local.XXX.bro anytime you
# "@load XXX" (along with first loading XXX.bro).
#
@prefixes = local

@load brolite # root policy which loads all other default policies.

# File generated by the network script for dynamic configuration of
# the local network subnets.
@load site


# Make any changes to policy starting HERE:

# To run signatures, uncomment the following line.
# @load brolite-sigs

@ifdef ( use_signatures )
        # Load Bro signatures.  This is the default file containing Bro
        # signatures.
        redef signature_files += "signatures";
@endif
---------------------------------- 8< -------------------------------------

默认的 local.lite.bro 脚本加载了 brolite.bro,也就是说会启动大多数Bro工具自带的检测脚本,但没有打开规则匹配支持,要使能规则匹配:

1. 去掉 “# @load brolite-sigs” 行的注释
2. 修改倒数第二行 “redef signature_files += "signatures";”,指定规则文件。规则文件必须在BROPATH指定的搜索路径中,文件名必须以“.sig”结尾,local.lite.bro 中默认指定为“signatures”,它指的是 $BROHOME/site 目录中默认安装的 signature.sig 文件,此文件中的大多数攻击特征定义转换自Snort的规则。用户可以指定自己规则文件,要增加规则文件,只需增加一行“redef signature_files += another-signature.sig”类似的代码即可。另外一个指定的规则文件的方法是使用“-s”参数,编辑 bro.cfg 文件,在BRO_OPTS环境变量中增加类似“-s another-signature.sig”的选项。

如果用户不想加载使用Bro自带的那些检测脚本,只是让Bro处理规则匹配,那么:

1. 去掉 “# @load brolite-sigs” 行的注释
2. 注释掉“@load brolite”行
3. 在“@load brolite-sigs”行前插入“@load software”

与Snort不同,Bro的规则匹配提供了一些高级特性,在“Bro:一个开放源码的高级NIDS系统”中已有所提及,计划在此系列的下一篇详细介绍Bro的规则。 http://netadmin.77169.com/HTML/20050913003152.html
0
相关文章