Blog

  • Broversity Lesson 5 – Using the Notice Framework

Notice Framework Now let’s look at how to create notices. Notices are Bro’s version of alarms. They write a line to notice.log. If you run Bro out of the box long enough you will start to see things like the following in notice.log: cd /usr/local/bro/logs/current/…

  • The BrOSI Model

    Hello everybody! Broversity Lesson 5 (using the Notice Framework) is just around the corner, but in the meantime, as we all prepare for Shmoocon Labs – here’s a quick overview of all the parts that get put together to make up Bro. At BSides DC,…

  • Broversity Lesson 4 – Bro Control Structures Part II

GitHub: I’ve added all the above scripts under Lesson 4 on GitHub here: https://github.com/punkrokk/bro-lessons In our last lesson, we talked about “If Then Else” control structures. We are going to talk about For Loops. First – it’s been a while since we first installed Bro from…

  • Running BroNSM on Mavericks OSX 10.9

    I updated to Mavericks the other day. I had a need today to recompile BroNSM (Bro) on Mavericks. After a quick email to the Bro Mailing List – I’m up and running. At the end of this post, I added a link to my instructions…

  • Broversity Lesson 3 – Bro Control Structures Part I

    In Lesson 2, we did a quick overview of the Bro file structure, and we introduced ways to expose network traffic in scriptland. Now it’s time to learn how to take that exposed data and make decisions with it. We are going to use some…

  • Broversity Lesson 2

    Lesson 2 – Basic Bro -r runtime examples and overview of important paths and files In our last lesson, we learned about compiling Bro from source. We also took a quick look at the dns.log and conn.log. Finally, we grepped the logs based on a…

  • Broversity Lesson 1

For our first lesson – we are going to set up Bro in our lab environment and run it quickly on our live network. You will need admin privileges on your VM or Workstation, and below are instructions for compiling Bro on Mac OSX 10.8….

  • Broversity Lesson 0

Welcome to my series of tutorials on how to use the Bro Network Security Monitor (Bro for short). I learned about Bro after being introduced to Doug Burks’ Security Onion NSM Distro by Liam Randall, one of the founders of Broala. As you work your…

  • Changing the IP Address in OSSIM 3.0

    One of the things that in the past I’ve had problems with (especially with Virtual Machines) has been changing the network settings in OSSIM. In version 3.0, my testing so far has done me well. You don’t even have to do any command line fu….

  • Creating a Custom OSSIM 3 policy

    In OSSIM v3, it’s not immediately obvious how to create custom rules/policies if you want to trigger an alert or action based on certain IDS (e.g. OSSIM plugin) criteria. So let’s learn how to create a custom rule! We’ll run through an example of creating…