Installing BRO IDS on Kali Nethunter

What is Bro?
Bro IDS needs no introduction in the infosec world. Bro is an Intrusion Detection System (IDS) used for passive network traffic monitoring, in order to detect intrusions and respond to suspicious activity. Think of Bro as a scripting framework for network traffic analysis that creates a comprehensive record of every connection seen on a network, as well as application-layer data such as requested URIs, HTTP sessions, server responses and MIME types.

So how does bro work?
Bro is divided into two main components, the Event Engine and the Policy Script Interpreter. The event engine translates network traffic into high-level events, while the policy script interpreter executes event handlers written in Bro's own scripting language (not a general-purpose language such as Python, Ruby or Perl). The event handlers in turn update state information, process new events, record information to disk, and generate real-time notifications.
When Bro detects suspicious activity, it will generate a log event, alert the user, and also provide the capability to perform a pre-programmed task, e.g. run commands or execute a custom script to stop, mitigate or block the respective activity. These are a few, among the many capabilities, that really differentiate Bro from other IDS systems. Bro's scripting language is very powerful and relatively easy to learn. The Bro scripting language is out of scope of this blog, so I won't talk about it in this blog post, but if you are interested, you can find additional information and illustrations here. I came across this blog by ryesecurity that does a fantastic job of diving into Bro and its functionality. There is more than enough content there to get any beginner started.

This blog post assumes you already have a device running Kali Nethunter and are familiar with Unix terminal commands. I will not be documenting how to install Kali Nethunter onto Nexus and OnePlus devices as that is out of the scope of this blog.

Now onto the good stuff... We are going to be installing bro from source as opposed to using pre-compiled binary packages. We are doing this because we want the flexibility to customize bro as we wish. 

Update Kali Nethunter
First things first, you need to launch Kali in terminal. Simply open the Kali launcher app, click on the top-right menu button and select Kali launcher. Then click on "Launch Kali Shell in Terminal"

We will use the terminal for entire installation process. This calls for a lot of caution and attentiveness to avoid making errors and messing up the file system.

We will start by preparing Nethunter for the installation. It's good practice to ensure all the packages are updated and upgraded to the most recent version available before beginning the installation.
  • apt-get update
  • apt-get upgrade 
Install Dependencies:
Now we install all of Bro's dependencies to ensure we have a smooth install. Please ensure you have a reliable and stable internet connection for the download.
  • apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev libmagic-dev libgeoip-dev libelf-dev libcurl4-gnutls-dev

Bro makes use of the MaxMind GeoIP database for IP geolocation. First check if the MaxMind GeoIP files already exist in "/usr/share/GeoIP/". If they do, you can skip this step. If not, download the GeoIP files and copy the database files to "/usr/share/GeoIP/". Note that MaxMind has since retired the legacy GeoLite .dat downloads used below, so you may need to obtain the legacy-format files from elsewhere.

Prepare the IPv4 Database:
  • mkdir -p /usr/share/GeoIP/
  • wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
  • gunzip GeoLiteCity.dat.gz
  • cp GeoLiteCity.dat /usr/share/GeoIP/GeoLiteCity.dat
Note: gunzip leaves GeoLiteCity.dat in the current directory; it does not create a GeoLiteCity/ folder, so there is no directory to change into.
Prepare the IPv6 Database:
Now we will set up the IPv6 database to allow lookups of IPv6 addresses.
  • wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCityv6-beta/GeoLiteCityv6.dat.gz
  • gunzip GeoLiteCityv6.dat.gz
  • cp GeoLiteCityv6.dat /usr/share/GeoIP/GeoLiteCityv6.dat
Now we need to create links from the GeoLiteCity.dat and GeoLiteCityv6.dat files to GeoIPCity.dat and GeoIPCityv6.dat respectively, since those are the file names Bro looks for. If we build Bro with libGeoIP installed but fail to link the files, we will get the following type of errors in "/nsm/bro/logs/current/stderr.log":

1392083947.452043 Failed to open GeoIP database: /usr/share/GeoIP/GeoIPCity.dat
1392083947.452043 Fell back to GeoIP Country database
1392083947.452043 Failed to open GeoIP database: /usr/share/GeoIP/GeoIPCityv6.dat

Run the following commands to link the downloaded files:
  • ln -s /usr/share/GeoIP/GeoLiteCity.dat /usr/share/GeoIP/GeoIPCity.dat
  • ln -s /usr/share/GeoIP/GeoLiteCityv6.dat /usr/share/GeoIP/GeoIPCityv6.dat

Download and Installation...
Create the bro directory and download the latest bro version to your device.
  • mkdir -p /nsm/bro
  • wget https://www.bro.org/downloads/release/bro-2.4.tar.gz
Note: Newer versions of Bro are released regularly. Just head over to their release page and download the most recent version available; it is usually in the format bro-2.*.*.tar.gz. Verify the archive's checksum against the one the project publishes before building it. (The project has since been renamed Zeek, so current releases ship as zeek-*.tar.gz from zeek.org; the build steps below are the same.)

Extract the compressed file you have downloaded.
  • tar -zxvf bro-2.4.tar.gz

To build and install from source (for more options, run ./configure --help):
  • cd bro-2.4/
  • ./configure --prefix=/nsm/bro
Configure takes about 10min to run the dependency checks in preparation for the install.

Now lets compile the bro binaries.
  • make

The make process takes about 30min to compile, though that could be because I was running it on my Nexus 5 with tons of apps and some demanding applications running in the background. The duration will vary from device to device.

Now lets take the compiled binaries in the previous step and push them to the respective directories.
  • make install

The make install configuration and setup takes 5min to install and complete on my device.

Configuring Bro...
Now we can set up the final configuration for Bro. First, you may need to adjust your PATH environment variable according to the platform/shell/package you're using. To make the change permanent, append it to ~/.bashrc (or ~/.bash_profile, depending on your shell) in your home directory. Use single quotes so that $PATH is expanded each time the shell starts rather than baked in at the moment you run echo, and make sure the directory matches the --prefix you passed to configure (/nsm/bro here):
  • echo 'export PATH=$PATH:/nsm/bro/bin' >> ~/.bashrc
  • source ~/.bashrc
From this segment onward, we will follow the documentation on the project page. Using your favorite editor modify the following 3 files:
  • $PREFIX/etc/node.cfg -> Configure the network interface to monitor (i.e. interface=eth0)
  • $PREFIX/etc/networks.cfg -> Configure the local networks (i.e. private IP space)
  • $PREFIX/etc/broctl.cfg -> Change the MailTo address and the log rotation
Note: $PREFIX refers to the Bro installation root directory, which is whatever you passed to ./configure --prefix=. From the example above, replace $PREFIX with /nsm/bro (i.e. /nsm/bro/etc/node.cfg).
Now we need to update the node.cfg file with the interface we will be monitoring traffic on. Which interfaces you can monitor depends on your setup and any additional gadgets you may have for capturing traffic. To list the interfaces available on your device, run "ifconfig -a". This is a small outline of the interfaces you will see:
  • lo - Localhost interface
  • sit0 - Point to point tunnel interface (IPv6-in-IPv4)
  • rmnet0 - Mobile data interface (GPRS)
  • p2p0 - Peer to peer communication interface
  • rndis0 - USB tethering interface
  • wlan0 - Internal WiFi interface
  • wlan1 - External WiFi adapter via USB OTG
Editing the config files on Android via the terminal is very messy and annoying. I highly recommend installing Solid Explorer for editing the config files. Solid Explorer comes with its own native root browser and text editor that is very easy to use.

You can edit the node.cfg file accordingly. In my use case, I will use rmnet0 to monitor mobile data and wlan1 for my TP-Link USB WiFi adapter. Assuming your device is configured with the respective network interface as shown above, the next step is to edit "networks.cfg" located in "/nsm/bro/etc/". This file is where you define the local/private networks, one CIDR prefix per line followed by a description. For example, the RFC 1918 private ranges, which is what the networks.cfg shipped with Bro contains by default:
  • 10.0.0.0/8          Private IP space
  • 172.16.0.0/12       Private IP space
  • 192.168.0.0/16      Private IP space
On a side note, the broctl.cfg file is where you configure the recipient address for all emails sent out by Bro and BroControl, the log rotation interval, and other settings.

Starting Bro... Next, we need to launch broctl, which is Bro's control shell. If you did not set the PATH as noted above, you can execute it from the "/nsm/bro/bin/" folder. The first time you run broctl, do not be alarmed when you see the following warning: "warning: cannot read '/nsm/bro/spool/broctl.dat' (this is ok on first run)"

Since this is a new installation we will have to run a set of commands first before Bro starts picking up logs. At the broctl prompt, run check to validate the configuration files, then install, which generates the run-time configuration and prepares Bro for traffic monitoring; you should see Bro go through a small checklist. We will then run start followed by status to verify Bro is running. You can then type exit to leave the control shell.

To ensure Bro always runs on system startup, add the following command to /etc/rc.local. Many rc.local files end with an "exit 0" line; the command must go before it, otherwise it is never reached.
  • echo "/nsm/bro/bin/broctl start" >> /etc/rc.local
Add a cron job which performs maintenance tasks for Bro (such as restarting it if it has crashed and archiving rotated logs) every five minutes:
  • crontab -e
  • 0-59/5 * * * * /nsm/bro/bin/broctl cron
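The rc.local step above has a catch that is easy to miss: appending with ">>" places the line after any trailing "exit 0", where it never runs. The following shell helper, an added example that is not part of the original post or of the Bro project, inserts the command before the last "exit 0" (or appends it if there is none), skips it if it is already present so re-running the setup does not duplicate it, and leaves the file executable. The file path is a parameter so it can be exercised on a scratch copy; that your system actually runs a Debian-style /etc/rc.local at boot is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post or the Bro project.
# Insert a command into an rc.local-style script so that it runs at boot:
# the line goes before the final "exit 0", is added only once, and the
# file is left executable. The path is a parameter so this can run on a copy.

rc_local_add() {  # rc_local_add <rc.local> <command line>
    file=$1
    line=$2
    # Create a minimal rc.local if none exists (assumption: Debian-style file).
    [ -f "$file" ] || printf '#!/bin/sh\nexit 0\n' > "$file"
    # Idempotent: an exact-line match means the command is already there.
    grep -Fqx "$line" "$file" && return 0
    # Line number of the LAST "exit 0"; empty if the file has none.
    n=$(grep -nx 'exit 0' "$file" | tail -n 1 | cut -d: -f1)
    if [ -n "$n" ]; then
        awk -v l="$line" -v n="$n" 'NR == n { print l } { print }' "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s\n' "$line" >> "$file"
    fi
    chmod +x "$file"
}

# Demo on a constructed scratch copy of rc.local.
demo=$(mktemp -d)
printf '#!/bin/sh\n# local boot commands\nexit 0\n' > "$demo/rc.local"
rc_local_add "$demo/rc.local" "/nsm/bro/bin/broctl start"
rc_local_add "$demo/rc.local" "/nsm/bro/bin/broctl start"   # second call is a no-op
cat "$demo/rc.local"
rm -rf "$demo"
```

On the real device you would call rc_local_add /etc/rc.local "/nsm/bro/bin/broctl start" as root; the demo only touches a temporary copy.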
Finalizing the setup...
If all is well you should now see some logs in the following directory "/nsm/bro/spool/bro". At this stage you can tail the conn.log file and observe Bro logs streaming in real time.
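To make sense of what is streaming into conn.log, here is an added example (not from the original post or the Bro project) of summarising it with awk. Bro logs are tab-separated, carry their column names in a "#fields" header line, and use "-" for unset values, so the script resolves columns by name from that header instead of by fixed position and treats "-" as zero. The conn.log excerpt it runs on is constructed for the example and uses a subset of the real columns.

```shell
#!/bin/sh
# Added example, not from the original post or the Bro project.
# Summarise a Bro conn.log per responder endpoint: connection count and
# total bytes (orig_bytes + resp_bytes). Columns are looked up by name
# from the "#fields" header so the script survives column reordering.

conn_summary() {  # conn_summary <conn.log>  -> lines of "resp_h:resp_p/proto count bytes"
    awk -F'\t' '
        # "#fields<TAB>ts<TAB>uid..." : $2 is column 1 of the data rows.
        /^#fields/ { for (i = 2; i <= NF; i++) col[$i] = i - 1; next }
        /^#/ { next }                         # other metadata lines
        {
            key = $col["id.resp_h"] ":" $col["id.resp_p"] "/" $col["proto"]
            n[key]++
            ob = $col["orig_bytes"]; rb = $col["resp_bytes"]
            # "-" marks an unset field (e.g. a half-open S0 connection).
            bytes[key] += (ob == "-" ? 0 : ob) + (rb == "-" ? 0 : rb)
        }
        END { for (k in n) printf "%s %d %d\n", k, n[k], bytes[k] }
    ' "$1" | LC_ALL=C sort
}

# Constructed conn.log excerpt (a subset of Bro 2.4 columns, made-up values).
sample_conn_log() {  # sample_conn_log <path>
    {
        printf '#separator \\x09\n'
        printf '#unset_field\t-\n'
        printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\n'
        printf '1438430400.000000\tCAbc1\t10.0.0.5\t51000\t93.184.216.34\t80\ttcp\thttp\t0.5\t120\t880\tSF\n'
        printf '1438430401.000000\tCAbc2\t10.0.0.5\t51001\t93.184.216.34\t80\ttcp\thttp\t0.4\t100\t400\tSF\n'
        printf '1438430402.000000\tCAbc3\t10.0.0.5\t53000\t8.8.8.8\t53\tudp\tdns\t0.01\t40\t120\tSF\n'
        printf '1438430403.000000\tCAbc4\t10.0.0.5\t51002\t203.0.113.9\t443\ttcp\t-\t-\t-\t-\tS0\n'
    } > "$1"
}

demo=$(mktemp -d)
sample_conn_log "$demo/conn.log"
conn_summary "$demo/conn.log"
rm -rf "$demo"
```

Against a live install you would point conn_summary at /nsm/bro/logs/current/conn.log; because the columns are resolved from the header, the same script works unchanged on logs from other Bro versions that add or reorder fields.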

Congratulations, if all went well you now have Bro-IDS running on your phone or tablet :) You can now analyze your device's traffic for insight into what data goes through your phone.

If you would like to change the interface that Bro is monitoring, there are a few steps you will have to take. First stop Bro, change the interface in node.cfg, and then run broctl deploy for the change to take effect. The sed below is a template: replace rmnet0 and wlan1 with your current and new interface names (a single-quoted '$current_interface/$new_interface' would not be expanded by the shell), and anchor on "interface=" so that no other occurrence of the name in the file is touched.
  • cd /nsm/bro/bin
  • ./broctl stop
  • sed -i -e 's/^interface=rmnet0/interface=wlan1/' /nsm/bro/etc/node.cfg
  • ./broctl deploy
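As an added example covering both the node.cfg/networks.cfg editing described under "Configuring Bro..." and the interface switch just above (it is not code from the original post or from the Bro project), the shell functions below write a standalone node.cfg and a networks.cfg, and change the monitored interface by rewriting only the "interface=" line after checking that the interface actually exists. The standalone node layout and the use of /sys/class/net to validate interface names are assumptions; the demo runs on a scratch directory with a fake /sys/class/net so it can be tried anywhere.

```shell
#!/bin/sh
# Added example, not from the original post or the Bro project.
# Helpers for a standalone Bro node's node.cfg and networks.cfg, plus a safe
# interface switch. Assumptions: standalone layout, interface names checked
# against /sys/class/net (override SYSNET for testing).

write_node_cfg() {  # write_node_cfg <node.cfg> <iface>
    printf '[bro]\ntype=standalone\nhost=localhost\ninterface=%s\n' "$2" > "$1"
}

current_interface() {  # current_interface <node.cfg>  -> prints the configured interface
    sed -n 's/^interface=//p' "$1"
}

set_bro_interface() {  # set_bro_interface <node.cfg> <iface>
    cfg=$1
    iface=$2
    sysnet=${SYSNET:-/sys/class/net}
    # Refuse names the kernel does not know; broctl would otherwise fail at start.
    if [ ! -e "$sysnet/$iface" ]; then
        echo "set_bro_interface: no such interface: $iface" >&2
        return 1
    fi
    # Anchor on the key so a name that also appears elsewhere is left alone.
    sed "s|^interface=.*|interface=$iface|" "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

write_networks_cfg() {  # write_networks_cfg <networks.cfg> <cidr> <description> [<cidr> <description> ...]
    cfg=$1
    shift
    : > "$cfg"
    while [ $# -ge 2 ]; do
        # networks.cfg lists prefixes; insist on an explicit /length so a bare
        # host address is not silently written as a "network".
        case $1 in
            */*) ;;
            *) echo "write_networks_cfg: not a CIDR prefix: $1" >&2; return 1 ;;
        esac
        printf '%-20s %s\n' "$1" "$2" >> "$cfg"
        shift 2
    done
}

# Demo on a scratch directory with a fake /sys/class/net (constructed).
demo=$(mktemp -d)
mkdir -p "$demo/net/rmnet0" "$demo/net/wlan1"
SYSNET=$demo/net
write_node_cfg "$demo/node.cfg" rmnet0
write_networks_cfg "$demo/networks.cfg" \
    10.0.0.0/8 "Private IP space" 172.16.0.0/12 "Private IP space" 192.168.0.0/16 "Private IP space"
set_bro_interface "$demo/node.cfg" wlan1
echo "monitoring: $(current_interface "$demo/node.cfg")"   # wlan1
rm -rf "$demo"
```

On the device, the interface switch becomes ./broctl stop, then set_bro_interface /nsm/bro/etc/node.cfg wlan1 (which refuses a typo such as wlan9 before anything is written), then ./broctl deploy.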
My good friend CK was instrumental in the Bro setup and testing on the devices we had our hands on. He also went ahead and did an awesome blog post here and here on network analysis using bro running in Kali Nethunter. Be sure to follow him on twitter for updates on his blog.
In the next blog, I will focus on the various log data that Bro produces as well as how to visualize the data you will be collecting.

After playing around with Bro, I decided to script the Bro installation process to make it easier to install and to update the interfaces you are monitoring. You can download them here. The scripts should run in the Kali Nethunter environment. Simply download them to the sdcard, enter the Kali terminal, copy the file to the current directory, extract the zip file and run the respective script.


InfoSec skills and competences

This is a follow-up post on the one I did here on how to get started in infosec. This blog post will focus on the skills and competences required in the InfoSec profession. What I document is not the gospel truth but rather some pieces of wisdom I have picked up along the way alongside some observations and lessons I have learnt.

As InfoSec is a technical field, a basic understanding of key IT concepts is critical, e.g. networking, programming, scripting, virtualization, operating systems and computer architecture. These are not technical skills you can survive without. I have seen one too many individuals purporting to be InfoSec professionals and experts overnight with little or no evidence to support their career. This is basically due to the fact that we live in a country where anyone with an opinion automatically becomes the subject matter expert. Mostly, this is the reason why we have so many Wikipedia experts in Kenya today. I challenge you to look for the number of information security professionals in Kenya on LinkedIn. They are quite a number. It will make you wonder what value they are adding towards growing InfoSec in the country, more so in the banking sector. Anyway, this is a rant for another blog post :D

Some common misconceptions about this field are that it is difficult to get into, that you have to be super technical and know your way around every single piece of technology, among others. This in fact is quite false. All you need to become an ethical hacker is passion, patience, the ability to think critically, the ability to learn on your own, the ability to use Google effectively (btw this is not a joke, a lot of people do not know how to use Google in their problem-solving process), a knack for research and of course the stereotypical ability to stay up for long hours, preferably at night, tinkering away.

Infosec as a profession is quite challenging and not for the faint hearted. It is not for those looking for a 9-5 kind of job. It is not for those who do not enjoy intellectual challenges and lack interest in research. It requires passion, commitment and drive in order to make strides in the profession.

All the above are quite easy to achieve, as long as you have a positive attitude and you apply the tips given above. Be sure to brush up on your hands-on skills and you will be well on your way to becoming a skilled ethical hacker.

Getting Started in InfoSec!

The first time I heard about infosec was on campus when they introduced the course on Digital Forensics and Cyber Crime at USIU. The description I was given was that the classes involve hacking, so I enrolled for it. To be honest, I thought hacking was really cool :D

What I really enjoy about infosec is how it challenges your intellect. It shapes your thought process and gives you quite a unique perspective of technology, a mindset that you can only gain via experience in the field and interacting with other knowledgeable and seasoned infosec professionals. Infosec and IT are two very different fields yet quite related. In infosec you are taught how to break, while in IT you are taught to make. Infosec makes you very paranoid by nature and trust does not come easy, especially when you understand the capabilities of the people around you and how malware works. So how does someone get started in this profession and become an ethical hacker? Well, this simple diagram illustrates just that.

Like any other technical field, be prepared to make mistakes and learn from them as quickly as possible. Be prepared to accidentally screw up production servers, delete key databases and the occasional self infection when analysing malware for the first few times. Be prepared to face challenges you will have no idea how to fix at first. At the end of the day, this career is really AWESOME. ( • _ •) ( • _ •)>⌐■-■ (⌐■_■)


~# whoami

I am a Digital Forensics and Incident Response (DFIR) analyst by profession. I started off in the field of Network Security Monitoring, which by natural progression morphed into data analysis and analytics. It is during this transition that I discovered botnets and malware, and was quickly fascinated by their capabilities and complexity. I developed a keen interest in PC malware analysis and forensics, then soon found myself diving into mobile malware and Human Interface Device (HID) hacking.

This blog is simply an online repository for my thoughts, interactions and the projects I have been working on, and a place to share the ideas and insight I gather in this field. The blog also hosts resources that I have accumulated over time that I find very handy in my research, for reference purposes and day-to-day activities. The resources are as listed below with their location on Google Drive.
The material above has been downloaded from various websites all over the internet, some of which I cannot trace back to the original authors. However, I would like to give credit to the authors of this excellent material and give the disclaimer that I do not own it but simply aggregate it for ease of access to whoever might have an interest in it.

I trust you will find the information on this blog useful and possibly ignite a conversation on matters cyber security, present an opportunity to share ideas and collaborate on various projects.

You can follow me on twitter at @xtian_kisutsa or email me at shadowinfosec<@>gmail.com for any follow ups on my blogs post or any inquiries.

 Happy Reading :)

~# exit
~$ exit