Installing BRO IDS on Kali Nethunter

Tuesday, December 15, 2015

What is Bro?
Bro IDS needs no introduction in the infosec world. Bro is an Intrusion Detection System (IDS) used for passive network traffic monitoring, in order to detect intrusions and mitigate suspicious activity. Think of Bro as a scripting framework for network traffic analysis that creates a comprehensive record of every connection seen on a network, as well as application-layer data such as requested URIs, HTTP sessions, server responses and MIME types.

So how does bro work?
Bro is divided into two main components: the Event Engine and the Policy Script Interpreter. The event engine translates network traffic into high-level events, while the policy script interpreter interprets event handlers that have been written in a specific language, e.g. Python, Ruby or Perl. The event handlers in turn update state information, process new events, record information to disk and generate real-time notifications.
When Bro detects suspicious activity, it will generate a log event, alert the user, and also provide the capability to perform a pre-programmed task, e.g. run commands or execute a custom script to stop, mitigate or block the respective activity. These are a few among the many capabilities that really differentiate Bro from other IDS systems. Bro's scripting language is very powerful and relatively easy to learn. The Bro scripting language is out of scope for this blog post, so I won't cover it here, but if you are interested you can find additional information and illustrations here. I came across this blog by ryesecurity that does a fantastic job of diving into Bro and its functionality. There is more than enough content there to get any beginner started.

This blog post assumes you already have a device running Kali Nethunter and are familiar with Unix terminal commands. I will not be documenting how to install Kali Nethunter onto Nexus and OnePlus devices, as that is out of the scope of this blog.

Now onto the good stuff... We are going to be installing bro from source as opposed to using pre-compiled binary packages. We are doing this because we want the flexibility to customize bro as we wish. 

Update Kali Nethunter
First things first, you need to launch Kali in a terminal. Simply open the Kali launcher app, click on the top-right menu button and select Kali launcher. Then click on "Launch Kali Shell in Terminal".

We will use the terminal for the entire installation process. This calls for a lot of caution and attentiveness to avoid making errors and messing up the file system.

We will start by preparing Nethunter for the installation. It's good practice to ensure all the packages are updated and upgraded to the most recent version available before beginning the installation.
  • apt-get update
  • apt-get upgrade 
Install Dependencies:
Now we install all of Bro's dependencies to ensure we have a smooth install. Please ensure you have a reliable and stable internet connection for the downloads.
  • apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev libmagic-dev libgeoip-dev libelf-dev libcurl4-gnutls-dev

Bro makes use of the MaxMind GeoIP database for IP geolocation. First check whether the MaxMind GeoIP files already exist in "/usr/share/GeoIP/". If they do, you can skip this step. If not, download the GeoIP files and copy the database files to the "/usr/share/GeoIP/" directory.

Prepare the IPv4 Database:
  • mkdir -p /usr/share/GeoIP/
  • wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
  • gunzip GeoLiteCity.dat.gz
  • cp GeoLiteCity.dat /usr/share/GeoIP/GeoLiteCity.dat
Prepare the IPv6 Database:
Now we will set up the IPv6 database to allow lookups of IPv6 addresses. Note that gunzip writes the .dat file into the current directory; there is no subdirectory to change into.
  • wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCityv6-beta/GeoLiteCityv6.dat.gz
  • gunzip GeoLiteCityv6.dat.gz
  • cp GeoLiteCityv6.dat /usr/share/GeoIP/GeoLiteCityv6.dat
Now we need to create links from the GeoLiteCity.dat and GeoLiteCityv6.dat files to GeoIPCity.dat and GeoIPCityv6.dat respectively. If we build Bro with libGeoIP installed but fail to link the files, we will get the following type of errors in "/nsm/bro/logs/current/stderr.log":

1392083947.452043 Failed to open GeoIP database: /usr/share/GeoIP/GeoIPCity.dat
1392083947.452043 Fell back to GeoIP Country database
1392083947.452043 Failed to open GeoIP database: /usr/share/GeoIP/GeoIPCityv6.dat

Run the following commands to link the downloaded files:
ln -s /usr/share/GeoIP/GeoLiteCity.dat /usr/share/GeoIP/GeoIPCity.dat
ln -s /usr/share/GeoIP/GeoLiteCityv6.dat /usr/share/GeoIP/GeoIPCityv6.dat
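The check and the two links above, as an added shell example that is not part of the original post. It takes the GeoIP directory as a parameter so it can be tried on a scratch directory first; the file and link names are the ones used above, and the function names are my own.

```shell
#!/bin/sh
# Added example: make sure the GeoLite databases Bro expects are present and
# linked under the names libGeoIP opens (GeoIPCity.dat / GeoIPCityv6.dat).
# The directory defaults to Bro's lookup path, /usr/share/GeoIP.

# link_geoip_db <dir> <downloaded .dat> <name libGeoIP opens>
# Creates <dir>/<name> -> <dir>/<downloaded .dat> if the download exists and
# the link is missing. Returns non-zero when the database itself is absent,
# which is the case that produces "Failed to open GeoIP database" at runtime.
link_geoip_db() {
    dir="$1"; src="$2"; want="$3"
    if [ ! -f "$dir/$src" ]; then
        echo "missing $dir/$src: download and gunzip it first" >&2
        return 1
    fi
    if [ -e "$dir/$want" ]; then
        echo "ok: $dir/$want already present"
        return 0
    fi
    ln -s "$dir/$src" "$dir/$want" && echo "linked $dir/$want -> $dir/$src"
}

# prepare_geoip [dir]: check both databases and report each one.
# Returns the number of databases that could not be linked (0 = all good).
prepare_geoip() {
    geodir="${1:-/usr/share/GeoIP}"
    failures=0
    mkdir -p "$geodir"
    link_geoip_db "$geodir" GeoLiteCity.dat GeoIPCity.dat || failures=$((failures + 1))
    link_geoip_db "$geodir" GeoLiteCityv6.dat GeoIPCityv6.dat || failures=$((failures + 1))
    return "$failures"
}
```

Run `prepare_geoip` with no argument on the device to check the real directory; a non-zero return tells you which download is still missing before you build Bro.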

Download and Installation...
Create the bro directory and download the latest bro version to your device.
  • mkdir -p /nsm/bro
  • wget https://www.bro.org/downloads/release/bro-2.4.tar.gz
Note: Newer versions of bro will be released regularly. Just head over to their release page and download the most recent version available. It is usually in the format bro-2.*.*.tar.gz


Extract the compressed file you have downloaded.
  • tar -zxvf bro-2.4.tar.gz

Build and install from source (for more options, run ./configure --help):
  • cd bro-2.4/
  • ./configure --prefix=/nsm/bro
Configure takes about 10 minutes to run the dependency checks in preparation for the install.

Now let's compile the Bro binaries.
  • make

The make process takes about 30 minutes to compile, though that could be because I was running it on my Nexus 5 with tons of apps and some demanding applications running in the background. The duration may vary from device to device.

Now let's take the binaries compiled in the previous step and push them to their respective directories.
  • make install

The make install step takes about 5 minutes to complete on my device.

Configuring Bro...
Now we can set up the final configuration for Bro. First, you may need to adjust your PATH environment variable according to the platform/shell/package you're using. You can also add the PATH to your ~/.bash_profile or ~/.bashrc file in your home directory to make the change permanent. Note the single quotes: they keep $PATH from being expanded at the time you run echo, so the file gets the literal export line.
  • echo 'export PATH=$PATH:/nsm/bro/bin' >> ~/.bash_profile
  • echo 'export PATH=$PATH:/nsm/bro/bin' >> ~/.bashrc
  • source ~/.bashrc
From this segment onward, we will follow the documentation on the project page. Using your favorite editor modify the following 3 files:
  • $PREFIX/etc/node.cfg -> Configure the network interface to monitor (i.e. interface=eth0)
  • $PREFIX/etc/networks.cfg -> Configure the local networks (i.e. 10.0.0.0/8 Private IP space )
  • $PREFIX/etc/broctl.cfg -> Change the MailTo address and the log rotation
Note: $PREFIX is used to reference the Bro-IDS installation root directory, which is whatever you passed to ./configure --prefix=. From the example above, replace $PREFIX with /nsm/bro (i.e. /nsm/bro/etc/node.cfg).
Now we need to update the node.cfg file with the interface we will be monitoring traffic on. Some of the interfaces you can monitor are as follows, depending on your setup and the additional gadgets you may have for monitoring traffic. To check the interfaces available on your device, just run the "ifconfig -a" command. This is a small outline of the interfaces you will see.
  • lo - Localhost interface
  • sit0 - Point to point tunnel interface (IPv6-in-IPv4)
  • rmnet0 - Mobile data interface (GPRS)
  • p2p0 - Peer to peer communication interface
  • rndis0 - USB tethering interface
  • wlan0 - Internal WiFi interface
  • wlan1 - External WiFi adapter via USB OTG
Editing the config files on Android via the terminal is very messy and annoying. I highly recommend installing Solid Explorer for editing the config files. Solid Explorer comes with its own native root browser and text editor that is very easy to use.

You can edit the node.cfg file accordingly. In my use case, I will use rmnet0 to monitor mobile data and wlan1 for my TP-Link USB WiFi adapter. Assuming your device is configured with the respective network interface as shown above, the next step is to edit "networks.cfg", located in "/nsm/bro/etc/". This file is where you define the local/private networks. For example:
  • 10.0.0.0/8 Private IP space
  • 192.168.0.0/16 Private IP space
On a side note, the broctl.cfg file is where you can configure the recipient address for all emails sent out by Bro and BroControl, and the log rotation intervals, among other features.

Starting Bro...
Next, we need to launch broctl, which is Bro's control panel. If you did not set the PATH as noted above, you can execute the command from the "/nsm/bro/bin/" folder. The first time you run broctl, do not be alarmed when you see the following prompt: "warning: cannot read '/nsm/bro/spool/broctl.dat' (this is ok on first run)"

Since this is a new installation, we will have to run a set of commands before Bro starts picking up logs. The first command is install, which will ensure all the Bro configurations are accurate and prepare Bro for traffic monitoring. You should see Bro go through a small checklist. We will then run start, followed by status to verify Bro-IDS is running. You can then type exit to leave the control panel.

To ensure Bro always runs at system startup, add the following line to /etc/rc.local:
  • echo "/nsm/bro/bin/broctl start" >> /etc/rc.local
Add a cron job which performs maintenance tasks for bro.
  • crontab -e
  • 0-59/5 * * * * /nsm/bro/bin/broctl cron
Finalizing the setup...
If all is well you should now see some logs in the following directory "/nsm/bro/spool/bro". At this stage you can tail the conn.log file and observe Bro logs streaming in real time.


Congratulations, if all went well you now have Bro-IDS running on your phone or tablet :) You can now analyze your device's traffic for insight into what data goes through your phone.


If you would like to alter the interface that Bro is monitoring, there are a few steps you will have to take. First you stop Bro, change the interface, and then run broctl deploy for the change to take effect. In the sed command, $current_interface and $new_interface are placeholders for the old and new interface names (e.g. wlan0 and wlan1); the double quotes are needed so the shell expands them.
  • cd /nsm/bro/bin
  • ./broctl stop
  • sed -i -e "s/^interface=$current_interface/interface=$new_interface/" /nsm/bro/etc/node.cfg
  • ./broctl deploy
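The node.cfg edit from the configuration section and the interface change just above, as one added shell example that is not part of the original post. It checks that the new interface actually exists on the device before rewriting the file, keeps a backup, and verifies the result; node.cfg's path and the interface names are from the post, the function names and the SYSFS_NET override are my own.

```shell
#!/bin/sh
# Added example: switch the interface Bro monitors in node.cfg safely.
# SYSFS_NET can be pointed at a scratch directory for testing; on a real
# device it is /sys/class/net, which lists the same interfaces as "ifconfig -a".

# iface_exists <name>: true if the kernel knows an interface by that name.
iface_exists() {
    [ -d "${SYSFS_NET:-/sys/class/net}/$1" ]
}

# current_bro_interface [node.cfg]: prints the interface currently configured.
current_bro_interface() {
    sed -n 's/^interface=//p' "${1:-/nsm/bro/etc/node.cfg}" | head -n 1
}

# set_bro_interface <new iface> [node.cfg]
# Rewrites the "interface=" line to the new name, keeping a .bak copy.
# Returns 1 if the interface is unknown to the kernel, 2 if node.cfg has
# no interface line to change, and non-zero if the rewrite did not take.
set_bro_interface() {
    new="$1"; cfg="${2:-/nsm/bro/etc/node.cfg}"
    if ! iface_exists "$new"; then
        echo "no such interface: $new (check ifconfig -a)" >&2
        return 1
    fi
    if ! grep -q '^interface=' "$cfg"; then
        echo "no interface= line in $cfg" >&2
        return 2
    fi
    cp "$cfg" "$cfg.bak"
    # Anchoring on the key means a name that also appears elsewhere in the
    # file (a comment, a host name) is left alone, unlike a bare s/old/new/g.
    sed -i -e "s/^interface=.*/interface=$new/" "$cfg"
    grep -q "^interface=$new\$" "$cfg"
}
```

Run `./broctl stop` before calling set_bro_interface and `./broctl deploy` after it, exactly as in the steps above; the .bak file lets you restore the previous interface if deploy fails.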
My good friend CK was instrumental in the Bro setup and testing on the devices we had our hands on. He also went ahead and did an awesome blog post here and here on network analysis using bro running in Kali Nethunter. Be sure to follow him on twitter for updates on his blog.
In the next blog post, I will focus on the various log data that Bro produces, as well as how to visualize the data you will be collecting.

Update:
After playing around with Bro, I decided to script the Bro installation process to make it easier to install and to update the interfaces you are monitoring. You can download the scripts here. They should run in the Kali Nethunter environment. Simply download them to the sdcard, enter the Kali terminal, copy the file to the current directory, extract the zip file and run the respective script.