Introduction: Bro is an open-source network analysis framework focused on network security monitoring. It is the result of 15 years of research and is widely used by universities, research laboratories, supercomputing centers and many open-science communities. It is developed mainly by the International Computer Science Institute in Berkeley and the National Center for Supercomputing Applications at the University of Illinois at Urbana-Champaign.

A powerful network analysis tool: installing Bro on Ubuntu 16.04
Bro's features include:

  • Bro's scripting language supports site-specific monitoring policies
  • It targets high-performance networks
  • Its analyzers support many protocols and enable high-level semantic analysis at the application layer
  • It keeps extensive application-layer statistics about the network it monitors
  • Bro can exchange information with other applications in real time through its interfaces
  • Its logs record everything comprehensively and provide a high-level archive of network activity

This tutorial shows how to build Bro from source and install it on an Ubuntu 16.04 server.

Prerequisites

Bro has a number of dependencies:

  • Libpcap (http://www.tcpdump.org)
  • OpenSSL libraries (http://www.openssl.org)
  • BIND8 library
  • Libz
  • Bash (required by BroControl)
  • Python 2.6+ (required by BroControl)

Building from source additionally requires:

  • CMake 2.8+
  • Make
  • GCC 4.8+ or Clang 3.3+
  • SWIG
  • GNU Bison
  • Flex
  • Libpcap headers
  • OpenSSL headers
  • zlib headers

Getting started

First, install all the required dependencies by running:

# apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev

Installing the GeoIP database for IP geolocation

Bro uses GeoIP for geolocation. Install both the IPv4 and IPv6 versions:

$ wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
$ wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCityv6-beta/GeoLiteCityv6.dat.gz

Decompress both archives:

$ gzip -d GeoLiteCity.dat.gz
$ gzip -d GeoLiteCityv6.dat.gz

Move the decompressed files into the /usr/share/GeoIP directory:

# mv GeoLiteCity.dat /usr/share/GeoIP/GeoIPCity.dat
# mv GeoLiteCityv6.dat /usr/share/GeoIP/GeoIPCityv6.dat

Bro can now be built from source.

Building Bro

The latest Bro development version is available from the git repository. Run:

$ git clone --recursive git://git.bro.org/bro

Change into the cloned directory and build Bro with these simple commands:

$ cd bro
$ ./configure
$ make

The make command takes some time to build everything; the exact time depends on the server's performance.
The configure script also accepts options that control which dependencies are built in, in particular the --with-* options.

Installing Bro

In the cloned bro directory, run:

# make install

The default installation path is /usr/local/bro.

Configuring Bro

Bro's configuration files are located in the /usr/local/bro/etc directory. There are three files:

  • node.cfg, which configures the node (or nodes) to monitor.
  • broctl.cfg, the BroControl configuration file.
  • networks.cfg, which contains a list of networks in CIDR notation.

Configuring mail settings

Open the broctl.cfg configuration file:

# $EDITOR /usr/local/bro/etc/broctl.cfg

Look at the Mail Options section and edit the MailTo line as follows:

# Recipient address for emails sent out by Bro and BroControl
MailTo = admin@example.com

Save and close. There are many other options, but in most cases the defaults are good enough.

Choosing the node to monitor

Out of the box, Bro is configured to run in standalone mode. In this tutorial we are doing a standalone installation, so nothing needs to change. Still, have a look at the node.cfg configuration file:

# $EDITOR /usr/local/bro/etc/node.cfg

In the [bro] section you should see something like this:

[bro]
type=standalone
host=localhost
interface=eth0

Make sure that interface matches the public-facing interface of your Ubuntu 16.04 server.
Save and exit.

Configuring the monitored node's networks

The last file to edit is networks.cfg. Open it in a text editor:

# $EDITOR /usr/local/bro/etc/networks.cfg

By default you should see the following:

# List of local networks in CIDR notation, optionally followed by a
# descriptive tag.
# For example, "10.0.0.0/8" or "fe80::/64" are valid prefixes.

10.0.0.0/8 Private IP space
172.16.0.0/12 Private IP space
192.168.0.0/16 Private IP space

Delete these three entries (they are only an example of how to use this file) and enter your server's public and private IP space in the following format:

X.X.X.X/X Public IP space
X.X.X.X/X Private IP space

Save and exit.
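As an added example that is not part of the original tutorial, a POSIX shell pre-flight check that validates the CIDR prefixes in networks.cfg before BroControl is started, since BroControl uses this file to tell local from remote traffic. The sample file contents and the function names (valid_ipv4_cidr, valid_ipv6_cidr, check_networks_cfg) are constructed here.

```shell
#!/bin/sh
# Pre-flight check for networks.cfg: every non-comment line must start with
# a CIDR prefix, optionally followed by a descriptive tag.
# Constructed sample file with two deliberately malformed entries.
SAMPLE_NETWORKS_CFG="$(mktemp)"
trap 'rm -f "$SAMPLE_NETWORKS_CFG"' EXIT
cat > "$SAMPLE_NETWORKS_CFG" <<'EOF'
# List of local networks in CIDR notation, optionally followed by a
# descriptive tag.
203.0.113.0/24    Public IP space
10.0.0.0/8        Private IP space
10.0.0.0/33       bad: prefix length above 32
192.168.1.256/24  bad: octet above 255
fe80::/64         link-local
EOF

# valid_ipv4_cidr A.B.C.D/N: 0 when all four octets are 0-255 and N is 0-32.
valid_ipv4_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}
    plen=${1#*/}
    case "$plen" in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    oldifs=$IFS
    IFS=.
    set -- $addr            # split the address on dots
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# valid_ipv6_cidr ADDR/N: light check, hex digits and colons only, N is 0-128.
valid_ipv6_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}
    plen=${1#*/}
    case "$plen" in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 128 ] || return 1
    case "$addr" in
        ''|*[!0-9A-Fa-f:]*) return 1 ;;
        *:*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_networks_cfg FILE: prints each malformed entry and returns their
# count (0 means the file is clean). Blank lines and '#' comments are skipped.
check_networks_cfg() {
    file=$1
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|\#*) continue ;; esac
        set -- $line        # first field is the prefix, the rest is the tag
        if valid_ipv4_cidr "$1" || valid_ipv6_cidr "$1"; then
            continue
        fi
        echo "invalid entry: $line"
        bad=$((bad + 1))
    done < "$file"
    return "$bad"
}

check_networks_cfg "$SAMPLE_NETWORKS_CFG" || echo "$? invalid entries found"
```

Point check_networks_cfg at /usr/local/bro/etc/networks.cfg to check a real configuration before running broctl.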

Managing the Bro installation with BroControl

Bro is managed with BroControl, which works both as an interactive shell and as a command-line tool. Start the shell:

# /usr/local/bro/bin/broctl

To use it as a command-line tool, just pass arguments to the previous command, for example:

# /usr/local/bro/bin/broctl status

This checks Bro's status and shows output like the following:

Name Type Host Status Pid Started
bro standalone localhost running 6807 20 Jul 12:30:50

Conclusion

This was a tutorial on installing Bro. We used a source-based installation because it is the most efficient way to get the latest available version, but the network analysis framework can also be downloaded as pre-built binary packages.
See you next time!

