Security Onion Blog

Thursday, February 21, 2013

Seth Hall's Bro Module for APT1 Detection

Seth Hall wrote a great Bro module based on the recent Mandiant APT1 report.  Here are some quick instructions for loading the module on a Security Onion sensor.

UPDATE 2013/12/11 - These scripts are for Bro 2.1 only.  We've released Bro 2.2 and included an updated version of the APT1 scripts written for Bro 2.2.  Please see:
http://blog.securityonion.net/2013/12/bro-22-and-elsa-15-packages-now.html

sudo apt-get install -y git
cd /opt/bro/share/bro/site/
sudo git clone git://github.com/sethhall/bro-apt1.git apt1
echo "@load apt1" | sudo tee -a local.bro
sudo broctl install && sudo broctl restart

at
Labels: , , ,

1 comment:

DetroitDave said...

While sitting in Doug's Awesome beta SecurityOnion course, I was trying to follow the instructions he posted here. Unfortunately, I have come to the conclusion that the firewall I am behind is blocking my connection...

So, if you get stuck like me:
sudo git https://github.com/sethhall/bro-apt1.git apt1

which uses the HTTPS proto instead of git.

August 1, 2013 at 2:08 PM

Post a Comment

Subscribe to: Post Comments (Atom)

Search This Blog

Featured Post

Did You Know Security Onion Scales to the Enterprise?

Did you know Security Onion scales to the enterprise? Security Onion is designed to scale from simple standalone deployments all the way up ...

Popular Posts

Blog Archive