Thursday, February 21, 2013

Seth Hall's Bro Module for APT1 Detection

Seth Hall wrote a great Bro module based on the recent Mandiant APT1 report.  Here are some quick instructions for loading the module on a Security Onion sensor.

UPDATE 2013/12/11 - These scripts are for Bro 2.1 only.  We've released Bro 2.2 and included an updated version of the APT1 scripts written for Bro 2.2.  Please see:
http://blog.securityonion.net/2013/12/bro-22-and-elsa-15-packages-now.html

sudo apt-get install -y git
cd /opt/bro/share/bro/site/
sudo git clone git://github.com/sethhall/bro-apt1.git apt1
echo "@load apt1" | sudo tee -a local.bro
sudo broctl install && sudo broctl restart
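The one-liner above appends "@load apt1" to local.bro every time it is run, so repeating the procedure (for example after a failed clone, as in the comment below) stacks duplicate @load lines. The script below is an added example, not code from the original post or from Seth Hall's repository: it wraps the same steps so they can be re-run safely, adding the @load line only if it is not already present and skipping the clone when the apt1 directory already exists. The BRO_SITE variable, the ensure_load/count_load/install_apt1 function names and the default /opt/bro/share/bro/site path are assumptions for a Security Onion sensor running Bro 2.1; run it with sudo, or as root, and pass "install" to perform the actual install.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent version of the
# APT1 module install for a Security Onion sensor running Bro 2.1.
# BRO_SITE and the function names are assumptions for illustration.

# ensure_load FILE NAME -- append "@load NAME" to FILE unless an active
# (non-commented) "@load NAME" line is already there.
ensure_load() {
    file="$1"
    name="$2"
    [ -f "$file" ] || touch "$file"
    # Match only a real @load line: optional leading whitespace, the exact
    # script name, optional trailing whitespace. A commented-out copy
    # ("#@load apt1") does not count as loaded.
    if grep -Eq "^[[:space:]]*@load[[:space:]]+${name}[[:space:]]*$" "$file"; then
        echo "already loaded: $name"
        return 0
    fi
    printf '@load %s\n' "$name" >> "$file"
    echo "enabled: $name"
}

# count_load FILE NAME -- number of active "@load NAME" lines in FILE
# (prints 0 rather than failing when there are none).
count_load() {
    grep -Ec "^[[:space:]]*@load[[:space:]]+$2[[:space:]]*$" "$1" || true
}

# install_apt1 -- clone the module (HTTPS, which also works behind
# proxies that block git://), enable it once, and redeploy Bro.
install_apt1() {
    site="${BRO_SITE:-/opt/bro/share/bro/site}"   # assumed Bro 2.1 site dir
    if [ ! -d "$site/apt1" ]; then
        git clone https://github.com/sethhall/bro-apt1.git "$site/apt1"
    fi
    ensure_load "$site/local.bro" apt1
    broctl install && broctl restart
}

# Only touch the live system when explicitly asked.
if [ "${1:-}" = "install" ]; then
    install_apt1
fi
```

Run it as "sudo sh enable-apt1.sh install"; a second run reports "already loaded: apt1" and leaves local.bro unchanged, which is the check the original commands lack.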

1 comment:

DetroitDave said...

While sitting in Doug's Awesome beta SecurityOnion course, I was trying to follow the instructions he posted here. Unfortunately, I have come to the conclusion that the firewall I am behind is blocking my connection...

So, if you get stuck like me:
sudo git clone https://github.com/sethhall/bro-apt1.git apt1

which uses the HTTPS proto instead of git.
