Thursday, February 21, 2013

Seth Hall's Bro Module for APT1 Detection

Seth Hall wrote a great Bro module based on the recent Mandiant APT1 report.  Here are some quick instructions for loading the module on a Security Onion sensor.

UPDATE 2013/12/11 - These scripts are for Bro 2.1 only.  We've released Bro 2.2 and included an updated version of the APT1 scripts written for Bro 2.2.  Please see:
http://blog.securityonion.net/2013/12/bro-22-and-elsa-15-packages-now.html

sudo apt-get install -y git
cd /opt/bro/share/bro/site/
sudo git clone git://github.com/sethhall/bro-apt1.git apt1
echo "@load apt1" | sudo tee -a local.bro
sudo broctl install && sudo broctl restart
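As an added example (not part of the original post or of Seth Hall's module), here is a small POSIX shell script that makes the steps above safe to re-run: it appends `@load apt1` only when the line is missing, so running the install twice does not load the module twice, and it falls back to the HTTPS clone URL when the git:// protocol is blocked by an egress firewall. The function names and the parameters are my own; the paths default to the Security Onion locations used above.

```shell
#!/bin/sh
# Added example: idempotent installer for the bro-apt1 module on a
# Security Onion sensor (Bro 2.1). Paths are parameters so the helpers can
# be exercised against a temporary directory without touching /opt/bro.

# Append "@load MODULE" to local.bro only if that exact line is not already
# present. The original "tee -a" appends unconditionally on every run.
ensure_load_line() {
    local_bro="$1"
    module="$2"
    [ -f "$local_bro" ] || : > "$local_bro"
    if grep -qx "@load $module" "$local_bro"; then
        return 0            # already loaded, nothing to do
    fi
    echo "@load $module" >> "$local_bro"
}

# Count exact "@load MODULE" lines in a file (used to verify idempotence).
count_load_lines() {
    grep -cx "@load $2" "$1" 2>/dev/null || true
}

# Clone the module, trying git:// first and falling back to HTTPS when
# TCP/9418 is blocked (the problem DetroitDave hit in the comment below).
clone_module() {
    dest="$1"
    if [ -d "$dest/.git" ]; then
        echo "module already cloned at $dest"
        return 0
    fi
    git clone git://github.com/sethhall/bro-apt1.git "$dest" 2>/dev/null \
        || git clone https://github.com/sethhall/bro-apt1.git "$dest"
}

# Full install; run as root on the sensor, e.g. "sudo sh install-apt1.sh".
# Only runs when explicitly called, so sourcing this file is side-effect free.
install_apt1() {
    site="${1:-/opt/bro/share/bro/site}"
    clone_module "$site/apt1"
    ensure_load_line "$site/local.bro" apt1
    broctl install && broctl restart
}
```

Call `install_apt1` (optionally with a different site directory) to perform the install; the helper functions can be tested on a scratch file first.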

1 comment:

DetroitDave said...

While sitting in Doug's Awesome beta SecurityOnion course, I was trying to follow the instructions he posted here. Unfortunately, I have come to the conclusion that the firewall I am behind is blocking my connection...

So, if you get stuck like me:
sudo git clone https://github.com/sethhall/bro-apt1.git apt1

which uses the HTTPS proto instead of git.
