Thursday, February 21, 2013

Seth Hall's Bro Module for APT1 Detection

Seth Hall wrote a great Bro module based on the recent Mandiant APT1 report.  Here are some quick instructions for loading the module on a Security Onion sensor.

UPDATE 2013/12/11 - These scripts are for Bro 2.1 only.  We've released Bro 2.2 and included an updated version of the APT1 scripts written for Bro 2.2.  Please see:

sudo apt-get install -y git
cd /opt/bro/share/bro/site/
sudo git clone git:// apt1
echo "@load apt1" | sudo tee -a local.bro
sudo broctl install && sudo broctl restart

1 comment:

DetroitDave said...

While sitting in Doug's Awesome beta SecurityOnion course, I was trying to follow the instructions he posted here. Unfortunately, I have come to the conclusion that the firewall I am behind is blocking my connection...

So, if you get stuck like me:
sudo git apt1

which uses the HTTPS proto instead of git.

Search This Blog

Featured Post

Quick Malware Analysis: WORD MACRO --> SSLOAD --> COBALT STRIKE pcap from 2024-04-18

Thanks to Brad Duncan for sharing this pcap from 2024-04-18 on his malware traffic analysis site! Due to issues with Google flagging a warni...

Popular Posts

Blog Archive