Thursday, February 21, 2013

Seth Hall's Bro Module for APT1 Detection

Seth Hall wrote a great Bro module based on the recent Mandiant APT1 report.  Here are some quick instructions for loading the module on a Security Onion sensor.

UPDATE 2013/12/11 - These scripts are for Bro 2.1 only.  We've released Bro 2.2 and included an updated version of the APT1 scripts written for Bro 2.2.  Please see:
http://blog.securityonion.net/2013/12/bro-22-and-elsa-15-packages-now.html

sudo apt-get install -y git
cd /opt/bro/share/bro/site/
sudo git clone git://github.com/sethhall/bro-apt1.git apt1
echo "@load apt1" | sudo tee -a local.bro
sudo broctl install && sudo broctl restart

1 comment:

  1. While sitting in Doug's Awesome beta SecurityOnion course, I was trying to follow the instructions he posted here. Unfortunately, I have come to the conclusion that the firewall I am behind is blocking my connection...

    So, if you get stuck like me:
    sudo git https://github.com/sethhall/bro-apt1.git apt1

    which uses the HTTPS proto instead of git.

    ReplyDelete

Note: Only a member of this blog may post a comment.