For the past few weeks, I’ve been working at installing Bro IDS onto a Raspberry Pi 3. This is for a project I’ve been thinking about for a while and if successful, I will submit to several cons. But in the meantime, I want to document what I’ve done both for myself and anyone who may be interested.
I’m not going to repeat things where someone else has done a great job of writing them up. I will merely put a link to the web page where you can go read.
To start with I have a Raspberry Pi 3 (https://www.raspberrypi.org/products/raspberry-pi-3-model-b/) on which I installed Raspbian Lite (https://www.raspberrypi.org/downloads/raspbian/). I used Etcher (https://etcher.io/) to burn the image to a 32GB microSD card. I also bought a power supply for the Pi3 after trying unsuccessfully to use one of the MicroUSB cables/plugs I had lying around the house. Turns out most of the ones used to recharge phones are at most 2.1 A (and some not even that) and the Pi3 needs 2.5 A. So my Pi3 kept rebooting over and over until I got the new power supply. (BTW, this is when I REALLY miss Radio Shack. This delayed me two days waiting for Amazon to deliver.) So my advice is: buy the power supply when you buy the Pi3.
I don’t have an HDMI monitor, but I have plenty of VGA monitors. A simple HDMI-to-VGA converter works with no problem. I’m using the Inland brand from MicroCenter (yes, I know, why didn’t I buy the power supply while I was there… I don’t know). Anyway:
Once I had burned the image and had the right power supply, I booted up and voila! I was in.
I shouldn’t have to tell you: change these as soon as possible.
Now I had a working Pi3 on a monitor with a keyboard. I connected it to my network and proceeded to update and patch: sudo apt-get update && sudo apt-get upgrade.
The Raspberry Pi Foundation has a nice list of configuration steps here: https://www.raspberrypi.org/documentation/configuration/ and I worked through the ones I thought applied to my environment.
Run the raspi-config configuration tool and set up your environment. This is where you turn on the ssh server.
I set about securing the Pi3 by doing things like turning off Bluetooth, disabling telnet, locking down ssh, etc. (https://www.raspberrypi.org/documentation/configuration/security.md)
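The "locking down ssh" step is easy to get subtly wrong (sshd honours only the first occurrence of a keyword, and a commented-out line does nothing), so here is a small audit script I wrote for this post, not part of the Raspberry Pi docs or of Raspbian. It reads an sshd_config, works out the effective value of a few hardening keywords, and reports anything that still allows password or root logins; the rule list and the `WEAK:` output format are my own choices.

```bash
#!/bin/sh
# Audit an sshd_config for the ssh lockdown settings recommended for a Pi.
# Hypothetical helper written for this post; it only reads the file given.
# Note: settings inside "Match" blocks are not evaluated here.

# Print the effective value of keyword $2 in config file $1, or nothing if
# the keyword is never set. Mirrors sshd: first occurrence wins, keywords are
# case-insensitive, and comment lines are ignored.
ssh_setting() {
    k=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v k="$k" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == k { print $2; exit }
    ' "$1"
}

# Check file $1 against the rules below. Prints one WEAK: line per problem.
# Returns 0 when every rule passes, 1 otherwise.
audit_sshd_config() {
    cfg="$1"; bad=0
    # rule format: keyword|required value|sshd default when unset|explanation
    for rule in \
        "PasswordAuthentication|no|yes|password logins are accepted (use keys)" \
        "PermitRootLogin|no|prohibit-password|root account reachable over ssh" \
        "PermitEmptyPasswords|no|no|accounts with empty passwords could log in"
    do
        key=${rule%%|*};   rest=${rule#*|}
        want=${rest%%|*};  rest=${rest#*|}
        dflt=${rest%%|*};  msg=${rest#*|}
        got=$(ssh_setting "$cfg" "$key")
        eff=$(printf '%s' "${got:-$dflt}" | tr 'A-Z' 'a-z')
        if [ "$eff" != "$want" ]; then
            printf 'WEAK: %s=%s (%s): %s\n' "$key" "$eff" \
                "${got:+explicit}${got:-unset, sshd default}" "$msg"
            bad=1
        fi
    done
    return $bad
}

# Stand-alone use: ./audit_sshd.sh /etc/ssh/sshd_config
if [ $# -gt 0 ]; then
    audit_sshd_config "$1"
fi
```

Run it again after every edit to sshd_config; an empty report and exit status 0 means the three keywords are explicitly or by default set the way you intended.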
I worked on setting up the wireless card, since I wanted the wired port to be the listening port. That turned out to be a little bit tricky. The instructions given on the Pi3 page didn’t work for me:
but these did:
Except if I reboot, I have to turn the wifi back on. Argh. Still working that out.
After I got the wifi to work, I ssh’d to the wlan port so I could leave the wired port for bro to use exclusively.
Once I got Raspbian configured to where I liked, I started looking at how to install Bro on the Pi3. There are a bunch of folks on the web who’ve done this before:
As well as lots of instructions for installing Bro in general:
I just chose to follow the instructions here:
Since all of these instructions are pretty much the same, I’ll just note some of the challenges I had with my install and how I got through them. Obviously, YMMV.
First, regarding the prerequisites, I had to make sure ‘git’ actually installed correctly. It’s much easier to pull and install Bro using git. Also, a lot of custom Bro scripts are kept on GitHub, so having git installed makes it easy to deploy those.
Make sure you install GeoIPv6 as well as GeoIPv4. Raspbian and the Pi3 understand IPv6, so you don’t want to miss out on that data.
Getting sendmail configured so that it could send me mail to my gmail account took a little bit of trial and error. Fortunately, I found this page:
For those that need to connect to a different port than 25, I found this:
I ran into an error when I was testing and got:
535 Incorrect authentication data. >>> MAIL From: SIZE=18 AUTHfirstname.lastname@example.org
But I must confess… I don’t remember what I did to fix it. If I remember, I’ll update. (The second time I ran through these steps, I did NOT get this error… argh.)
All of the other prerequisites installed fine. I did not install PF_RING, as I did not think my environment needed it.
Finally, I was ready to install Bro. As I said, I followed the instructions at
Bro installed very nicely. I’m running as root, so I didn’t have to do any of the permission changes.
I then started Bro and voila! Analysis of my network started to happen.
To monitor my network, I bought a SharkTap Network Sniffer for about $70. If I had to do it again, I would buy the GS105Ev2 – ProSAFE Plus 5-port Switch for about $40. It does port mirroring and is not a single point of failure (wife and kids losing streaming because of an overloaded tap: not fun to fix while at work). Both are on Amazon.
So that’s it for now. My next post on Bro will talk about my adventures learning to write scripts that alert, and having those alerts send me email notices.