Intel Client After Updating Bro on Security Onion

This is a note for those running the Intel client on Security Onion.

Installing the Intel client adds the following to local.bro:

# Critical Stack, Inc - https://intel.criticalstack.com
@load /opt/critical-stack/frameworks/intel

The @load statement tells Bro to activate the Intel feeds.

Yesterday Doug Burks updated the version of Bro in Security Onion to 2.3.2, as noted in his post "Bro 2.3.2 now available!"

When you run "sudo soup", the update process replaces /opt/bro/share/bro/site/local.bro with a default version. This new version does not contain the @load statement that was added during the Intel client installation.

To resume using the Intel client following a Bro update on Security Onion, simply add the text back to /opt/bro/share/bro/site/local.bro such that it looks like the following:

# You can load your own intel into:
# /opt/bro/share/bro/intel/
@load intel

# ShellShock - detects successful exploitation of Bash vulnerability CVE-2014-6271
@load shellshock

# Critical Stack, Inc - https://intel.criticalstack.com
@load /opt/critical-stack/frameworks/intel

Check the scripts and then restart Bro using the following commands.

sudo broctl check
manager scripts are ok.
proxy scripts are ok.
tssub01-eth0-1 scripts are ok.

sudo nsm_sensor_ps-restart --only-bro
Restarting: Bro
tssub01-eth0-1 not running
proxy not running
manager not running
removing old policies in /nsm/bro/spool/installed-scripts-do-not-touch/site ... done.
removing old policies in /nsm/bro/spool/installed-scripts-do-not-touch/auto ... done.
creating policy directories ... done.
installing site policies ... done.
generating cluster-layout.bro ... done.
generating local-networks.bro ... done.
generating broctl-config.bro ... done.
updating nodes ... done.
starting manager ...
starting proxy ...
starting tssub01-eth0-1 ...
Restarting: tssub01-eth0
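
The edit described above can be scripted so it is safe to repeat after every "sudo soup". This is an added example, not part of the Intel client or Security Onion; the function name ensure_intel_load and the .bak backup file are assumptions, while the path and the two lines written are the ones shown in this note.

```shell
#!/bin/sh
# Added example: put the Critical Stack @load line back into local.bro
# when an update has replaced the file with the default version.
# ensure_intel_load and the ".bak" backup are hypothetical names.

LOCAL_BRO="${LOCAL_BRO:-/opt/bro/share/bro/site/local.bro}"
INTEL_COMMENT='# Critical Stack, Inc - https://intel.criticalstack.com'
INTEL_LOAD='@load /opt/critical-stack/frameworks/intel'

# ensure_intel_load FILE
# Prints "present" if an active @load line already exists, "added" if it
# had to be appended. Returns non-zero only when the file cannot be used.
ensure_intel_load() {
    file="$1"
    if [ ! -f "$file" ]; then
        echo "missing: $file" >&2
        return 1
    fi
    # Match only an uncommented line; "# @load ..." does not count.
    if grep -Eq '^[[:space:]]*@load[[:space:]]+/opt/critical-stack/frameworks/intel[[:space:]]*$' "$file"; then
        echo "present"
        return 0
    fi
    # Keep a copy of the file as the update left it, then append.
    cp -p "$file" "$file.bak" || return 1
    printf '\n%s\n%s\n' "$INTEL_COMMENT" "$INTEL_LOAD" >> "$file" || return 1
    echo "added"
}

# Run as: sudo sh this-script.sh --apply
if [ "${1:-}" = "--apply" ]; then
    ensure_intel_load "$LOCAL_BRO"
fi
```

If the script reports "added", continue with the check and restart commands shown above.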

Let us know if you have any questions.