briarids's People

Contributors

ebel, g3tsyst3m, seth-stansberry, tylerebel

briarids's Issues

hardcoded wget URLS

Work towards a more automated URL retrieval method instead of using hard-coded URLs for source tarballs. That way every resource that is downloaded remains current and the likelihood of broken links is low.

OpenWRT instead of Tomato?

Not really an issue, but I thought to ask here: will the BriarIDS setup work if I replace a Tomato-supported router with an OpenWRT one?

From what I see all you'd need is IPTABLES, and as far as I know OpenWRT supports it as well.

Thanks!

/opt/nsm/bro is empty after install

After clicking the "Install Bro-2.5 and Intel Feed Agent" button, it leaves me with a prompt saying:

Almost done.  What you will want to do now is to add some feeds.  Since the raspberry pi is limited in its processing power, signing up for too many feeds will overload the unit.
I would suggest signing up for just a few feeds initially, such as 'Phish Tank Intel Feed' and 'Known Tor exit nodes'.
Once you have added your feeds to your sensor, go ahead and pull that info into Bro by issuing the following command:
sudo -u critical-stack critical-stack-intel pull
Now, you will want to perform three final changes.  Go to /opt/nsm/bro/etc
edit Networks.cfg and be sure to add something similar to the following:
10.0.0.0/8          Private IP space
192.168.0.0/16      Private IP space
pubicipgoeshere/32      Public WAN IP space
Now, edit nodes.cfg and add in your interface, either eth0 or eth1, etc
finally, start bro.  go to /nsm/opt/bro/bin/ as ROOT and do: ./broctl
type in 'deploy' which should auto start the application.  Log files will be in /nsm/opt/bro/logs/current for active scans and folder archives for completed scans.
That's it. Congrats!

However, /opt/nsm/bro is empty. There are 3 files in /root/bro-2.5.tar.gz.[123], but I couldn't find hide nor hair of bro elsewhere on the system.

Dynamically set path for checkXauth

While doing this install I needed to SSH as root, and as such the hardcoded path in checkXauth.sh failed:

ls /home/pi/.Xauthority > /dev/null

if [ "$?" == "0" ]; then
sudo cp /home/pi/.Xauthority /root/

I'd suggest doing something like:

ls $HOME/.Xauthority > /dev/null

if [ "$?" == "0" ]; then
sudo cp $HOME/.Xauthority /root/

instead, as many users may not do this as the default "pi" account.

Additionally, as I did this as root the "cp" was redundant so you may want to add a check for whether the user is root and if so, skip the "cp".
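
One way to implement both suggestions in this issue, as an added example that is not BriarIDS code: the function names, return codes and the use of `SUDO_USER` to find the invoking user are assumptions made here.

```shell
#!/bin/sh
# Added example, not part of BriarIDS: find the invoking user's .Xauthority
# without assuming /home/pi, and skip the copy when it would be redundant.

# resolve_user_home: print the home directory of the user who ran sudo,
# or $HOME when the script was started directly (e.g. SSH as root).
resolve_user_home() {
    user="${SUDO_USER:-}"
    if [ -n "$user" ] && command -v getent >/dev/null 2>&1; then
        home=$(getent passwd "$user" | cut -d: -f6)
        if [ -n "$home" ]; then
            printf '%s\n' "$home"
            return 0
        fi
    fi
    printf '%s\n' "$HOME"
}

# copy_xauthority SRC_HOME DEST_DIR
# Returns 0 = copied, 1 = no .Xauthority in SRC_HOME,
#         2 = skipped because SRC_HOME and DEST_DIR are the same directory
#             (the "already root" case described in the issue).
copy_xauthority() {
    src="$1/.Xauthority"
    dest="$2/.Xauthority"
    [ -f "$src" ] || return 1
    src_dir=$(cd "$1" 2>/dev/null && pwd -P)
    dest_dir=$(cd "$2" 2>/dev/null && pwd -P)
    if [ -n "$src_dir" ] && [ "$src_dir" = "$dest_dir" ]; then
        return 2
    fi
    # The file holds X11 authentication cookies, so keep the copy private.
    cp -p -- "$src" "$dest" && chmod 600 "$dest"
}

# Typical call from an installer running as root:
#   copy_xauthority "$(resolve_user_home)" /root
```
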

How to get frames to BriarIDS?

Trying to understand how to use BriarIDS to inspect 802.11 frames. I have nexmon (https://github.com/seemoo-lab/nexmon) running on my Raspberry Pi 3 Model B and am installing BriarIDS. Will I be able to use the wifi card in monitor mode and pipe 802.11 frames into BriarIDS for easy inspection, or should I be using wireshark instead?

Second, does BriarIDS / Suricata support reading radiotap frames?

Thank you!

CLI Version?

Hi there!

First of all, this is awesome. I have been looking for something like this for a long time and am working on getting it set up as I type. I do have a question, but I just may have missed it, and if so, my apologies. Is there a way to run this w/o a GUI, or is the only way to install everything with the PyQT app?

Menu Broken

The menu breaks when opened directly from the desktop (over SSH it works fine).
Here is the error:
pi@raspberrypi:~/BriarIDS $ sudo python BriarIDS.py
loading main menu...
X Error: BadAccess (attempt to access private resource denied) 10
  Extension: 129 (MIT-SHM)
  Minor opcode: 1 (X_ShmAttach)
  Resource id: 0x2c00001
X Error: BadShmSeg (invalid shared segment parameter) 128
  Extension: 129 (MIT-SHM)
  Minor opcode: 5 (X_ShmCreatePixmap)
  Resource id: 0x2c0000d
X Error: BadDrawable (invalid Pixmap or Window parameter) 9
  Major opcode: 62 (X_CopyArea)
  Resource id: 0x2c0000e
X Error: BadDrawable (invalid Pixmap or Window parameter) 9
  Major opcode: 62 (X_CopyArea)
  Resource id: 0x2c0000e
X Error: BadDrawable (invalid Pixmap or Window parameter) 9 .....

QXcbConnection: Could not connect to display

After downloading the code and running the setup.py install command I get the following error:

~/Desktop/BriarIDS $ briar
QXcbConnection: Could not connect to display
Aborted

Any thoughts?

Alive?

Hi!
I am searching for a simple way to convert a Pi into an IDS for my home network. Your project seems cool! But is it still alive/updated? It's not a reproach, I just want to install a maintained IDS. Thanks for your project anyway!

bro install fails

The bro install fails on the latest Raspbian distribution with all patches.

To get around the compile problems you have to manually install the libssl1.0-dev package before starting the install process.
I will correct this soon. Thanks
-Robbie
