bropy
dependencies
Hi, I am trying bropy on a bare ubuntu 16.04 server. Bro is running and collecting as usual.
To get bropy to run I had to pip install python-dateutil
but now I can't run the install.
I must be missing a dependency to parse out the subnets?
Choose one : [1-4]3
What subnets would you like to protect?(Enter comma separated list of subnets w/CIDR) i.e. 192.168.24.0/24,10.10.10.0/24
192.168.0.0/24,10.10.0.0/16,172.16.5.1/24 <-- testing
Sorry, invalid subnet
What subnets would you like to protect?(Enter comma separated list of subnets w/CIDR)
i.e. 192.168.24.0/24,10.10.10.0/24
If I edit the baseline manually and add subnets to the array, it still ignores them when I run "Generate potential rules from conn logs".
It generates the rules but shows me all internet servers that were accessed from the network and not just the "protected" servers.
Thanks, Gera
Sorry, I've gotta freak out for a second... This is my first bug request from anyone other than me.... Ok... Freak out done...
I'll push a patch tonight, but basically, I did a bad job at input checking... Bropy3 will work better.... If you already edited the array in baselinereport.bro, you just need to restart bro. "sudo broctl restart" should fix it.
I'll work on a list of dependencies tonight as well :) thanks for checking it out, let me know if that solves your problem.
On Feb 26, 2018 4:51 PM, "lorenzo95" wrote:
Hi, I am trying bropy on a bare ubuntu 16.04 server. Bro is running and collecting as usual. To get bropy to run I had to pip install python-dateutil but now I can't run the install.
I must be missing a dependency to parse out the subnets?
Choose one : [1-4]3
What subnets would you like to protect?(Enter comma separated list of subnets w/CIDR) i.e. 192.168.24.0/24,10.10.10.0/24
192.168.0.0/24,10.10.0.0/16,172.16.5.1/24 <-- testing
Sorry, invalid subnet
What subnets would you like to protect?(Enter comma separated list of subnets w/CIDR) i.e. 192.168.24.0/24,10.10.10.0/24
If I edit the baseline manually and add subnets to the array, it still ignores them when I run "Generate potential rules from conn logs". It generates the rules but shows me all internet servers that were accessed from the network and not just the "protected" servers.
Thanks, Gera
— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/hashtagcyber/bropy/issues/10, or mute the thread https://github.com/notifications/unsubscribe-auth/AM1EBSbSSzGmPuGByYcDU14JNkWBY_5uks5tY1GKgaJpZM4SULMV .
Haha that's funny. I heard about it on Purple Squad Security. That was a while ago.
I changed the path to baseline.data in baselinereport.bro as well since it appears to be hard coded. I used bro from the repo and it defaults to /opt/bro. It's reading my logs but not populating my baseline.data in "don't do it" mode ;) I'll try it again tomorrow
Yea, path for logs is in etc/bropy.cfg ... You shouldn't have to change much besides that.
On Feb 26, 2018 6:36 PM, "lorenzo95" wrote:
Haha that's funny. I heard about it on Purple Squad Security. That was a while ago.
I changed the path to baseline.data in baselinereport.bro as well since it appears to be hard coded. I used bro from the repo and it defaults to /opt/bro. It's reading my logs but not populating my baseline.data in "don't do it" mode ;) I'll try it again tomorrow
Fyi, I'm rewriting everything in python3 for Troopers18; in 2 weeks the code is going to look a LOT different, but the rules file will still work.
On Feb 26, 2018 6:54 PM, "Matthew Domko" wrote:
Yea, path for logs is in etc/bropy.cfg ... You shouldn't have to change much besides that.
https://github.com/hashtagcyber/bropy/tree/fixinputcheck
Try pulling this branch instead. You'll need to update bropy.cfg again.
Ah yes, looping nicely ;) That works.
Choose one : [1-4]3
What subnets would you like to protect?(Enter comma separated list of subnets w/CIDR)
i.e. 192.168.24.0/24,10.10.10.0/24
192.168.24.0/24,10.10.10.0/24
You entered 192.168.24.0/24. If this is incorrect, manually edit the file located at /usr/local/bro/share/bro/policy/misc/baselinereport.bro
You entered 10.10.10.0/24. If this is incorrect, manually edit the file located at /usr/local/bro/share/bro/policy/misc/baselinereport.bro
Script is already mentioned in /usr/local/bro/share/bro/site/local.bro ... Skipping
Copying sample baseline data file to /usr/local/bro/share/bro/policy/misc/baseline.data
Copying Baseline report script to /usr/local/bro/share/bro/policy/misc/baselinereport.bro
Bro must be restarted to complete installation. Restart Bro now? [y/n]
Can't wait for bropy3. Best of luck at Troopers18. Thank you for the help.
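One way to validate the comma-separated subnet list the installer prompts for, using Python's standard `ipaddress` module. This is an added example, not bropy's code or the fix on the `fixinputcheck` branch; the function name `parse_subnets` and the decision to normalise entries that have host bits set (such as 172.16.5.1/24 from the report above) rather than reject them are assumptions.

```python
import ipaddress


def parse_subnets(raw):
    """Split a comma-separated CIDR list into (accepted, rejected).

    accepted: de-duplicated ipaddress network objects, in input order
    rejected: (entry, reason) tuples the caller can show to the user
    """
    accepted, rejected, seen = [], [], set()
    for entry in raw.split(","):
        entry = entry.strip()
        if not entry:
            continue  # tolerate trailing commas and blank items
        if "/" not in entry:
            # A bare address would silently become a /32; require a prefix.
            rejected.append((entry, "missing /prefix length"))
            continue
        try:
            # strict=False masks host bits: 172.16.5.1/24 -> 172.16.5.0/24
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError as exc:
            rejected.append((entry, str(exc)))
            continue
        if net not in seen:
            seen.add(net)
            accepted.append(net)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed input: the list from the report plus two bad entries.
    sample = "192.168.0.0/24, 10.10.0.0/16,172.16.5.1/24,10.1.1.1,300.1.1.0/24"
    nets, bad = parse_subnets(sample)
    for net in nets:
        print("protect:", net)
    for entry, reason in bad:
        print("rejected:", repr(entry), "-", reason)
```

Reporting each rejected entry with its reason, instead of a single "invalid subnet" for the whole line, tells the operator which item to correct before the protected list is written out.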