
Installation

Robbie Corley edited this page May 6, 2017 · 35 revisions

The software dependencies will install automatically for you when running the install scripts via the GUI. I'd recommend running apt-get update and apt-get upgrade before running Briar so that apt can grab all the latest packages.

The Setup

  1. First, SSH into your Pi as your preferred user (e.g. 'pi' or 'root'): ssh -X pi@your_pi_ip
     (The -X flag enables X forwarding, which forwards the GUI to the computer you are using to access your Pi.)
  2. Next, clone the repo: git clone https://github.com/musicmancorley/BriarIDS.git
  3. You should now be able to run the program with sudo python BriarIDS.py, or simply python BriarIDS.py if running as root. The main menu should now be visible.

Understanding the Menu

This button will start the installation for Suricata. The installation status can be followed by typing the following in a separate terminal: tail -f /usr/local/src/install_log.log
This button will start the installation for Bro and the Critical-Stack-Intel-Agent. The installation status can be followed by typing the following in a separate terminal: tail -f /usr/local/src/broinstall.log
This installation takes quite some time on the Pi, but it is well worth the wait! It could take an hour or more depending on your Pi model. It is assumed the user has a reasonable understanding of how Bro functions. If I have time I will add more information on how Bro works. For now, just know that Bro, as it applies to BriarIDS, detects malicious websites (from the intel feed you as the user will configure) using the Critical Stack agent, and is simply a nice complementary solution to run alongside Suricata.

More specific information on how this works can be found HERE.

This button will start an instance of Suricata for you, using the monitoring interface you selected in the dropdown menu.
This button will add your public IP to Suricata so that packets captured PRIOR to being NAT'd will be logged. This is extremely handy for catching reconnaissance scans, such as Nmap scans performed from outside your network.
This button lets the user try an experimental feature I am working on: captured packets that contain files are submitted to VirusTotal, which determines whether or not the file(s) are malicious.

More information about this feature can be found HERE.

Setting up your network TAP

This portion of the installation is critical: without it, you will only capture packets sent to or from the Raspberry Pi itself. Basically, you need some way of collecting the packets from your network and copying them to your Pi's monitoring interface. To do this, I use resources already available here at my house: a Linksys router that supports Tomato firmware. Go HERE to search for the firmware for your specific router model. Once downloaded, go HERE to learn how to install it.

Finally, you need to configure your Tomato router's iptables to copy packets to your Pi. I've included detailed steps to achieve this HERE.
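One way of doing the copying described above, as an added example that is not part of the BriarIDS wiki or project: a POSIX shell script for a Tomato router's firewall script that clones WAN-crossing packets to the Pi with the iptables TEE target. The Pi address, the WAN interface name, and the availability of TEE and of iptables -C in your firmware are assumptions.

```shell
#!/bin/sh
# Added example, not from the BriarIDS wiki: mirror packets crossing a Tomato
# (iptables) router to the Pi running BriarIDS with the iptables TEE target.
# PI_IP and the WAN interface name are assumptions; set them for your network.
PI_IP="${PI_IP:-192.168.1.50}"   # assumed address of the Pi's monitoring interface
WAN_IF="${WAN_IF:-vlan2}"        # assumed Tomato WAN interface name

# Emit the two rules that clone WAN-crossing packets to the Pi. They sit in the
# mangle table so inbound packets are copied in PREROUTING (before DNAT, so the
# public IP is still the destination) and outbound packets in POSTROUTING
# (before SNAT). The Pi's own traffic is excluded so its copies are not
# mirrored back to it.   $1 = Pi address, $2 = WAN interface, $3 = -A or -D
mirror_rules() {
  gw="$1"; wan="$2"; op="${3:--A}"
  printf '%s\n' \
    "iptables -t mangle $op PREROUTING -i $wan ! -d $gw -j TEE --gateway $gw" \
    "iptables -t mangle $op POSTROUTING -o $wan ! -s $gw -j TEE --gateway $gw"
}

# The kernel must have the TEE target (module xt_TEE or built in); registered
# IPv4 targets are listed in /proc/net/ip_tables_targets.
tee_supported() {
  modprobe xt_TEE 2>/dev/null
  grep -qx TEE /proc/net/ip_tables_targets 2>/dev/null
}

# Install the rules once. Tomato re-runs its firewall script on every WAN
# reconnect, so probe with -C (iptables >= 1.4.11) before appending; duplicate
# rules would send the Pi two copies of every packet.
apply_mirror() {
  tee_supported || { echo "TEE target not available in this kernel" >&2; return 1; }
  mirror_rules "$PI_IP" "$WAN_IF" -A | while read -r add; do
    check=$(printf '%s' "$add" | sed 's/ -A / -C /')
    eval "$check" 2>/dev/null || eval "$add"
  done
}

remove_mirror() {
  mirror_rules "$PI_IP" "$WAN_IF" -D | while read -r del; do eval "$del"; done
}

case "${1:-}" in
  apply)  apply_mirror ;;
  remove) remove_mirror ;;
  show)   mirror_rules "$PI_IP" "$WAN_IF" -A ;;   # print the rules without applying
esac
```

Run it as `sh mirror.sh show` first to inspect the rules, then `sh mirror.sh apply` from the router's firewall script; inbound copies arrive with your public IP as the destination, which is why the "add public IP" button above matters.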
