
Installation

Robbie Corley edited this page May 6, 2017 · 35 revisions

The software dependencies are installed automatically when you run the install scripts from the GUI. Run apt-get update and apt-get upgrade before running Briar so that apt pulls the latest packages first.

The Setup

  1. First, ssh into your Pi as your preferred user (e.g. pi or root): ssh -X pi@your_pi_ip
     (the -X enables X forwarding, which sends the GUI to the computer you use to access your Pi).
  2. Next, clone the repo: git clone https://github.com/musicmancorley/BriarIDS.git
  3. You should now be able to run the program: sudo python BriarIDS.py, or if running as root simply python BriarIDS.py. The main menu should now be visible.

Understanding the Menu

This button will start the installation for Suricata. The installation status can be followed by typing the following in a separate terminal: tail -f /usr/local/src/install_log.log
This button will start the installation for Bro and the Critical-Stack-Intel-Agent. The installation status can be followed by typing the following in a separate terminal: tail -f /usr/local/src/broinstall.log
This installation takes quite some time on the Pi, but it is well worth the wait! It could take an hour or more depending on your Pi model. It is assumed the user has a reasonable understanding of how Bro functions. If I have time I will add more information on how Bro works. For now, just know that Bro, as it applies to BriarIDS, detects malicious websites (from the intel feed you as the user will configure) using the Critical Stack agent, and is simply a nice complementary solution to run alongside Suricata.

More specific information on how this works can be found HERE

This button will start an instance of Suricata for you, using the monitoring interface you selected in the dropdown menu.
This button will add your public IP to Suricata so that packets captured PRIOR to being NATed (i.e. still addressed to your public IP) will be logged. This is extremely handy for catching reconnaissance scans, such as Nmap scans performed from outside your network.
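The page does not show how the button adds the public IP to Suricata. The following is an added example, not BriarIDS's own code, that assumes the natural mechanism: appending the address to the HOME_NET variable in suricata.yaml so that rules written as $EXTERNAL_NET -> $HOME_NET match traffic still addressed to the public IP. The suricata.yaml fragment, the function names and the placeholder address 1.2.3.4 are all constructed for the example.

```python
"""Add the Pi's public IP to Suricata's HOME_NET (illustrative example).

Assumption: the "add your public IP" button appends the address to the
HOME_NET variable in suricata.yaml. The sample YAML and the IP are
constructed; this is not BriarIDS's own code.
"""
import ipaddress
import re

# Matches the HOME_NET line under vars/address-groups, for example
#     HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
# EXTERNAL_NET: "!$HOME_NET" does not match because the name must start the line.
HOME_NET_RE = re.compile(
    r'^(?P<indent>[ \t]*)HOME_NET:[ \t]*["\']?(?P<value>[^"\'\n]*)["\']?[ \t]*$',
    re.MULTILINE,
)

# Constructed fragment of a stock suricata.yaml
SAMPLE_YAML = """%YAML 1.1
---
vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    EXTERNAL_NET: "!$HOME_NET"
"""


def parse_address_group(value):
    """Turn '[a,b,c]' (or 'any') into a list of entries, order preserved."""
    value = value.strip()
    if value.lower() == "any":
        return ["any"]
    return [v.strip() for v in value.strip("[]").split(",") if v.strip()]


def add_public_ip_to_home_net(yaml_text, public_ip):
    """Return yaml_text with public_ip/32 (or /128 for IPv6) appended to HOME_NET.

    Refuses non-global addresses so a LAN address pasted by mistake is not
    silently added, and is idempotent: re-running with the same IP is a no-op.
    """
    addr = ipaddress.ip_address(public_ip)
    if not addr.is_global:
        raise ValueError("%s is not a public (globally routable) address" % public_ip)
    entry = "%s/%d" % (addr, addr.max_prefixlen)

    match = HOME_NET_RE.search(yaml_text)
    if match is None:
        raise ValueError("no HOME_NET definition found")

    entries = parse_address_group(match.group("value"))
    if "any" in entries or entry in entries:
        return yaml_text  # "any" already covers everything, or already present
    entries.append(entry)
    new_line = '%sHOME_NET: "[%s]"' % (match.group("indent"), ",".join(entries))
    return yaml_text[:match.start()] + new_line + yaml_text[match.end():]


if __name__ == "__main__":
    # 1.2.3.4 is a constructed placeholder for the Pi's real public address
    print(add_public_ip_to_home_net(SAMPLE_YAML, "1.2.3.4"))
```

The global-address check is the part worth keeping: if a private address is added to HOME_NET by accident nothing breaks visibly, but rules keyed on $EXTERNAL_NET quietly stop firing for it. Suricata must be restarted (or reloaded) for the changed variable to take effect.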
This button lets the user try an experimental feature I am working on, which allows VirusTotal to scan captured packets that contain files and report whether VirusTotal judges the file(s) malicious.

More information about this feature can be found HERE
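The page does not describe the plumbing of the VirusTotal feature. The following is an added example, not BriarIDS's own code, of the two halves such a feature needs: picking out the files Suricata extracted from traffic (its fileinfo events in eve.json, which carry a sha256 only when the file-store output is configured to hash stored files) and turning a VirusTotal file report into a verdict. It assumes the VirusTotal v2 file-report shape (response_code, positives, total); the eve.json lines, the file bytes, the reports and the two-engine threshold are constructed for the example, and the real API call is left to an injected lookup function so the code runs offline.

```python
"""Triage files Suricata extracted from traffic against a VirusTotal-style report.

Illustrative example, not BriarIDS's own code. Assumptions: Suricata's file-store
output hashes stored files so fileinfo events carry a sha256, and the report has
VirusTotal's v2 file-report shape (response_code, positives, total). The EVE
lines, file bytes and reports below are constructed.
"""
import hashlib
import json


def sha256_hex(data):
    """Hash a stored file's bytes the same way Suricata records them."""
    return hashlib.sha256(data).hexdigest()


# Constructed "captured file" and its hash, referenced by the sample log below.
SAMPLE_FILE = b"MZ\x90\x00constructed-sample-not-a-real-executable"
SAMPLE_SHA256 = sha256_hex(SAMPLE_FILE)

# Constructed eve.json lines: the same file downloaded twice (must dedupe),
# a file Suricata did not store, an unrelated alert, and a half-written last
# line of the kind seen while tailing eve.json.
SAMPLE_EVE_LINES = [
    json.dumps({"event_type": "fileinfo", "src_ip": "10.0.0.20", "dest_ip": "10.0.0.7",
                "http": {"hostname": "dl.example.test", "url": "/tool.exe"},
                "fileinfo": {"filename": "/tool.exe", "stored": True,
                             "size": len(SAMPLE_FILE), "sha256": SAMPLE_SHA256}}),
    json.dumps({"event_type": "fileinfo", "src_ip": "10.0.0.20", "dest_ip": "10.0.0.8",
                "http": {"hostname": "dl.example.test", "url": "/tool.exe"},
                "fileinfo": {"filename": "/tool.exe", "stored": True,
                             "size": len(SAMPLE_FILE), "sha256": SAMPLE_SHA256}}),
    json.dumps({"event_type": "fileinfo", "src_ip": "10.0.0.21", "dest_ip": "10.0.0.7",
                "http": {"hostname": "cdn.example.test", "url": "/logo.png"},
                "fileinfo": {"filename": "/logo.png", "stored": False, "size": 512}}),
    json.dumps({"event_type": "alert", "src_ip": "10.0.0.20", "dest_ip": "10.0.0.7",
                "alert": {"signature": "constructed test alert"}}),
    '{"event_type": "fileinfo", "trunc',
]

# Constructed VirusTotal-style v2 file reports keyed by sha256.
SAMPLE_REPORTS = {SAMPLE_SHA256: {"response_code": 1, "positives": 12, "total": 57}}


def constructed_lookup(sha256):
    """Stand-in for the VirusTotal file/report call (offline)."""
    return SAMPLE_REPORTS.get(sha256, {"response_code": 0})


def stored_file_hashes(eve_lines):
    """Return {sha256: info} for every fileinfo event whose file Suricata stored."""
    files = {}
    for line in eve_lines:
        try:
            event = json.loads(line)
        except ValueError:
            continue  # blank or partially written line
        if event.get("event_type") != "fileinfo":
            continue
        fi = event.get("fileinfo", {})
        digest = fi.get("sha256")
        if not fi.get("stored") or not digest:
            continue  # nothing on disk to scan, or hashing not enabled
        info = files.setdefault(digest, {
            "filename": fi.get("filename"),
            "hostname": event.get("http", {}).get("hostname"),
            "flows": set(),
        })
        info["flows"].add((event.get("src_ip"), event.get("dest_ip")))
    return files


def verdict(report, min_positives=2):
    """'unknown' if VirusTotal has never seen the hash, else 'malicious' or 'clean'.

    min_positives is an assumed threshold: one engine hit is often a false
    positive, so require at least two engines by default.
    """
    if report.get("response_code") != 1:
        return "unknown"
    return "malicious" if int(report.get("positives", 0)) >= min_positives else "clean"


def triage(eve_lines, lookup=constructed_lookup, min_positives=2):
    """Map every stored file's sha256 to its verdict, one lookup per unique hash."""
    return {digest: verdict(lookup(digest), min_positives)
            for digest in stored_file_hashes(eve_lines)}


if __name__ == "__main__":
    for digest, result in triage(SAMPLE_EVE_LINES).items():
        print(digest, result)
```

Looking up the hash first matters for more than API quota: a file extracted from your own traffic may be private, and uploading it to VirusTotal shares it with VirusTotal and its partners. An "unknown" verdict is the point at which to decide, deliberately, whether that file may leave the network.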
