Inspirated

 
 

December 10, 2012

Bro IDS on OpenWRT

Filed under: Blog — krkhan @ 12:59 pm

While I was at SysNet, we had been working on a project we called “Shrimp” — Software-defined Home Router Intelligent Monitoring Point. The goal of the project was to provide a framework for easy programmatic access to network monitoring on low-cost, commodity, home router devices. One of the requirements was to have an IDS on the home routers for which we chose Bro — the leading framework for semantic analysis of network traffic.

The OpenWRT OS was chosen as the target platform. Its SDK contained a cross-compile toolchain for CMake projects. However, during the compilation Bro tried to run the binpac and bifcl executables for processing intermediate files. The executables refused to run on the build platform if the target platform architecture was different (mostly the case, e.g., we were building on x86-64 and target was arm).

The (not-so-pretty ™) workaround we used was to build Bro twice. Once for the host, and once for the target. The CMake files were then patched to first generate binpac and bifcl binaries if they weren’t provided and then use the provided binaries if they were defined at make time. The first compile generated the binaries on x86-64 and the second compile (for arm) used the earlier binaries to process the bif files.

The Makefile and patches are available in this tarball: openwrt-bro.tar.gz, while the compiled ipk package is also available for installation. Here is a test execution of Bro on OpenWRT:

# bro –v
bro version 2.0
# cat test.bro
event bro_init()
{
	print "Hello World!";
}

event new_connection(c: connection)
{
	print "New connection created";
}
# bro test.bro
Hello World!
# bro -i br-lan test.bro
Hello World!
New connection created
New connection created
# ls
conn.log           notice_policy.log  reporter.log       weird.log
dns.log            packet_filter.log  test.bro

A heap of thanks to Zaafar for dealing with my messy code and providing the links to hosted files :) !

Tags: , , , , , , , , ,

8 Comments

  1. Hello there,

    I have flashed OpenWrt to my router, and i would really love to use Bro on there too.
    Could you possibly make another ipk thats suitable for MIPS and libpcap 1.5 or 1.6.2?

    Because Bro 2.3 would be newer than Version 2.0 you have compiled two years ago.

    Thanks a lot Mate ;)

    Comment by Steffen — November 14, 2014 @ 1:29 am

  2. I’m also interested on Bro 2.3 under a MIPs openwrt router. BT HomeHub 2.0B

    Thanks

    Comment by Fernando — December 28, 2014 @ 7:21 pm

  3. Same here, trying get an IDS on my MIPS router.
    IMO bro is versatile enough for an official port to be worth while, not sure about the resources requirements tho.
    Would you consider maintaining a port on openwrt?

    Comment by utbabya — April 27, 2015 @ 7:20 pm

  4. Hi folks,

    I didn’t realize that there was interest in this Bro port :) .

    I ported Bro 2.3 to OpenWRT a few months ago but never got around to posting it on the blog.

    It might be a little flaky, but I’ll post the sources and the pre-built ipk here so that you guys can test it out.

    Thanks,
    Kamran.

    Comment by krkhan — April 28, 2015 @ 1:51 am

  5. Thanks a lot, waiting for the ipk

    Comment by Fernando — April 28, 2015 @ 1:52 am

  6. Thanks Kamran.

    After digging a little, the bifcl is compiling .bif into C++ and Bro, so that means it’s a cross compile only issue.

    If I fire up a MIPS linux in qemu with all the dependencies it would just compile right?

    Comment by utbabya — April 29, 2015 @ 4:22 am

  7. […] posting the Bro port for OpenWRT on my blog roughly two years ago, I didn’t realize some people were already actually using it […]

    Pingback by Bro 2.3 on OpenWRT | Inspirated — April 29, 2015 @ 11:32 pm

  8. Here you go guys, sorry for the delay:

    https://inspirated.com/2015/04/29/bro-2-3-on-openwrt

    Comment by krkhan — April 29, 2015 @ 11:33 pm

RSS feed for comments on this post.

Sorry, the comment form is closed at this time.