How to Install and Configure Bro on Ubuntu Linux

Last updated at Fri, 08 Dec 2017 21:09:14 GMT

Synopsis

Bro is a free open source Unix based network analysis framework started by Vern Paxson.
Bro provides a comprehensive platform for collecting network measurements, conducting forensic investigations and traffic baselining. Bro comes with powerful analysis engine which makes it powerful intrusion detection system and network analysis framework.

Bro comes with a powerful set of features, some of them are listed below:

• Runs on commodity hardware and supports Linux, FreeBSD and MacOS.
• Real-time and offline analysis.
• Support clustering for large-scale deployments.
• Ability to monitor traffic in a very high performance environment.
• Comprehensive logging of activity for offline analysis and forensics.
• Supports many protocols such as, DNS, FTP, HTTP, IRC, SMTP, SSH, SSL.

In this tutorial, we will explain how to install and configure BRO IDS on Ubuntu Linux.

System Requirements

• Ubuntu 16.04 server installed to your server.
• Static IP address 192.168.15.189 setup on your server.

Update the System

Before starting, it is recommended to update your system with the latest version.

First, log in to root user and update your system with the following command:

apt-get update -y

apt-get upgrade -y

After updating your system, restart your system.

Install Required Dependencies

Before starting, Bro requires some dependencies install to your system. You can install all of them with the following command:

sudo apt-get install cmake make gcc g++ flex git bison python-dev swig libpcap-dev libssl-dev zlib1g-dev -y

You will also need to install GeoIP to your system. You can install it with the following command:

apt-get install libgeoip-dev -y

Next, download the GeoIP database with the following command:

cd /user/share/GeoIP/

wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz

wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCityv6-beta/GeoLiteCityv6.dat.gz

Next, extract the downloaded database with the following command:

gunzip GeoLiteCity*

Next, rename the both files to GeoIPCity.dat and GeoIPCityv6.dat respectively:

mv GeoLiteCity.dat GeoIPCity.dat

mv GeoLiteCityv6.dat GeoIPCity.dat

Install Bro-IDS

First, download the latest version of the Bro-IDS source from their website. You can do this with the following command:

wget http://www.bro.org/downloads/release/bro-2.4.1.tar.gz

Next, change the directory to bro-2.4.1 and compile it with the following command:

cd bro-2.4.1

mkdir /opt/bro

./configure --prefix=/opt/bro

make

make install

Once the Bro-IDS is installed, adjust your PATH environment with the following command:

export PATH=/opt/bro/bin:$PATH

You will also need to add path to your ~/.profile file in your home directory to make the change permanent.

nano ~/.profile

Add the following line:

 PATH=/opt/bro/bin:$PATH

Configure Bro-IDS

By default, bro configurations files are located at /opt/bro/etc/ directory. First, you will need to specify the network interface which you want to monitor.

You can do this by editing /opt/bro/etc/node.cfg file:

nano /opt/bro/etc/node.cfg

Specify network interface as per your need as shown below:

 [bro] 
 type=standalone 
 host=localhost 
 interface=eth0

Save and close the file.

Next, you will need to specify the private IP range which you want to monitor. You can do this by editing /opt/bro/etc/networks.cfg file:

nano /opt/bro/etc/networks.cfg

Specify the IP address range as per your need as shown below:

 192.168.15.0/24 Private IP space 
 192.168.0.0/16 Private IP space

Save and close the file when you are finished.

Next, you will need to start Bro service.

Bro service is managed by BroControl, so you will need to install it first. You can install it with the following command:

broctl install

You should see the following output:

 creating policy directories ... 
 installing site policies ... 
 generating standalone-layout.bro ... 
 generating local-networks.bro ... 
 generating broctl-config.bro ... 
 generating broctl-config.sh ... 
 updating nodes ...

Finally, start Bro service with the following command:

broctl start

Next, you will need to add Bro service at system startup. You can do this by editing /etc/rc.local file:

nano /etc/rc.local

Add the following line:

 /opt/bro/bin/broctl start

Save the file when you are finished.

You can check the status of Bro service with the following command:

broctl status

When all is well, you can check the Bro log file and observe Bro logs streaming in real time.

First, on the remote machine, run the Nmap port scan against your server with the following command:

nmap -PN -sS 192.168.15.189

Next, on the server machine, check the log file with the following command:

tail -f /opt/bro/logs/current/notice.log

You should see the following output:

 #path notice 
 #open 2017-06-11-08-38-44 
 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude 
 #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double 
 1497150524.430742 - - - - - - - - - Scan::Port_Scan 192.168.15.196 scanned at least 15 unique ports of host 192.168.15.189 in 0m0s local 192.168.15.196 192.168.15.189 - - bro Notice::ACTION_LOG 3600.000000 F- - - - -

tail -f /opt/bro/logs/current/conn.log

You should see the following output:

 1497150746.206183 CBjGd54nEnYOYOYGV8 192.168.15.196 52232 192.168.15.189 1026 tcp - 0.000015 0 0 REJ TT 0 Sr 1 44 1 40 (empty) 
 1497150746.206241 CPXg8OhTmd6FLIqe4 192.168.15.196 52232 192.168.15.189 3914 tcp - 0.000015 0 0 REJ TT 0 Sr 1 44 1 40 (empty) 
 1497150746.206299 Cu0Bk92eLHWLOEGJQ1 192.168.15.196 52232 192.168.15.189 1069 tcp - 0.000007 0 0 REJ TT 0 Sr 1 44 1 40 (empty) 
 1497150746.206386 CGdIJu1yRfjtHXuHA6 192.168.15.196 52232 192.168.15.189 9900 tcp - 0.000016 0 0 REJ TT 0 Sr 1 44 1 40 (empty) 
 1497150746.206445 CrS26a1maFEZPcxL9 192.168.15.196 52232 192.168.15.189 5988 tcp - 0.000016 0 0 REJ TT 0 Sr 1 44 1 40 (empty) 
 1497150746.206531 CciTaZF47VJzASOt3 192.168.15.196 52232 192.168.15.189 1187 tcp - 0.000017 0 0 REJ TT 0 Sr 1 44 1 40 (empty) 
 1497150746.206585 Cn0bnZ1icKr99yXn31 192.168.15.196 52232 192.168.15.189 4998 tcp - 0.000064 0 0 REJ TT 0 Sr 1 44 1 40 (empty) 
 1497150746.206700 Czp8ek1iUu0eapTti7 192.168.15.196 52232 192.168.15.189 9535 tcp - 0.000017 0 0 REJ TT 0 Sr 1 44 1 40 (empty) 
 1497150746.206762 C2Q5sjkJIHCJdApod 192.168.15.196 52232 192.168.15.189 8085 tcp - 0.000017 0 0 REJ TT 0 Sr 1 44 1 40 (empty) 
 1497150692.364924 C4oQWQ2mWrrblFrfzl fe80::5cd9:ddff:fef4:fc77 135 fe80::a00:27ff:fe7c:5b40 136 icmp - 0.000044 24 16 OTH F F 0 - 1 72 1 64 (empty) 
 ^C

Conclusion

Congratulations! you have successfully installed Bro-IDS to your server. You can now easily capture packet and inspect traffic of your network.

References

• Bro-IDS Documentation