
How To Install Bro-IDS 2.2 on Ubuntu 12.04

Posted February 19, 2014

Status: Deprecated

This article covers a version of Ubuntu that is no longer supported. If you are currently operating a server running Ubuntu 12.04, we highly recommend upgrading or migrating to a supported version of Ubuntu:

Reason: Ubuntu 12.04 reached end of life (EOL) on April 28, 2017 and no longer receives security patches or updates. This guide is no longer maintained.

See Instead:
This guide might still be useful as a reference, but may not work on other Ubuntu releases. If available, we strongly recommend using a guide written for the version of Ubuntu you are using. You can use the search functionality at the top of the page to find a more recent version.

Introduction


"Bro has originally been developed by Vern Paxson, who continues to lead the project now jointly with a core team of researchers and developers at the International Computer Science Institute in Berkeley, CA; and the National Center for Supercomputing Applications in Urbana-Champaign, IL." ^1 Liam Randall stated during a Shmoocon 2013 presentation that “Bro-IDS is only the first great application to be written in the Bro network programming language.” In other words, Bro itself is not an IDS; rather, it’s a scripting platform that is designed to work with network traffic.

The Bro framework differs from many traditional IDSs in that it is designed to be flexible and efficient while remaining highly stateful, with analyzers for many protocols that work regardless of the port the traffic is running on. Bro-IDS spans the full range from packet capture, traffic inspection and flow recording to alerting and scripting. Additionally, the Bro network security monitoring framework gives the analyst comprehensive logs to drive analysis and insight into transactional data on the network. While open source, commercial support is available from Broala.

Step One - Updating the OS


Once you log in to your VPS, you should ensure your OS is up to date by executing the following command as root:

apt-get update && apt-get upgrade

If the kernel was updated during this process you should reboot your instance prior to proceeding.

Step Two - Installing Dependencies


Next, we need to install the required dependencies by running the following command as root. The Bro documentation lists the required dependencies in more detail.

apt-get install cmake make gcc g++ flex bison libpcap-dev libgeoip-dev libssl-dev python-dev zlib1g-dev libmagic-dev swig2.0

Some of these packages may already be installed; however, it does not hurt to list all the requirements. apt-get will grab the missing ones and install them for us.

Step Three - Installing LibGeoIP


Bro can leverage the GeoIP library, whose headers we already installed above (libgeoip-dev). For Bro to use it we also need the GeoLite database files in place before starting Bro. Note that the files are fetched below over plain HTTP with no integrity check, and MaxMind has since retired these legacy GeoLite databases, so the download URLs may no longer work.

Installing the GeoIPLite Database


wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCityv6-beta/GeoLiteCityv6.dat.gz
gunzip GeoLiteCity.dat.gz
gunzip GeoLiteCityv6.dat.gz

Next we need to move the database files to the /usr/share/GeoIP/ directory (creating it if the GeoIP packages did not) by executing the following commands:

mkdir -p /usr/share/GeoIP
mv GeoLiteCity.dat  /usr/share/GeoIP/GeoLiteCity.dat
mv GeoLiteCityv6.dat /usr/share/GeoIP/GeoLiteCityv6.dat

Now we need to link the GeoLiteCity.dat and GeoLiteCityv6.dat files to the names Bro looks for, GeoIPCity.dat and GeoIPCityv6.dat respectively. If we build Bro with LibGeoIP installed but fail to create the links, Bro still starts, but we will see errors like the following in /nsm/bro/logs/current/stderr.log:

1392083947.452043 Failed to open GeoIP database: /usr/share/GeoIP/GeoIPCity.dat
1392083947.452043 Fell back to GeoIP Country database
1392083947.452043 Failed to open GeoIP database: /usr/share/GeoIP/GeoIPCityv6.dat

To link the files execute the following commands:

ln -s /usr/share/GeoIP/GeoLiteCity.dat /usr/share/GeoIP/GeoIPCity.dat
ln -s /usr/share/GeoIP/GeoLiteCityv6.dat /usr/share/GeoIP/GeoIPCityv6.dat
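As an added check (example code written for this tutorial, not part of Bro or its tooling), the following POSIX shell functions create the two links idempotently, refuse to link a missing or empty database, verify that the names Bro opens resolve to readable, non-empty files, and scan stderr.log for the failure lines shown above. The default paths /usr/share/GeoIP and /nsm/bro/logs/current/stderr.log are the ones used in this guide; any other directory or log file can be passed as the first argument.

```shell
#!/bin/sh
# Create and verify the GeoIP database links Bro opens at startup.
# Added example for this tutorial; not part of Bro. DIR defaults to
# /usr/share/GeoIP, the directory used in the steps above.

# geoip_link [DIR] - (re)create GeoIPCity.dat -> GeoLiteCity.dat and
# GeoIPCityv6.dat -> GeoLiteCityv6.dat; refuses to link a missing/empty file.
geoip_link() {
    _dir=${1:-/usr/share/GeoIP}
    for _pair in GeoLiteCity.dat:GeoIPCity.dat GeoLiteCityv6.dat:GeoIPCityv6.dat; do
        _src=${_pair%%:*}
        _dst=${_pair#*:}
        if [ ! -s "$_dir/$_src" ]; then
            echo "missing or empty database: $_dir/$_src" >&2
            return 1
        fi
        # -f replaces an existing link, so re-running after a DB update is safe
        ln -sf "$_dir/$_src" "$_dir/$_dst"
    done
}

# geoip_check [DIR] - succeed only if both names Bro opens resolve to
# readable, non-empty files (-s follows the link, so a dangling link fails).
geoip_check() {
    _dir=${1:-/usr/share/GeoIP}
    _rc=0
    for _f in GeoIPCity.dat GeoIPCityv6.dat; do
        if [ -s "$_dir/$_f" ] && [ -r "$_dir/$_f" ]; then
            echo "ok: $_dir/$_f"
        else
            echo "unusable: $_dir/$_f" >&2
            _rc=1
        fi
    done
    return $_rc
}

# geoip_log_errors [STDERR_LOG] - print the GeoIP failures Bro logged and
# return 1 if there were any; return 0 when the log is clean.
geoip_log_errors() {
    _log=${1:-/nsm/bro/logs/current/stderr.log}
    if grep 'Failed to open GeoIP database' "$_log"; then
        return 1
    fi
    return 0
}

# Stand-alone run: "sh geoip-check.sh /usr/share/GeoIP" links and verifies
# that directory, then scans the default stderr.log.
if [ $# -gt 0 ]; then
    geoip_link "$1" && geoip_check "$1" && geoip_log_errors
fi
```

Run the script as root after the database files are in place; a non-zero exit from geoip_check or geoip_log_errors means Bro will fall back to the country database or no GeoIP data at all.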

Step Four - Installing Bro-IDS


Now we will download Bro-IDS and build it from source: we download the source tarball, extract it, configure and build it, and run make install.

As root, download and extract the Bro-IDS tarball with the following commands. Note that this fetches the tarball over plain HTTP and nothing below verifies it; if the project publishes a checksum or signature for the release, compare it before building.

wget http://www.bro.org/downloads/release/bro-2.2.tar.gz
tar -xvzf bro-2.2.tar.gz

To build the application, change into the source directory with cd bro-2.2 and set the directory Bro-IDS should be installed into with the --prefix= option. In the example below we install Bro-IDS into /nsm/bro with ./configure --prefix=/nsm/bro. The following is a complete example of configuring, building, and installing Bro-IDS:

cd bro-2.2
./configure --prefix=/nsm/bro
make
make install

No errors? Good. Now add Bro to your PATH:

export PATH=/nsm/bro/bin:$PATH

To make the change permanent, add PATH=/nsm/bro/bin:$PATH to the ~/.profile file in your home directory (adjust the path if you used a different --prefix).

Configuring Bro-IDS


Bro is a powerful tool. For the most basic of installation steps, we will follow the documentation on the project page.

Using your favorite editor modify the following 3 files:

  • $PREFIX/etc/node.cfg -> Configure the network interface to monitor (i.e. interface=eth0)

  • $PREFIX/etc/networks.cfg -> Configure the local networks (i.e. 10.0.0.0/8 Private IP space )

  • $PREFIX/etc/broctl.cfg -> Change the MailTo address and the log rotation

Note: $PREFIX refers to the Bro-IDS installation root directory, i.e. whatever you passed to ./configure --prefix=. For the example above, replace $PREFIX with /nsm/bro (i.e. /nsm/bro/etc/node.cfg).

Configuring the node.cfg file


Assuming your system is set up with a single interface, the default node.cfg should be good to go except for possibly changing the sniffing interface. For example, if you run ifconfig and see something like the following:

root@brodemo:/nsm/bro/etc# ifconfig
eth0      Link encap:Ethernet  HWaddr 04:01:10:15:fa:01  
          inet addr:162.243.XXX.XXX  Bcast:162.243.XXX.XXX  Mask:255.255.255.0
          inet6 addr: fe80::601:10ff:fe15:fa01/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:998663 errors:0 dropped:0 overruns:0 frame:0
          TX packets:27341 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:130635788 (130.6 MB)  TX bytes:4043010 (4.0 MB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:2174 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2174 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:114442 (114.4 KB)  TX bytes:114442 (114.4 KB)


From this example we see that the system has one interface, eth0, so the default configuration is fine with only the following lines uncommented:

root@brodemo:~# cat /nsm/bro/etc/node.cfg 
# Example BroControl node configuration.
#
# This example has a standalone node ready to go except for possibly changing
# the sniffing interface.

# This is a complete standalone configuration.  Most likely you will
# only need to change the interface.
[bro]
type=standalone
host=localhost
interface=eth0

## Below is an example clustered configuration. If you use this,
## remove the [bro] node above.

#[manager]
#type=manager
#host=host1
#
#[proxy-1]
#type=proxy
#host=host1
#
#[worker-1]
#type=worker
#host=host2
#interface=eth0
#
#[worker-2]
#type=worker
#host=host3
#interface=eth0
#
#[worker-3]
#type=worker
#host=host4
#interface=eth0

Configuring the networks.cfg file


This file lists the networks Bro should treat as local. That classification drives the local_orig field in conn.log and many of the default policy scripts, so it is worth getting right. The shipped defaults only cover the RFC 1918 private ranges. If the interface you are monitoring has a public address, as eth0 does in the ifconfig output above (162.243.XXX.XXX with a /24 mask), add that subnet here as well; otherwise Bro will treat your own host's traffic as remote.

root@brodemo:~# cat /nsm/bro/etc/networks.cfg 
# List of local networks in CIDR notation, optionally followed by a
# descriptive tag.
# For example, "10.0.0.0/8" or "fe80::/64" are valid prefixes.

10.0.0.0/8          Private IP space
192.168.0.0/16      Private IP space
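To avoid working out the subnet by hand, here is an added example (not from the original tutorial or the Bro project) in POSIX shell that reads ifconfig output in the format shown above, derives the interface's network and prefix length from its address and netmask, and prints a line in the format networks.cfg expects. The ifconfig text embedded in it is constructed for the example, with a made-up address in the same 162.243.0.0/16 range as the one shown earlier; the "addr:" and "Mask:" field positions are assumed to match the ifconfig output above. Run the functions against ifconfig on your own host and append the output to $PREFIX/etc/networks.cfg.

```shell
#!/bin/sh
# Derive the networks.cfg line for the monitored interface from ifconfig output.
# Added example for this tutorial, not part of Bro or BroControl.

# mask_to_prefix NETMASK -> prefix length; rejects non-contiguous masks
mask_to_prefix() {
    set -- $(printf '%s\n' "$1" | tr . ' ')
    [ $# -eq 4 ] || { echo "bad netmask" >&2; return 1; }
    _bits=0; _done=0
    for _o in "$@"; do
        case $_o in
            255) _n=8 ;; 254) _n=7 ;; 252) _n=6 ;; 248) _n=5 ;;
            240) _n=4 ;; 224) _n=3 ;; 192) _n=2 ;; 128) _n=1 ;; 0) _n=0 ;;
            *) echo "bad netmask octet: $_o" >&2; return 1 ;;
        esac
        # once an octet is partial or zero, every later octet must be 0
        if [ "$_done" -eq 1 ] && [ "$_n" -ne 0 ]; then
            echo "non-contiguous netmask" >&2; return 1
        fi
        [ "$_n" -eq 8 ] || _done=1
        _bits=$((_bits + _n))
    done
    echo "$_bits"
}

# network_of ADDR NETMASK -> network address (ADDR AND NETMASK, per octet)
network_of() {
    set -- $(printf '%s\n' "$1 $2" | tr . ' ')
    [ $# -eq 8 ] || { echo "bad address or netmask" >&2; return 1; }
    echo "$(($1 & $5)).$(($2 & $6)).$(($3 & $7)).$(($4 & $8))"
}

# iface_inet IFACE (ifconfig output on stdin) -> "ADDR NETMASK" for IFACE.
# Assumes the classic "inet addr:A.B.C.D ... Mask:M.M.M.M" line shown above.
iface_inet() {
    awk -v ifc="$1" '
        $1 == ifc { found = 1; next }
        /^$/      { found = 0 }
        found && $1 == "inet" && $2 ~ /^addr:/ {
            sub(/^addr:/, "", $2); sub(/^Mask:/, "", $NF)
            print $2, $NF; exit
        }'
}

# local_net_line ADDR NETMASK TAG -> one networks.cfg entry
local_net_line() {
    _p=$(mask_to_prefix "$2") || return 1
    _n=$(network_of "$1" "$2") || return 1
    printf '%-20s%s\n' "$_n/$_p" "$3"
}

# iface_local_net IFACE TAG (ifconfig output on stdin) -> networks.cfg line
iface_local_net() {
    set -- "$1" "$2" $(iface_inet "$1")
    [ $# -eq 4 ] || { echo "no IPv4 address found for $1" >&2; return 1; }
    local_net_line "$3" "$4" "$2"
}

# Constructed ifconfig output (not a real host) mirroring the tutorial's example.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 04:01:10:15:fa:01
          inet addr:162.243.17.35  Bcast:162.243.17.255  Mask:255.255.255.0
          inet6 addr: fe80::601:10ff:fe15:fa01/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1'

# Stand-alone run: prints "162.243.17.0/24     Monitored subnet". On a live
# host use:  ifconfig | iface_local_net eth0 "Monitored subnet" >> /nsm/bro/etc/networks.cfg
printf '%s\n' "$SAMPLE_IFCONFIG" | iface_local_net eth0 "Monitored subnet"
```

After editing networks.cfg, rerun install in broctl (shown in the next step) so that local-networks.bro is regenerated; BroControl does not pick up the change until then.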

Configuring the broctl.cfg file


The broctl.cfg file is where you configure the recipient address for all emails sent out by Bro and BroControl, the log rotation interval, and other settings.

Step Five - Starting Bro-IDS


Next, we need to launch the broctl shell, from which you can execute Bro commands. As root, type broctl; if you did not set the PATH as noted above, run it via its full path, /nsm/bro/bin/broctl.

# broctl 
warning: cannot read '/nsm/bro/spool/broctl.dat' (this is ok on first run)

Welcome to BroControl 1.2

Type "help" for help.

[BroControl] > 

Since this is a new installation, the first command to run is install. We then run start, followed by status to verify that Bro-IDS is running:

[BroControl] > install
warning: cannot read '/nsm/bro/spool/broctl.dat' (this is ok on first run)
creating policy directories ... done.
installing site policies ... done.
generating standalone-layout.bro ... done.
generating local-networks.bro ... done.
generating broctl-config.bro ... done.
updating nodes ... done.
[BroControl] > start
starting bro ...
[BroControl] > status
Name       Type       Host       Status        Pid    Peers  Started              
bro        standalone localhost  running       15837  0      10 Feb 20:57:35  
[BroControl] > 

You now have Bro-IDS running on your system. Check out the documentation page for further information.
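Once Bro is running, the logs under /nsm/bro/logs/current are the real confirmation that it sees traffic and that networks.cfg classified it correctly. The following POSIX shell helpers are an added example for this tutorial, not Bro's own tooling: they resolve columns by name from the #fields header of a Bro ASCII log (so they do not depend on column order, which changes between Bro versions), count records by field value, and list the non-local hosts that initiated SSH connections to the monitored box. The conn.log they run on is constructed inline, with made-up uids, RFC 5737 documentation addresses and a subset of Bro 2.2's conn.log columns; against a live install, point them at /nsm/bro/logs/current/conn.log instead.

```shell
#!/bin/sh
# Post-start checks on Bro's ASCII logs (tab-separated, "#fields" header).
# Added example for this tutorial; not Bro tooling.

# bro_count LOG FIELD VALUE -> number of records whose FIELD equals VALUE.
# The column index is looked up by name from the #fields line; other
# "#..." lines (separator, types, open/close) are skipped.
bro_count() {
    awk -F'\t' -v want="$2" -v val="$3" '
        /^#fields/ { for (i = 2; i <= NF; i++) if ($i == want) col = i - 1; next }
        /^#/       { next }
        col && $col == val { n++ }
        END        { print n + 0 }' "$1"
}

# bro_remote_ssh_sources LOG -> distinct non-local hosts (local_orig=F)
# that initiated connections Bro identified as ssh, one per line, sorted.
bro_remote_ssh_sources() {
    awk -F'\t' '
        /^#fields/ { for (i = 2; i <= NF; i++) c[$i] = i - 1; next }
        /^#/       { next }
        ("service" in c) && ("local_orig" in c) && ("id.orig_h" in c) &&
        $c["service"] == "ssh" && $c["local_orig"] == "F" { print $c["id.orig_h"] }' "$1" | sort -u
}

# make_sample_conn_log FILE - write a constructed conn.log (fictional uids,
# RFC 5737 addresses, a subset of Bro 2.2's conn.log fields) to FILE.
make_sample_conn_log() {
    _row() ( IFS=$(printf '\t'); printf '%s\n' "$*" )   # tab-join arguments
    {
        printf '%s\n' '#separator \x09'
        _row '#set_separator' ','
        _row '#empty_field' '(empty)'
        _row '#unset_field' '-'
        _row '#path' 'conn'
        _row '#fields' ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service conn_state local_orig
        _row '#types' time string addr port addr port enum string string bool
        _row 1392840001.123456 CXWv6p3arKYeMETxOg 162.243.17.35 45212 192.0.2.53 53 udp dns SF T
        _row 1392840002.234567 CjhGID4nQcgTWjvg4c 203.0.113.9 51022 162.243.17.35 22 tcp ssh S1 F
        _row 1392840003.345678 CUM0KZ3MLUfNB0cl11 198.51.100.77 40100 162.243.17.35 22 tcp ssh REJ F
        _row 1392840004.456789 C37jN32gN3y3AZzyf6 162.243.17.35 33100 198.51.100.200 80 tcp http SF T
        _row 1392840005.567890 CAxsP1Z5b0o3p4Dg1 203.0.113.9 51023 162.243.17.35 22 tcp ssh SF F
        _row '#close' '2014-02-19-21-00-00'
    } > "$1"
}

# Stand-alone run: summarise the constructed sample. If every record shows
# local_orig=F on a live box, networks.cfg does not cover your own subnet.
_sample=$(mktemp)
make_sample_conn_log "$_sample"
echo "local-originated connections:  $(bro_count "$_sample" local_orig T)"
echo "remote-originated connections: $(bro_count "$_sample" local_orig F)"
echo "remote hosts that opened SSH to us:"
bro_remote_ssh_sources "$_sample"
rm -f "$_sample"
```

The same two-pass idiom (read #fields, then select by name) works for any of Bro's ASCII logs, for example notice.log or http.log, so it is worth keeping around as the basis for ad hoc checks.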

Article Submitted by: @schwartz1375


Creative Commons License