How To Install Bro-IDS 2.2 on Ubuntu 12.04

Published on February 19, 2014
Author: Matthew Schwartz

Status: Deprecated

This article covers a version of Ubuntu that is no longer supported. If you currently operate a server running Ubuntu 12.04, we highly recommend upgrading or migrating to a supported version of Ubuntu:

Reason: Ubuntu 12.04 reached end of life (EOL) on April 28, 2017 and no longer receives security patches or updates. This guide is no longer maintained.

See Instead: This guide might still be useful as a reference, but it may not work on other Ubuntu releases. If available, we strongly recommend using a guide written for the version of Ubuntu you are using. You can use the search functionality at the top of the page to find a more recent version.

Introduction


“Bro has originally been developed by Vern Paxson, who continues to lead the project now jointly with a core team of researchers and developers at the International Computer Science Institute in Berkeley, CA; and the National Center for Supercomputing Applications in Urbana-Champaign, IL.” ^1 Liam Randall stated during a Shmoocon 2013 presentation that “Bro-IDS is only the first great application to be written in the Bro network programming language.” In other words, Bro itself is not an IDS; rather, it is a scripting platform designed to work with network traffic.

The Bro framework differs from many traditional IDSs in that it is designed to be flexible and efficient while remaining highly stateful, with analyzers for multiple protocols regardless of the port they run on. Bro-IDS spans the full range from packet capture, traffic inspection, flow recording and alerting to scripting. Additionally, the Bro network security monitoring framework gives the analyst comprehensive logs to drive analysis of, and insight into, transactional data on the network. While open source, commercial support is available from Broala.

Step One - Updating the OS


Once you log in to your VPS, you should ensure your OS is up to date by executing the following command as root:

apt-get update && apt-get upgrade

If the kernel was updated during this process you should reboot your instance prior to proceeding.

Step Two - Installing Dependencies


Next, we need to install the required dependencies by running the following command as root. See the Bro documentation for additional information on the required dependencies.

apt-get install cmake make gcc g++ flex bison libpcap-dev libgeoip-dev libssl-dev python-dev zlib1g-dev libmagic-dev swig2.0

Some of these packages may already be installed; however, it does not hurt to list all the requirements. apt-get will grab the missing ones and install them for us.

Step Three - Installing LibGeoIP


Bro can leverage the GeoIP library, whose development headers we already installed above (libgeoip-dev). To make use of it we also need to install the GeoLite database before starting Bro. Note that these legacy GeoLite downloads are served over plain HTTP, so nothing checks their integrity in transit, and MaxMind has since retired the GeoLite Legacy databases, so the URLs below no longer resolve; treat this step as a historical reference.

Installing the GeoIPLite Database


wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCityv6-beta/GeoLiteCityv6.dat.gz
gunzip GeoLiteCity.dat.gz
gunzip GeoLiteCityv6.dat.gz

Next we need to move the database files to the /usr/share/GeoIP/ directory by executing the following commands:

mv GeoLiteCity.dat  /usr/share/GeoIP/GeoLiteCity.dat
mv GeoLiteCityv6.dat /usr/share/GeoIP/GeoLiteCityv6.dat

Now we need to create links from the GeoLiteCity.dat and GeoLiteCityv6.dat files to GeoIPCity.dat and GeoIPCityv6.dat respectively, because those are the file names Bro opens. If we build Bro with LibGeoIP installed but fail to create the links, we will see errors like the following in /nsm/bro/logs/current/stderr.log:

1392083947.452043 Failed to open GeoIP database: /usr/share/GeoIP/GeoIPCity.dat
1392083947.452043 Fell back to GeoIP Country database
1392083947.452043 Failed to open GeoIP database: /usr/share/GeoIP/GeoIPCityv6.dat

To link the files execute the following commands:

ln -s /usr/share/GeoIP/GeoLiteCity.dat /usr/share/GeoIP/GeoIPCity.dat
ln -s /usr/share/GeoIP/GeoLiteCityv6.dat /usr/share/GeoIP/GeoIPCityv6.dat
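The link step above is easy to get wrong (a typo in either name reproduces the "Failed to open GeoIP database" lines in stderr.log, and Bro only tells you after it has started). The following is an added example, not code from the original tutorial or from the Bro project: it creates the two links idempotently and verifies that every name Bro opens resolves to a readable file before you start Bro. It assumes the file names and the /usr/share/GeoIP directory used in the tutorial; any other directory can be passed as an argument.

```shell
#!/bin/sh
# Added example (not from the original tutorial or the Bro project):
# create the GeoIPCity.dat / GeoIPCityv6.dat links that Bro opens and verify
# they resolve to readable database files before starting Bro. The directory
# defaults to /usr/share/GeoIP, the one used in the tutorial.

# Name Bro opens -> name the GeoLite download produces (both from the tutorial).
geoip_pairs() {
    printf '%s\n' 'GeoIPCity.dat GeoLiteCity.dat' 'GeoIPCityv6.dat GeoLiteCityv6.dat'
}

# geoip_link DIR: (re)create each link idempotently, but only when its
# target database actually exists; a dangling link would not help Bro.
geoip_link() {
    dir=${1:-/usr/share/GeoIP}
    geoip_pairs | while read -r link target; do
        if [ -f "$dir/$target" ]; then
            ln -sfn "$dir/$target" "$dir/$link"
        else
            echo "missing database: $dir/$target" >&2
        fi
    done
}

# geoip_check DIR: return 0 only if every name Bro opens resolves to a
# readable regular file; otherwise print the same complaint Bro would write
# to stderr.log and return 1.
geoip_check() {
    dir=${1:-/usr/share/GeoIP}
    rc=0
    for link in $(geoip_pairs | cut -d' ' -f1); do
        if [ -f "$dir/$link" ] && [ -r "$dir/$link" ]; then
            echo "ok: $dir/$link"
        else
            echo "Failed to open GeoIP database: $dir/$link" >&2
            rc=1
        fi
    done
    return $rc
}

# Run as root:  sh geoip-links.sh --run [DIR]
if [ "${1:-}" = "--run" ]; then
    geoip_link "${2:-}"
    geoip_check "${2:-}"
fi
```

Run it once after the databases are in place and before `broctl start`; a non-zero exit means Bro would silently fall back to the country database (or no database at all), exactly the condition the stderr.log lines above report.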

Step Four - Installing Bro-IDS


Now we will download Bro-IDS. We will build and install the application from source: download the source tarball, extract it, configure and build it, and perform a make install.

As root we can download and extract the Bro-IDS tarball with the following commands. The download is over plain HTTP, which gives no integrity guarantee, so compare the tarball against the checksum or signature the project publishes for the release before building it as root:

wget http://www.bro.org/downloads/release/bro-2.2.tar.gz
tar -xvzf bro-2.2.tar.gz

To build the application, we change into the source directory with the cd bro-2.2 command and set the directory we intend to install Bro-IDS into with the --prefix= option. In the example below, we plan to install Bro-IDS into /nsm/bro with the command ./configure --prefix=/nsm/bro. Building as root is not required; only make install needs write access to the prefix. The following is a complete example of configuring, building, and installing the Bro-IDS application:

cd bro-2.2
./configure --prefix=/nsm/bro
make
make install

No errors? Good. Now add bro to your PATH:

export PATH=/nsm/bro/bin:$PATH

You can also add PATH=/nsm/bro/bin:$PATH to your ~/.profile file in your home directory to make the change permanent (adjust the path if you chose a different --prefix).

Configuring Bro-IDS


Bro is a powerful tool. For the most basic installation, we will follow the documentation on the project page.

Using your favorite editor, modify the following three files:

  • $PREFIX/etc/node.cfg -> Configure the network interface to monitor (e.g., interface=eth0)

  • $PREFIX/etc/networks.cfg -> Configure the local networks (e.g., 10.0.0.0/8 Private IP space)

  • $PREFIX/etc/broctl.cfg -> Change the MailTo address and the log rotation

Note: $PREFIX is used to reference the Bro-IDS installation root directory, which is whatever you passed to ./configure --prefix=. From the example above, replace $PREFIX with /nsm/bro (e.g., /nsm/bro/etc/node.cfg).

Configuring the node.cfg file


Assuming your system is set up with a single interface, the default node.cfg should be good to go except for possibly changing the sniffing interface. For example, if you run ifconfig and see something like the following:

root@brodemo:/nsm/bro/etc# ifconfig
eth0      Link encap:Ethernet  HWaddr 04:01:10:15:fa:01  
          inet addr:162.243.XXX.XXX  Bcast:162.243.XXX.XXX  Mask:255.255.255.0
          inet6 addr: fe80::601:10ff:fe15:fa01/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:998663 errors:0 dropped:0 overruns:0 frame:0
          TX packets:27341 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:130635788 (130.6 MB)  TX bytes:4043010 (4.0 MB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:2174 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2174 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:114442 (114.4 KB)  TX bytes:114442 (114.4 KB)


From this example we see that the system has one interface, eth0, and the default configuration should be good with only the following lines uncommented. Keep in mind that Bro only sees packets that traverse the interface it sniffs; on a single VPS with no SPAN or mirror port, that means only the host's own traffic:

root@brodemo:~# cat /nsm/bro/etc/node.cfg 
# Example BroControl node configuration.
#
# This example has a standalone node ready to go except for possibly changing
# the sniffing interface.

# This is a complete standalone configuration.  Most likely you will
# only need to change the interface.
[bro]
type=standalone
host=localhost
interface=eth0

## Below is an example clustered configuration. If you use this,
## remove the [bro] node above.

#[manager]
#type=manager
#host=host1
#
#[proxy-1]
#type=proxy
#host=host1
#
#[worker-1]
#type=worker
#host=host2
#interface=eth0
#
#[worker-2]
#type=worker
#host=host3
#interface=eth0
#
#[worker-3]
#type=worker
#host=host4
#interface=eth0

Configuring the networks.cfg file


Assuming your system is configured with one network interface as shown above, the default networks.cfg should be good. This file lists the local/private networks; BroControl turns it into Site::local_nets, which decides which addresses count as local in Bro's logs and scripts. The shipped defaults only cover RFC 1918 space, so on a VPS with a public address like the one shown above, add that address (or its subnet) if you want Bro to treat the host itself as local:

root@brodemo:~# cat /nsm/bro/etc/networks.cfg 
# List of local networks in CIDR notation, optionally followed by a
# descriptive tag.
# For example, "10.0.0.0/8" or "fe80::/64" are valid prefixes.

10.0.0.0/8          Private IP space
192.168.0.0/16      Private IP space

Configuring the broctl.cfg file


The broctl.cfg file is where you configure the recipient address for all emails sent out by Bro and BroControl (MailTo), the log rotation interval, and other settings.
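Two of the three files above fail silently when they are wrong: a mistyped interface= makes Bro start and report "running" while capturing nothing, and a malformed or mis-scoped prefix in networks.cfg skews every local-versus-remote decision in the logs. The following pre-flight check is an added example, not code from the original tutorial or from BroControl; it validates node.cfg and networks.cfg before you run broctl install. It assumes the /nsm/bro prefix and the standalone layout used in the tutorial, and it looks interfaces up under /sys/class/net (the NET_SYSFS variable is an assumption of this script, there so the check can be pointed at another directory).

```shell
#!/bin/sh
# Added example (not part of the tutorial or of BroControl): sanity-check the
# two files BroControl reads before "broctl install". Defaults assume the
# /nsm/bro prefix and the standalone node layout shown in the tutorial.

NET_SYSFS=${NET_SYSFS:-/sys/class/net}   # assumption: overridable for testing

# valid_cidr PREFIX: 0 for a syntactically valid IPv4 (strict) or IPv6 (loose) CIDR.
valid_cidr() {
    cidr=$1
    addr=${cidr%/*}; plen=${cidr##*/}
    [ "$addr" != "$cidr" ] || return 1                 # no "/" at all
    case $plen in ''|*[!0-9]*) return 1 ;; esac        # prefix length must be numeric
    case $addr in
        *:*)   # IPv6: hex groups and colons only, prefix length 0-128
            case $addr in *[!0-9a-fA-F:]*) return 1 ;; esac
            [ "$plen" -le 128 ] ;;
        *)     # IPv4: exactly four numeric octets, each 0-255, prefix length 0-32
            [ "$plen" -le 32 ] || return 1
            old_ifs=$IFS; IFS=.
            set -- $addr
            IFS=$old_ifs
            [ $# -eq 4 ] || return 1
            for o in "$@"; do
                case $o in ''|*[!0-9]*) return 1 ;; esac
                [ "$o" -le 255 ] || return 1
            done ;;
    esac
}

# check_networks FILE: every non-comment, non-blank line must begin with a
# valid CIDR prefix (the rest of the line is the optional descriptive tag).
check_networks() {
    file=$1
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|\#*) continue ;; esac
        set -- $line
        if ! valid_cidr "$1"; then
            echo "networks.cfg: bad prefix '$1'" >&2
            rc=1
        fi
    done < "$file"
    return $rc
}

# check_node FILE: a standalone node needs type=standalone and an interface=
# that actually exists on this host (commented "#interface=" lines are ignored).
check_node() {
    file=$1
    ntype=$(sed -n 's/^[[:space:]]*type=[[:space:]]*//p' "$file" | head -n 1)
    iface=$(sed -n 's/^[[:space:]]*interface=[[:space:]]*//p' "$file" | head -n 1)
    [ "$ntype" = standalone ] || { echo "node.cfg: expected type=standalone, got '$ntype'" >&2; return 1; }
    [ -n "$iface" ] || { echo "node.cfg: no interface= set" >&2; return 1; }
    [ -e "$NET_SYSFS/$iface" ] || { echo "node.cfg: interface '$iface' not found on this host" >&2; return 1; }
}

# preflight PREFIX: run both checks, report every problem, fail if any.
preflight() {
    prefix=${1:-/nsm/bro}
    ok=0
    check_node "$prefix/etc/node.cfg" || ok=1
    check_networks "$prefix/etc/networks.cfg" || ok=1
    return $ok
}

# Usage:  sh bro-preflight.sh --run [PREFIX]
if [ "${1:-}" = "--run" ]; then
    preflight "${2:-}" && echo "preflight ok: safe to run broctl install"
fi
```

The IPv6 check is deliberately loose (hex digits, colons and a prefix length up to 128) since the point is to catch the common mistakes, a missing /length or an octet out of range, not to be a full address parser. Run it after every edit to node.cfg or networks.cfg, before broctl install.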

Step Five - Starting Bro-IDS


Next, we need to launch the broctl shell, from which you can execute Bro commands. As root, type broctl; if you did not set the PATH as noted above, run it via its full path, /nsm/bro/bin/broctl:

# broctl 
warning: cannot read '/nsm/bro/spool/broctl.dat' (this is ok on first run)

Welcome to BroControl 1.2

Type "help" for help.

[BroControl] > 

The first command to run, since this is a new installation, is install. We will then run start, followed by status to verify that Bro-IDS is running:

[BroControl] > install
warning: cannot read '/nsm/bro/spool/broctl.dat' (this is ok on first run)
creating policy directories ... done.
installing site policies ... done.
generating standalone-layout.bro ... done.
generating local-networks.bro ... done.
generating broctl-config.bro ... done.
updating nodes ... done.
[BroControl] > start
starting bro ...
[BroControl] > status
Name       Type       Host       Status        Pid    Peers  Started              
bro        standalone localhost  running       15837  0      10 Feb 20:57:35  
[BroControl] > 

You now have Bro-IDS running on your system. Note that broctl start does not survive a reboot and nothing restarts Bro if it dies; the author's comment below covers the /etc/rc.local entry and the broctl cron job that handle this. Check out the documentation page for further information.

Article submitted by: @schwartz1375 (https://twitter.com/schwartz1375)

9 Comments



“$PREFIX/etc/broctl.cfg -> Change the MailTo address and the log rotation”

Does anybody have this working? I have been searching for a way for Bro-IDS to send notifications via email, but still no luck.

Would it be possible to have this article updated to Ubuntu 16.04?

Thank you!

Hi lads, I got an error on the make step:

[ 75%] Building CXX object src/CMakeFiles/bro.dir/ChunkedIO.cc.o
/root/bro-2.4.1/src/ChunkedIO.cc: In member function ‘virtual bool ChunkedIOSSL::Init()’:
/root/bro-2.4.1/src/ChunkedIO.cc:712:34: error: ‘SSLv3_method’ was not declared in this scope
ctx = SSL_CTX_new(SSLv3_method());
                                 ^

Any clue?

Thank you. That was helpful. BRO is up and running now.

Thanks for the great guide as it helped me get Bro installed myself. matthew.r.schwartz’s trick regarding the cron job was also a great help. I recently figured out how to install Bro on Ubuntu 14.04. Guide can be found here: http://knowm.org/how-to-install-bro-network-security-monitor-on-ubuntu/ I hope this can help anyone else! Cheers.

Has anyone managed to get this running on Ubuntu 14.10? I tried installing the .deb and ran into issues with libgcc1 and libc6; I don’t have the exact errors handy.

I’ve installed bro 2.3 on Kali Linux. However, when I run broctl, bro will not load. I have to type:

python broctl

I’m now trying to run a scan on PCAP files fired from packet replay. Again, bro will not load; even if I enter "#python bro -r filename.pcap" I get a “syntax error on line 1” message.

Please help TL

I have already installed the Bro software but I am not able to run the bro command. In the exercise at this link: http://www.bro.org/bro-workshop-2011/exercises/getting-started/index.html I am unable to run the eighth step. The following command is not working:

bro -r dns-session.pcap

It shows the following error: fatal error: bro: problem with trace file dns-session.pcap - dns-session.pcap: No such file or directory

Also, I am not able to see the log files mentioned in the seventh step by executing the command: gunzip -dc <PREFIX>/logs/2011-11-08/dns.* | less

What path I need to give here is confusing me.

Also, the path /nsm/bro/bin you mention works properly, but I’m not able to put the files inside it which are needed to run the other commands.

Awaiting your help.

I should have also mentioned that the Bro-IDS installation process doesn’t configure the system to start Bro when the system boots. This can be accomplished by adding:

‘$PREFIX/broctl start’ (i.e. /nsm/bro/bin/broctl start) to /etc/rc.local

Additionally, Bro recommends inserting the following entry into crontab:

0-59/5 * * * * $PREFIX/bin/broctl cron

“This will perform a number of regular housekeeping tasks, including verifying that the process is still running (and restarting if not in case of any abnormal termination).” - http://www.bro.org/sphinx/quickstart/index.html
