This article covers a version of Ubuntu that is no longer supported. If you are currently operate a server running Ubuntu 12.04, we highly recommend upgrading or migrating to a supported version of Ubuntu:
Reason: Ubuntu 12.04 reached end of life (EOL) on April 28, 2017 and no longer receives security patches or updates. This guide is no longer maintained.
See Instead: This guide might still be useful as a reference, but may not work on other Ubuntu releases. If available, we strongly recommend using a guide written for the version of Ubuntu you are using. You can use the search functionality at the top of the page to find a more recent version.
“Bro has originally been developed by Vern Paxson, who continues to lead the project now jointly with a core team of researchers and developers at the International Computer Science Institute in Berkeley, CA; and the National Center for Supercomputing Applications in Urbana-Champaign, IL.” ^1 Liam Randall stated during a Shmoocon 2013 presentation that “Bro-IDS is only the first great application to be written in the Bro network programming language.” In other words, Bro itself is not an IDS; rather, it’s a scripting platform that is designed to work with network traffic.
The Bro framework differs from many traditional IDS as it’s designed to be flexible and efficient while being highly stageful with analyzer for multiple protocols regardless of the port they are running on. Bro-IDS spans the full range from packet capture, traffic inspection, flow recording, data alerting, and scripting. Additionally, the Bro network security monitoring framework provides the professional with comprehensive logs to drive analysis and insight into transactional data on the network. While open source, commercial supported is available by Broalla
Once you login to your VPS, you should ensure your OS is up to date by executing the following command as root:
apt-get update && apt-get upgrade
If the kernel was updated during this process you should reboot your instance prior to proceeding.
Next, we need to install the required dependencies by doing the following command as root. For additional information on Required Dependencies
apt-get install cmake make gcc g++ flex bison libpcap-dev libgeoip-dev libssl-dev python-dev zlib1g-dev libmagic-dev swig2.0
Some of these packages may already be installed; however, it does not hurt to list all the requirements. apt-get will grab the missing ones and install them for us.
Bro can leverage the GeoIP library, which we already installed above (libgeoip-dev). To accomplish this we need to install the GeoLite database before starting Bro.
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCityv6-beta/GeoLiteCityv6.dat.gz
gunzip GeoLiteCity.dat.gz
gunzip GeoLiteCityv6.dat.gz
Next we need to move the database files to the /usr/share/GeoIP/
directory by executing the following commands:
mv GeoLiteCity.dat /usr/share/GeoIP/GeoLiteCity.dat
mv GeoLiteCityv6.dat /usr/share/GeoIP/GeoLiteCityv6.dat
Now we need to create a link for the GeoLiteCit.dat and GeorLiteCityv6.data files to GeoIPCity.dat and GeoIPCityv6.dat respectively. If we build Bro with LibGeoIP installed, but fail to link the files, we will see the following type of errors in /nsm/bro/logs/current/stderr.log
1392083947.452043 Failed to open GeoIP database: /usr/share/GeoIP/GeoIPCity.dat
1392083947.452043 Fell back to GeoIP Country database
1392083947.452043 Failed to open GeoIP database: /usr/share/GeoIP/GeoIPCityv6.dat
To link the files execute the following commands:
ln -s /usr/share/GeoIP/GeoLiteCity.dat /usr/share/GeoIP/GeoIPCity.dat
ln -s /usr/share/GeoIP/GeoLiteCityv6.dat /usr/share/GeoIP/GeoIPCityv6.dat
Now we will download bro-ids. To accomplish this, we will download and install the application from source. This is done by downloading the source tarball and extracting and performing a make install.
As root we can download and extract the Bro-IDS tarball with the following commands:
wget http://www.bro.org/downloads/release/bro-2.2.tar.gz
tar -xvzf bro-2.2.tar.gz
To build the application, we change directories with the cd bro-2.2
command and set the directory we intend to install the Bro-IDS application by setting --prefix=
option. In the example below, we plan to install Bro-IDS into /nsm/bro with with the following command ./configure --prefix=/nsm/bro
. The following is a complete example of configuring, building, and installing the Bro-IDS application:
cd bro-2.2
./configure --prefix=/nsm/bro
make
make install
No errors? Good. now add bro to your PATH.
export PATH=/nsm/bro/bin:$PATH
You can also add PATH=/opt/bro2/bin:$PATH
to your ~/.profile
file in your home directory to make the change permanent.
Bro is a powerful tool. For the most basic of installation steps, we will follow the documentation on the project page.
Using your favorite editor modify the following 3 files:
$PREFIX/etc/node.cfg -> Configure the network interface to monitor (i.e. interface=eth0)
$PREFIX/etc/networks.cfg -> Configure the local networks (i.e. 10.0.0.0/8 Private IP space )
$PREFIX/etc/broctl.cfg -> Change the MailTo address and the log rotation
Note: $PREFIX is used to reference the Bro-IDS installation root directory, which by based upon what you set on the ./configure --prefix=
to. From the example above replace $PREFIX
with /nsm/bro
(i.e. nsm/bro/etc/node.cfg
)
Assuming your system is setup with a single interface, the default node.cfg should be good to go except for possibly changing the sniffing interface. For Example if ifconfig
and you see something like the following:
root@brodemo:/nsm/bro/etc# ifconfig
eth0 Link encap:Ethernet HWaddr 04:01:10:15:fa:01
inet addr:162.243.XXX.XXX Bcast:162.243.XXX.XXX Mask:255.255.255.0
inet6 addr: fe80::601:10ff:fe15:fa01/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:998663 errors:0 dropped:0 overruns:0 frame:0
TX packets:27341 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:130635788 (130.6 MB) TX bytes:4043010 (4.0 MB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:2174 errors:0 dropped:0 overruns:0 frame:0
TX packets:2174 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:114442 (114.4 KB) TX bytes:114442 (114.4 KB)
From this example we see that the system has one interface eth0 and the default configuration should be good with only the following lines uncommented:
root@brodemo:~# cat /nsm/bro/etc/node.cfg
# Example BroControl node configuration.
#
# This example has a standalone node ready to go except for possibly changing
# the sniffing interface.
# This is a complete standalone configuration. Most likely you will
# only need to change the interface.
[bro]
type=standalone
host=localhost
interface=eth0
## Below is an example clustered configuration. If you use this,
## remove the [bro] node above.
#[manager]
#type=manager
#host=host1
#
#[proxy-1]
#type=proxy
#host=host1
#
#[worker-1]
#type=worker
#host=host2
#interface=eth0
#
#[worker-2]
#type=worker
#host=host3
#interface=eth0
#
#[worker-3]
#type=worker
#host=host4
#interface=eth0
Assuming your system is configured with one network interface as shown above the networks.cfg should be good, as this file is used to configure the local/private networks.
root@brodemo:~# cat /nsm/bro/etc/networks.cfg
# List of local networks in CIDR notation, optionally followed by a
# descriptive tag.
# For example, "10.0.0.0/8" or "fe80::/64" are valid prefixes.
10.0.0.0/8 Private IP space
192.168.0.0/16 Private IP space
The broctl.cfg file is where you can configure the recipient address for all emails send out by Bro and BroControl, and log rotation intervals among other features.
Next, we need to launch the broctl shell, from where you can execute bro commands. As root type broctl
, if you did not set the path as noted above, you can use the execute command via its full path /nsm/bro/bin/broctl
# broctl
warning: cannot read '/nsm/bro/spool/broctl.dat' (this is ok on first run)
Welcome to BroControl 1.2
Type "help" for help.
[BroControl] >
The first command to run, since this is a new installation, is to run install. We will then run start followed by status verify Bro-IDS is running
[BroControl] > install
warning: cannot read '/nsm/bro/spool/broctl.dat' (this is ok on first run)
creating policy directories ... done.
installing site policies ... done.
generating standalone-layout.bro ... done.
generating local-networks.bro ... done.
generating broctl-config.bro ... done.
updating nodes ... done.
[BroControl] > start
starting bro ...
[BroControl] > status
Name Type Host Status Pid Peers Started
bro standalone localhost running 15837 0 10 Feb 20:57:35
[BroControl] >
You now have Bro-IDS running on your system. Check out the documentation page for further information.
<div class=“author”>Article Submitted by: <a href=“https://twitter.com/schwartz1375”>@schwartz1375</a></div>
Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
Sign up for Infrastructure as a Newsletter.
Working on improving health and education, reducing inequality, and spurring economic growth? We'd like to help.
Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.
“$PREFIX/etc/broctl.cfg -> Change the MailTo address and the log rotation”
anybody works using this? i have been searching for bro ids to be able to send notification via email, however still unfortunate
Would it be possible to have this article updated to Ubuntu 16.04?
Thank you!
Hi lads, i got an error on make step: [ 75%] Building CXX object src/CMakeFiles/bro.dir/ChunkedIO.cc.o /root/bro-2.4.1/src/ChunkedIO.cc: In member function ‘virtual bool ChunkedIOSSL:
:Init()’: /root/bro-2.4.1/src/ChunkedIO.cc:712:34: error: ‘SSLv3_method’ was not declaredv in this scope ctx = SSL_CTX_new(SSLv3_method()); ^ Any clue?
Thank you. That was helpful. BRO is up and running now.
Thanks for the great guide as it helped me get Bro installed myself. matthew.r.schwartz’s trick regarding the cron job was also a great help. I recently figured out how to install Bro on Ubuntu 14.04. Guide can be found here: http://knowm.org/how-to-install-bro-network-security-monitor-on-ubuntu/ I hope this can help anyone else! Cheers.
Has anyone managed to get this running on Ubuntu 14.10? I tried install the .deb and ran into issues with libgcc1 and libc6 – don’t have the exact errors handy.
I’ve installed bro 2.3 onto Kali Linux. However when I run broctl, bro will not load. I have to type:
python broctl
I’m now trying to run a scan on PCAP files fired from packet replay. Again, bro will not load, even if I enter "#python bro -r filename.pcap I get a “sytanx error on line 1” message.
Please help TL
I have already installed Bro software but I am not able to run bro command. In the exercise uploaded on the link: http://www.bro.org/bro-workshop-2011/exercises/getting-started/index.html I am unable to run eighth step. Following command is not working:
bro -r dns-session.pcap
it shows following error: fatal error: bro: problem with trace file dns-session.pcap - dns-session.pcap: No such file or directory
Also I am not able to see log files mentioned in seventh step by executing the command: gunzip -dc <PREFIX>/logs/2011-11-08/dns.* | less
What path I need to give here is confusing me.
Also the path /nsm/bro/bin you mention works properly. but m not able to put the files inside it which is needed to run other command
Awaiting for your help.
I should have also mentioned that the Bro-IDS installation process doesn’t configure the system to start bro when the system boots. This can be accomplished by adding:
‘$PREFIX/broctl start’ (i.e. /nsm/bro/bin/broctl start) to /etc/rc.local
Additionally Bro recommends to insert the following entry into crontab:
0-59/5 * * * * $PREFIX/bin/broctl cron
“This will perform a number of regular housekeeping tasks, including verifying that the process is still running (and restarting if not in case of any abnormal termination).” - http://www.bro.org/sphinx/quickstart/index.html