This article covers a version of Ubuntu that is no longer supported. If you currently operate a server running Ubuntu 12.04, we highly recommend upgrading or migrating to a supported version of Ubuntu:
Reason: Ubuntu 12.04 reached end of life (EOL) on April 28, 2017 and no longer receives security patches or updates. This guide is no longer maintained.
See Instead: This guide might still be useful as a reference, but it may not work on other Ubuntu releases. If available, we strongly recommend using a guide written for the version of Ubuntu you are using. You can use the search functionality at the top of the page to find a more recent version.
“Bro has originally been developed by Vern Paxson, who continues to lead the project now jointly with a core team of researchers and developers at the International Computer Science Institute in Berkeley, CA; and the National Center for Supercomputing Applications in Urbana-Champaign, IL.” ^1 Liam Randall stated during a Shmoocon 2013 presentation that “Bro-IDS is only the first great application to be written in the Bro network programming language.” In other words, Bro itself is not an IDS; rather, it’s a scripting platform that is designed to work with network traffic.
The Bro framework differs from many traditional IDSs in that it is designed to be flexible and efficient while remaining highly stateful, with analyzers for multiple protocols regardless of the port they run on. Bro-IDS spans the full range from packet capture, traffic inspection and flow recording to alerting and scripting. Additionally, the Bro network security monitoring framework provides the professional with comprehensive logs to drive analysis and insight into transactional data on the network. While open source, commercial support is available from Broala.
Once you log in to your VPS, ensure your OS is up to date by running the following command as root:
apt-get update && apt-get upgrade
If the kernel was updated during this process you should reboot your instance prior to proceeding.
Next, we need to install the required dependencies by running the following command as root. For additional information, see the Required Dependencies section of the Bro documentation.
apt-get install cmake make gcc g++ flex bison libpcap-dev libgeoip-dev libssl-dev python-dev zlib1g-dev libmagic-dev swig2.0
Some of these packages may already be installed; however, it does not hurt to list all the requirements. apt-get will grab the missing ones and install them for us.
Bro can leverage the GeoIP library, which we already installed above (libgeoip-dev). To use it, we need to install the GeoLite City databases before starting Bro:
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCityv6-beta/GeoLiteCityv6.dat.gz
gunzip GeoLiteCity.dat.gz
gunzip GeoLiteCityv6.dat.gz
Next we need to move the database files to the /usr/share/GeoIP/ directory by executing the following commands:
mv GeoLiteCity.dat /usr/share/GeoIP/GeoLiteCity.dat
mv GeoLiteCityv6.dat /usr/share/GeoIP/GeoLiteCityv6.dat
Now we need to create links from the GeoLiteCity.dat and GeoLiteCityv6.dat files to GeoIPCity.dat and GeoIPCityv6.dat respectively, which are the names Bro looks for. If we build Bro with libGeoIP installed but fail to link the files, we will see errors of the following type in Bro's logs:
1392083947.452043 Failed to open GeoIP database: /usr/share/GeoIP/GeoIPCity.dat
1392083947.452043 Fell back to GeoIP Country database
1392083947.452043 Failed to open GeoIP database: /usr/share/GeoIP/GeoIPCityv6.dat
To link the files execute the following commands:
ln -s /usr/share/GeoIP/GeoLiteCity.dat /usr/share/GeoIP/GeoIPCity.dat
ln -s /usr/share/GeoIP/GeoLiteCityv6.dat /usr/share/GeoIP/GeoIPCityv6.dat
Now we will download Bro-IDS and install it from source: download the source tarball, extract it, build it, and perform a make install.
As root we can download and extract the Bro-IDS tarball with the following commands:
wget http://www.bro.org/downloads/release/bro-2.2.tar.gz
tar -xvzf bro-2.2.tar.gz
To build the application, change into the source directory with cd bro-2.2 and set the directory where Bro-IDS will be installed with the --prefix= option. In the example below, we install Bro-IDS into /nsm/bro with ./configure --prefix=/nsm/bro. The following is a complete example of configuring, building, and installing the Bro-IDS application:
cd bro-2.2
./configure --prefix=/nsm/bro
make
make install
No errors? Good. Now add Bro's bin directory (under the --prefix you chose) to your PATH:
export PATH=/nsm/bro/bin:$PATH
You can also add PATH=/nsm/bro/bin:$PATH to the ~/.profile file in your home directory to make the change permanent.
Bro is a powerful tool. For the most basic installation steps, we will follow the documentation on the project page.
Using your favorite editor, modify the following 3 files:
$PREFIX/etc/node.cfg -> Configure the network interface to monitor (e.g. interface=eth0)
$PREFIX/etc/networks.cfg -> Configure the local networks (e.g. 10.0.0.0/8 Private IP space)
$PREFIX/etc/broctl.cfg -> Change the MailTo address and the log rotation
Note: $PREFIX refers to the Bro-IDS installation root directory, which is whatever you passed to ./configure --prefix=. From the example above, replace $PREFIX with /nsm/bro.
Assuming your system is set up with a single interface, the default node.cfg should be good to go except for possibly changing the sniffing interface. For example, if you run ifconfig and see something like the following:
root@brodemo:/nsm/bro/etc# ifconfig
eth0      Link encap:Ethernet  HWaddr 04:01:10:15:fa:01
          inet addr:162.243.XXX.XXX  Bcast:162.243.XXX.XXX  Mask:255.255.255.0
          inet6 addr: fe80::601:10ff:fe15:fa01/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:998663 errors:0 dropped:0 overruns:0 frame:0
          TX packets:27341 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:130635788 (130.6 MB)  TX bytes:4043010 (4.0 MB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:2174 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2174 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:114442 (114.4 KB)  TX bytes:114442 (114.4 KB)
From this example we see that the system has one interface, eth0, so the default configuration should be fine with only the following lines uncommented:
root@brodemo:~# cat /nsm/bro/etc/node.cfg
# Example BroControl node configuration.
#
# This example has a standalone node ready to go except for possibly changing
# the sniffing interface.

# This is a complete standalone configuration.  Most likely you will
# only need to change the interface.
[bro]
type=standalone
host=localhost
interface=eth0

## Below is an example clustered configuration. If you use this,
## remove the [bro] node above.

#[manager]
#type=manager
#host=host1
#
#[proxy-1]
#type=proxy
#host=host1
#
#[worker-1]
#type=worker
#host=host2
#interface=eth0
#
#[worker-2]
#type=worker
#host=host3
#interface=eth0
#
#[worker-3]
#type=worker
#host=host4
#interface=eth0
Assuming your system is configured with one network interface as shown above, the default networks.cfg should also be fine; this file lists the local/private networks.
root@brodemo:~# cat /nsm/bro/etc/networks.cfg
# List of local networks in CIDR notation, optionally followed by a
# descriptive tag.
# For example, "10.0.0.0/8" or "fe80::/64" are valid prefixes.

10.0.0.0/8          Private IP space
192.168.0.0/16      Private IP space
The broctl.cfg file is where you configure the recipient address for all emails sent out by Bro and BroControl, the log rotation interval, and other settings.
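Before launching BroControl it is worth confirming that the GeoIP links and the node.cfg / networks.cfg edits above are what Bro expects. The following added example is not from the original tutorial or the Bro project: it is a small POSIX sh script that assumes the tutorial's paths (/nsm/bro and /usr/share/GeoIP) and the file names shown above, and it needs only awk.

```shell
#!/bin/sh
# Added example (not from the original tutorial): sanity checks for the GeoIP
# links and the node.cfg / networks.cfg edits; defaults assume the tutorial's paths.
PREFIX="${PREFIX:-/nsm/bro}"
GEOIP_DIR="${GEOIP_DIR:-/usr/share/GeoIP}"
# 0 if GeoIPCity.dat and GeoIPCityv6.dat are links to readable, non-empty
# files; otherwise Bro reports "Failed to open GeoIP database" at startup.
check_geoip_links() {
    for name in GeoIPCity.dat GeoIPCityv6.dat; do
        f="$1/$name"
        [ -L "$f" ] && [ -r "$f" ] && [ -s "$f" ] || return 1
    done
}
# Print interface= from the [bro] section only, so the commented-out
# cluster example further down in node.cfg is ignored.
node_cfg_interface() {
    awk -F= '/^\[/ { in_bro = ($0 == "[bro]") }
             in_bro && $1 == "interface" { print $2; exit }' "$1"
}
# 0 if the interface exists on this host (Linux sysfs).
interface_exists() { [ -d "/sys/class/net/$1" ]; }
# 0 if "$1" is a well-formed IPv4 or IPv6 CIDR prefix such as 10.0.0.0/8.
valid_cidr() {
    printf '%s\n' "$1" | awk -F/ '
        NF != 2 || $2 !~ /^[0-9]+$/ { exit 1 }
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            split($1, o, ".")
            for (i = 1; i <= 4; i++) if (o[i] + 0 > 255) exit 1
            exit ($2 + 0 > 32)
        }
        $1 ~ /:/ && $1 ~ /^[0-9a-fA-F:]+$/ { exit ($2 + 0 > 128) }
        { exit 1 }'
}
# 0 if every non-comment, non-blank line of networks.cfg starts with a
# valid prefix; offending lines are printed so they can be fixed.
check_networks_cfg() {
    bad=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        valid_cidr "${line%%[[:space:]]*}" || { echo "bad prefix: $line"; bad=1; }
    done < "$1"
    return "$bad"
}
# Run every check against the live install (call run_checks explicitly).
run_checks() {
    check_geoip_links "$GEOIP_DIR" || echo "GeoIP links missing in $GEOIP_DIR"
    iface=$(node_cfg_interface "$PREFIX/etc/node.cfg")
    interface_exists "$iface" || echo "node.cfg interface '$iface' not on this host"
    check_networks_cfg "$PREFIX/etc/networks.cfg"
}
```

Source the file and call run_checks as root after editing the three files; any message it prints points at a mistake that would otherwise only surface as a warning after broctl install or start.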
Next, we need to launch the broctl shell, from which you can execute Bro commands. As root, type broctl; if you did not set the PATH as noted above, you can run the command via its full path, /nsm/bro/bin/broctl:
# broctl
warning: cannot read '/nsm/bro/spool/broctl.dat' (this is ok on first run)

Welcome to BroControl 1.2

Type "help" for help.

[BroControl] >
The first command to run on a new installation is install. We then run start, followed by status to verify that Bro-IDS is running:
[BroControl] > install
warning: cannot read '/nsm/bro/spool/broctl.dat' (this is ok on first run)
creating policy directories ... done.
installing site policies ... done.
generating standalone-layout.bro ... done.
generating local-networks.bro ... done.
generating broctl-config.bro ... done.
updating nodes ... done.
[BroControl] > start
starting bro ...
[BroControl] > status
Name         Type         Host          Status    Pid    Peers  Started
bro          standalone   localhost     running   15837  0      10 Feb 20:57:35
[BroControl] >
You now have Bro-IDS running on your system. Check out the documentation page for further information.