Status: Deprecated

This article covers a version of Ubuntu that is no longer supported. If you currently operate a server running Ubuntu 12.04, we highly recommend upgrading or migrating to a supported version of Ubuntu:

Reason:

Ubuntu 12.04 reached end of life (EOL) on April 28, 2017 and no longer receives security patches or updates. This guide is no longer maintained.

See Instead:

This guide might still be useful as a reference, but may not work on other Ubuntu releases. If available, we strongly recommend using a guide written for the version of Ubuntu you are using. You can use the search functionality at the top of the page to find a more recent version.

Introduction

"Bro has originally been developed by Vern Paxson, who continues to lead the project now jointly with a core team of researchers and developers at the International Computer Science Institute in Berkeley, CA; and the National Center for Supercomputing Applications in Urbana-Champaign, IL." ^1 Liam Randall stated during a Shmoocon 2013 presentation that “Bro-IDS is only the first great application to be written in the Bro network programming language.” In other words, Bro itself is not an IDS; rather, it’s a scripting platform that is designed to work with network traffic.

The Bro framework differs from many traditional IDSs in that it is designed to be flexible and efficient while remaining highly stateful, with analyzers for many protocols that are recognized by their content rather than by the port they run on. Bro-IDS spans packet capture, traffic inspection, flow recording, alerting, and scripting. Additionally, the Bro network security monitoring framework provides comprehensive logs that give the analyst insight into transactional data on the network. While open source, commercial support is available from Broala.

Step One - Updating the OS

Once you login to your VPS, you should ensure your OS is up to date by executing the following command as root:

~~~

apt-get update && apt-get upgrade

~~~

If the kernel was updated during this process you should reboot your instance prior to proceeding.

Step Two - Installing Dependencies

Next, we need to install the required dependencies by running the following command as root. The Bro documentation describes the required dependencies in more detail.

~~~

apt-get install cmake make gcc g++ flex bison libpcap-dev libgeoip-dev libssl-dev python-dev zlib1g-dev libmagic-dev swig2.0

~~~

Some of these packages may already be installed; however, it does not hurt to list all the requirements. apt-get will grab the missing ones and install them for us.

Step Three - Installing LibGeoIP

Bro can leverage the GeoIP library, which we already installed above (libgeoip-dev). To accomplish this we need to install the GeoLite database before starting Bro.

Installing the GeoIPLite Database

~~~

wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz

wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCityv6-beta/GeoLiteCityv6.dat.gz

gunzip GeoLiteCity.dat.gz

gunzip GeoLiteCityv6.dat.gz

~~~

Next we need to move the database files to the /usr/share/GeoIP/ directory by executing the following commands:

~~~

mv GeoLiteCity.dat /usr/share/GeoIP/GeoLiteCity.dat

mv GeoLiteCityv6.dat /usr/share/GeoIP/GeoLiteCityv6.dat

~~~

Now we need to create links from GeoLiteCity.dat and GeoLiteCityv6.dat to GeoIPCity.dat and GeoIPCityv6.dat respectively, because those are the file names libGeoIP opens. If we build Bro with libGeoIP installed but fail to create the links, Bro still starts, but lookups fall back to the country-level database (as the second line below shows) and we will see errors like the following in /nsm/bro/logs/current/stderr.log:

~~~

1392083947.452043 Failed to open GeoIP database: /usr/share/GeoIP/GeoIPCity.dat

1392083947.452043 Fell back to GeoIP Country database

1392083947.452043 Failed to open GeoIP database: /usr/share/GeoIP/GeoIPCityv6.dat

~~~

To link the files execute the following commands:

~~~

ln -s /usr/share/GeoIP/GeoLiteCity.dat /usr/share/GeoIP/GeoIPCity.dat

ln -s /usr/share/GeoIP/GeoLiteCityv6.dat /usr/share/GeoIP/GeoIPCityv6.dat

~~~
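The linking step and the check for the stderr.log errors above, as an added example written for this article (not code from the original tutorial or from the Bro project). The directory argument is a parameter, normally /usr/share/GeoIP, so the functions can also be exercised against a scratch directory; the log path in the usage comment is the one the article uses.

```shell
#!/bin/sh
# Added example, not part of the original tutorial or the Bro project:
# link the GeoLite databases under the names libGeoIP opens, verify the
# result, and scan Bro's stderr.log for "Failed to open GeoIP database"
# messages. The directory is a parameter (normally /usr/share/GeoIP) so the
# functions can be exercised against a scratch directory.

# Create GeoIPCity.dat -> GeoLiteCity.dat and GeoIPCityv6.dat -> GeoLiteCityv6.dat
# inside $1. Refuses to create a dangling link when a source file is missing
# or empty (a truncated gunzip leaves exactly that) and returns 1 in that case.
link_geoip_dbs() {
    dir="$1"
    rc=0
    for pair in GeoLiteCity.dat:GeoIPCity.dat GeoLiteCityv6.dat:GeoIPCityv6.dat; do
        src="$dir/${pair%%:*}"
        dst="$dir/${pair##*:}"
        if [ ! -s "$src" ]; then
            echo "link_geoip_dbs: missing or empty database $src" >&2
            rc=1
            continue
        fi
        ln -sf "$src" "$dst"
    done
    return $rc
}

# Check that every name Bro will open resolves to a readable, non-empty file.
verify_geoip_dbs() {
    dir="$1"
    rc=0
    for name in GeoIPCity.dat GeoIPCityv6.dat; do
        if [ -r "$dir/$name" ] && [ -s "$dir/$name" ]; then
            echo "ok: $dir/$name -> $(readlink -f "$dir/$name")"
        else
            echo "FAIL: $dir/$name does not resolve to a readable database" >&2
            rc=1
        fi
    done
    return $rc
}

# After Bro has started, grep its stderr.log (normally
# /nsm/bro/logs/current/stderr.log) for GeoIP open failures.
# Returns 0 when none are present, 1 when they are (printing the lines),
# 2 if the log cannot be read at all.
geoip_errors_in_log() {
    log="$1"
    [ -r "$log" ] || { echo "geoip_errors_in_log: cannot read $log" >&2; return 2; }
    if grep -n 'Failed to open GeoIP database' "$log"; then
        return 1
    fi
    return 0
}

# Typical use on the host described in this article:
#   link_geoip_dbs /usr/share/GeoIP && verify_geoip_dbs /usr/share/GeoIP
#   geoip_errors_in_log /nsm/bro/logs/current/stderr.log
```

Run the first two functions before `broctl start` and the third after it; a non-zero exit from `geoip_errors_in_log` means Bro is running without city-level lookups even though the build found libGeoIP.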

Step Four - Installing Bro-IDS

Now we will download Bro-IDS. We will build and install the application from source: download the source tarball, extract it, configure and build it, and run make install. The tarball is fetched over plain HTTP, so verify it against the checksum or signature the project publishes for the release before building it; an unauthenticated download can be altered in transit.

As root we can download and extract the Bro-IDS tarball with the following commands:

~~~

wget http://www.bro.org/downloads/release/bro-2.2.tar.gz

tar -xvzf bro-2.2.tar.gz

~~~

To build the application, we change into the source directory with cd bro-2.2 and choose the directory Bro-IDS will be installed into by setting the --prefix= option. In the example below, we plan to install Bro-IDS into /nsm/bro, so we run ./configure --prefix=/nsm/bro. The following is a complete example of configuring, building, and installing the Bro-IDS application:

~~~

cd bro-2.2

./configure --prefix=/nsm/bro

make

make install

~~~

No errors? Good. Now add Bro to your PATH:

~~~

export PATH=/nsm/bro/bin:$PATH

~~~

You can also add export PATH=/nsm/bro/bin:$PATH to the ~/.profile file in your home directory to make the change permanent. The directory must match the --prefix you configured above.

Configuring Bro-IDS

Bro is a powerful tool. For the most basic of installation steps, we will follow the documentation on the project page.

Using your favorite editor modify the following 3 files:

  • $PREFIX/etc/node.cfg -> Configure the network interface to monitor (i.e. interface=eth0)
  • $PREFIX/etc/networks.cfg -> Configure the local networks (i.e. 10.0.0.0/8 Private IP space )
  • $PREFIX/etc/broctl.cfg -> Change the MailTo address and the log rotation

Note: $PREFIX refers to the Bro-IDS installation root directory, which is whatever you passed to ./configure --prefix=. Following the example above, replace $PREFIX with /nsm/bro (i.e. /nsm/bro/etc/node.cfg).

Configuring the node.cfg file

Assuming your system is set up with a single interface, the default node.cfg should be good to go, except for possibly changing the sniffing interface. For example, if you run ifconfig and see something like the following:

~~~

root@brodemo:/nsm/bro/etc# ifconfig

eth0 Link encap:Ethernet HWaddr 04:01:10:15:fa:01

inet addr:162.243.XXX.XXX Bcast:162.243.XXX.XXX Mask:255.255.255.0

inet6 addr: fe80::601:10ff:fe15:fa01/64 Scope:Link

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

RX packets:998663 errors:0 dropped:0 overruns:0 frame:0

TX packets:27341 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:1000

RX bytes:130635788 (130.6 MB) TX bytes:4043010 (4.0 MB)

lo Link encap:Local Loopback

inet addr:127.0.0.1 Mask:255.0.0.0

inet6 addr: ::1/128 Scope:Host

UP LOOPBACK RUNNING MTU:65536 Metric:1

RX packets:2174 errors:0 dropped:0 overruns:0 frame:0

TX packets:2174 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:0

RX bytes:114442 (114.4 KB) TX bytes:114442 (114.4 KB)

~~~

From this example we see that the system has one interface, eth0, so the default configuration is fine, with only the following lines uncommented. Keep in mind that on a VPS the interface sees only this host's own traffic; to monitor a network segment you would point interface= at a SPAN or tap port instead.

~~~

root@brodemo:~# cat /nsm/bro/etc/node.cfg

#

[bro]

type=standalone

host=localhost

interface=eth0

# Below is an example clustered configuration. If you use this,

# remove the [bro] node above.

#[manager]

#type=manager

#host=host1

#

#[proxy-1]

#type=proxy

#host=host1

#

#[worker-1]

#type=worker

#host=host2

#interface=eth0

#

#[worker-2]

#type=worker

#host=host3

#interface=eth0

#

#[worker-3]

#type=worker

#host=host4

#interface=eth0

~~~

Configuring the networks.cfg file

The networks.cfg file lists the address ranges Bro should treat as local; Bro uses it to decide which side of a connection is local when writing logs and notices. With the single-interface setup shown above the default file is sufficient, but add any other space you consider local (for example 172.16.0.0/12 if you use it, or the subnet of your own VPS), since anything not listed here is treated as remote.

~~~

root@brodemo:~# cat /nsm/bro/etc/networks.cfg

10.0.0.0/8 Private IP space

192.168.0.0/16 Private IP space

~~~

Configuring the broctl.cfg file

The broctl.cfg file is where you configure the recipient address for all emails sent out by Bro and BroControl, the log rotation interval, and other settings.

Step Five - Starting Bro-IDS

Next, we need to launch the BroControl shell, from which you can run Bro commands. As root, type broctl; if you did not set the PATH as noted above, run it via its full path, /nsm/bro/bin/broctl:

~~~

warning: cannot read '/nsm/bro/spool/broctl.dat' (this is ok on first run)

Welcome to BroControl 1.2

Type "help" for help.

[BroControl] >

~~~

Since this is a new installation, the first command to run is install. We then run start, followed by status to verify that Bro-IDS is running:

~~~

[BroControl] > install

warning: cannot read '/nsm/bro/spool/broctl.dat' (this is ok on first run)

creating policy directories … done.

installing site policies … done.

generating standalone-layout.bro … done.

generating local-networks.bro … done.

generating broctl-config.bro … done.

updating nodes … done.

[BroControl] > start

starting bro …

[BroControl] > status

Name Type Host Status Pid Peers Started

bro standalone localhost running 15837 0 10 Feb 20:57:35

[BroControl] >

~~~

You now have Bro-IDS running on your system. Check out the documentation page for further information.