Bro is a well regarded Intrusion Detection System (IDS) that I have always wanted to play with (the project has since been renamed Zeek). In this guide I will install Bro-IDS on Ubuntu and get it running for the first time.
Bro's detection focus is analysing network traffic and describing behaviour in policy scripts rather than matching signatures, so it does not get the same attention as Snort or Suricata. In many installations where network defence is taken seriously Bro actually runs alongside Snort. Richard Bejtlich of TaoSecurity is a fan; here is a video introduction.
Now let's get started on the Bro IDS installation under Ubuntu 12.04.
Grab the required packages with apt-get.
apt-get install libncurses5-dev g++ bison flex libmagic-dev libgeoip-dev libssl-dev build-essential python-dev libpcap-dev cmake swig2.0 libssl0.9.8
Some of these packages I already had installed, but it does not hurt to list all the requirements; apt-get will grab the missing ones and install them for us.
Now we will download Bro and install it from source. A stable 2.0 package is available for 64-bit Debian, however it has a dependency issue, so building from the tarball is the easier path.
So grab the source tarball, extract, build and install it (make install writes under /opt, so run it as root or with sudo).
wget http://www.bro-ids.org/downloads/release/bro-2.0.tar.gz
tar zxvf bro-2.0.tar.gz
cd bro-2.0
./configure --prefix=/opt/bro2
make
make install
No errors? Good. Now add Bro's bin directory to your PATH for the current shell:
export PATH=/opt/bro2/bin:$PATH
You can also add the same line, PATH=/opt/bro2/bin:$PATH, to the ~/.profile file in your home directory to make the change permanent.
Bro is a powerful tool; for the most basic installation steps we will follow the guide on the project page.
Edit the following files before starting ($PREFIX is the --prefix we passed to configure, /opt/bro2 here):
$PREFIX/etc/node.cfg -- configure the network interface to monitor
$PREFIX/etc/networks.cfg -- configure your local networks
$PREFIX/etc/broctl.cfg -- change the MailTo address and the log rotation interval
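Here is what those three edits look like when scripted, as an added example rather than code from the post or from the Bro project. It writes node.cfg and networks.cfg for a single standalone sensor, changes only MailTo and LogRotationInterval in the shipped broctl.cfg (so the other settings survive), and sanity-checks the result before you hand it to broctl install: the interface must exist on the host and every networks.cfg entry must be a well-formed IPv4 CIDR. The prefix /opt/bro2, interface eth0, the mail address and the two private networks are assumed values; change them for your host.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Bro project.
# Writes the BroControl config for a standalone sensor and checks it before
# "broctl install". /opt/bro2, eth0, the mail address and the network list
# used in the demo at the bottom are assumptions.

# Set "Key = value" in an ini-style file, replacing the existing line or
# appending one. Used on broctl.cfg so the other shipped settings are kept.
set_cfg_option() {
    file="$1"; key="$2"; value="$3"
    touch "$file"
    if grep -q "^$key[[:space:]]*=" "$file"; then
        sed "s|^$key[[:space:]]*=.*|$key = $value|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# Read the value of the first "Key = value" line from an ini-style file.
get_cfg_option() {
    sed -n "/^$2[[:space:]]*=/{s/^$2[[:space:]]*=[[:space:]]*//p;q;}" "$1"
}

# write_bro_config PREFIX IFACE MAILTO "CIDR description"...
write_bro_config() {
    prefix="$1"; iface="$2"; mailto="$3"; shift 3
    mkdir -p "$prefix/etc"

    # node.cfg: one standalone node sniffing one interface.
    cat > "$prefix/etc/node.cfg" <<EOF
[bro]
type=standalone
host=localhost
interface=$iface
EOF

    # networks.cfg: "CIDR  description" per line; these become Bro's local nets.
    : > "$prefix/etc/networks.cfg"
    for net in "$@"; do printf '%s\n' "$net" >> "$prefix/etc/networks.cfg"; done

    # broctl.cfg: only touch the two settings the post tells you to change.
    set_cfg_option "$prefix/etc/broctl.cfg" MailTo "$mailto"
    set_cfg_option "$prefix/etc/broctl.cfg" LogRotationInterval 3600
}

# valid_cidr a.b.c.d/n: IPv4 prefix with octets 0-255 and length 0-32.
valid_cidr() {
    addr="${1%/*}"; bits="${1#*/}"
    [ "$addr" != "$1" ] || return 1            # no "/" at all
    case "$bits" in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    oldifs="$IFS"; IFS=.; set -- $addr; IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# check_bro_config PREFIX: the interface must exist on this host (when sysfs
# is available) and every networks.cfg entry must be a valid IPv4 CIDR.
check_bro_config() {
    prefix="$1"; rc=0
    iface=$(get_cfg_option "$prefix/etc/node.cfg" interface)
    if [ -z "$iface" ]; then
        echo "node.cfg: no interface configured" >&2; rc=1
    elif [ -d /sys/class/net ] && [ ! -d "/sys/class/net/$iface" ]; then
        echo "node.cfg: interface $iface not present on this host" >&2; rc=1
    fi
    while read -r cidr _desc; do
        case "$cidr" in ''|'#'*) continue ;; esac
        valid_cidr "$cidr" || { echo "networks.cfg: bad entry '$cidr'" >&2; rc=1; }
    done < "$prefix/etc/networks.cfg"
    return "$rc"
}

# Stand-alone usage with the assumed values: write, check, then broctl install.
if [ "${1:-}" = "--demo" ]; then
    write_bro_config /opt/bro2 eth0 root@localhost \
        "10.0.0.0/8 Private IP space" "192.168.0.0/16 Private IP space" \
        && check_bro_config /opt/bro2 && echo "config ok, now run: broctl install"
fi
```

Run it as `sh bro-config.sh --demo` on the sensor (the script name is also an assumption). The CIDR check matters because a typo in networks.cfg silently misclassifies traffic as remote, and the interface check catches the common mistake of copying a config from a host whose NIC has a different name.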
To start the program, simply enter broctl at a shell. Bro needs enough privilege to open the monitored interface, so run broctl as root (or via sudo).
You are now in the BroControl shell, from which you can give Bro commands.
Since this is a new installation, the first command to run is install, which generates the policy layout from the files you just edited (re-run it whenever you change them). We will then run start.
[BroControl] > install
warning: cannot read '/opt/bro2/spool/broctl.dat' (this is ok on first run)
creating policy directories ... done.
installing site policies ... done.
generating standalone-layout.bro ... done.
generating local-networks.bro ... done.
generating broctl-config.bro ... done.
updating nodes ... done.
[BroControl] > start
starting bro ...
[BroControl] > status
Name         Type         Host         Status        Pid    Peers  Started
bro          standalone   localhost    running       22165  0      22 Aug 12:31:55
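The same install / start / status sequence can be driven from a script instead of the interactive shell, which is how you would wire it into cron or a monitoring check. The example below is added here and is not code from the post or from BroControl: it runs the first-time bring-up non-interactively and turns the status table into a pass/fail result by keying on the Type column, so it still works for cluster layouts (manager, proxy, worker nodes) and ignores the header. The path /opt/bro2 and the embedded sample status text are assumptions; the sample mirrors the table shown above.

```shell
#!/bin/sh
# Added example, not code from the original post or from BroControl.
# Non-interactive bring-up plus a health check built on "broctl status".
# /opt/bro2 and the sample status text below are assumptions.
BROCTL="${BROCTL:-/opt/bro2/bin/broctl}"

# First-time bring-up. "install" must be re-run after any edit to node.cfg,
# networks.cfg or broctl.cfg, or the sensor keeps running the old layout.
bro_bringup() {
    "$BROCTL" install && "$BROCTL" start
}

# Read "broctl status" output on stdin; print "name status" for every node
# that is not running and return 1, otherwise print nothing and return 0.
# Rows are: Name Type Host Status Pid Peers Started. Matching on the Type
# column skips the header and any chatter lines, and the "Started" column
# containing spaces does not matter because Status is always field 4.
bro_nodes_down() {
    awk '$2 ~ /^(standalone|manager|proxy|worker)$/ && $4 != "running" {
             print $1 " " $4; bad = 1
         }
         END { exit bad ? 1 : 0 }'
}

# Constructed sample: the status table of a healthy standalone sensor.
SAMPLE_OK='Name         Type         Host         Status        Pid    Peers  Started
bro          standalone   localhost    running       22165  0      22 Aug 12:31:55'

# bro_check [STATUS_TEXT]: check the given text, or live "broctl status"
# output when called with no argument (as a cron job would).
bro_check() {
    if [ $# -gt 0 ]; then
        printf '%s\n' "$1"
    else
        "$BROCTL" status
    fi | bro_nodes_down
}

# Example crontab lines (assumed script path). "broctl cron" is Bro's own
# housekeeping task (log rotation, restarting crashed nodes) and should run
# regularly on any sensor; the second line alerts if a node is not running.
#   */5 * * * * /opt/bro2/bin/broctl cron
#   */5 * * * * /usr/local/sbin/bro-check.sh || logger -p daemon.err "bro node down"
```

Calling `bro_check` with no argument runs the live check; `bro_check "$SAMPLE_OK"` exercises the parser offline. A node reported as "crashed" or "stopped" is printed with its state, so the alert message says which node needs attention.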
You now have Bro-IDS running on your system. Woo hoo. This is just the beginning, check out the guide and follow the white rabbit.