Bro-IDS Ubuntu 16.04 Install & Tutorial

Bro-ids is a powerful Intrusion Detection System (IDS) that has a focus on protocol analysis as opposed to the signature based detection employed in Snort and Suricata.

The network flow analysis of Bro IDS is often employed in conjunction with signature based IDS as it complements the detection. Bro is able to be used on high bandwidth networks as it has a very fast analysis engine. Richard Bejtlich author of the excellent "Tao of Network Security Monitoring" and TaoSecurity is a supporter.

bro-ids logo

Bro IDS Installation under Ubuntu 16.04

Grab the required packages using apt.

apt install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev libgeoip-dev

We have included the libgeoip-dev package as we are going to configure our installation with GeoIP support.

gzip -d GeoLiteCity.dat.gz
gzip -d GeoLiteCityv6.dat.gz

Move the GeoIP files to the default location /usr/share/GeoIP/. Rename them to match the location that Bro is expecting.

mv GeoLiteCity.dat /usr/share/GeoIP/GeoIPCity.dat
mv GeoLiteCityv6.dat /usr/share/GeoIP/GeoIPCityv6.dat

At the time of writing the packaged version of Bro is version 2.4.1. To run the latest version of Bro (2.6.1) you will need to install from source.

Install Bro on Ubuntu from package

sh -c "echo 'deb /' > /etc/apt/sources.list.d/bro.list"
apt update
apt install bro

Install Bro on Ubuntu from source

Download the source, extract and use the standard configure, make, make install.


tar zxvf bro-2.6.1.tar.gz
cd bro-2.6.1
make install

No errors? Good now add bro to your PATH.

export PATH=/usr/local/bro/bin:$PATH

You can also add PATH=/usr/local/bro/bin:$PATH to your ~/.profile file in your home directory to make the change permanent.

Bro is a powerful tool, to get started we will follow the guide on the project page.

Edit the following files before starting:

$PREFIX/etc/node.cfg  -- configure network interface to monitor
$PREFIX/etc/networks.cfg -- configure local networks
$PREFIX/etc/broctl.cfg -- change MailTo address and the log rotation

To start - enter broctl at a shell.

You are now in the broctl shell, from where you can give bro commands.

[BroControl] >

Since this is a new installation we run install. Then run start.

[BroControl] > install
warning: cannot read '/opt/bro2/spool/broctl.dat' (this is ok on first run)
creating policy directories ... done.
installing site policies ... done.
generating standalone-layout.bro ... done.
generating local-networks.bro ... done.
generating broctl-config.bro ... done.
updating nodes ... done.
[BroControl] > start
starting bro ...
[BroControl] > status
Name       Type       Host       Status        Pid    Peers  Started              
bro        standalone localhost  running       22165  0      22 Aug 12:31:55

You now have Bro-IDS running on your system. This is just the beginning, check out the guide and follow the white rabbit.

The next part of this experiment in an effective open source security monitoring solution is to integrate Bro with Enterprise log search and archive or ELSA (a new Splunk like logging platform) and my preferred Host IDS client OSSEC.
BRO-IDS has had a name change. Quote from "..Zeek is the new name for the long-established Bro system. Note that parts of the system retain the "Bro" name, and it also often appears in the documentation and distributions.."
Zeek logo

Next Level Your Technical Network Intelligence

Use Cases and More Info

  • 13 Vulnerability Scanners
  • 17 Free DNS & Network Tools
  • 4+ Billion Records of DNS / IP data