Bro is a powerful Intrusion Detection System (IDS) that has a focus on protocol analysis as opposed to the signature based detection employed in Snort and Suricata.
The network flow analysis of Bro IDS is often employed in conjunction with signature based IDS as it complements the detection. Bro is able to be used on high bandwidth networks as it has a very fast analysis engine. Richard Bejtlich author of the excellent "Tao of Network Security Monitoring" and TaoSecurity is a supporter.
Now lets get started on the Bro IDS Installation under Ubuntu 16.04
Grab the required packages using apt.
apt install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev libgeoip-dev
As you can see we have included the
libgeoip-dev package as we are going to configure our installation with GeoIP support.
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCityv6-beta/GeoLiteCityv6.dat.gz gzip -d GeoLiteCity.dat.gz gzip -d GeoLiteCityv6.dat.gz
Now move the GeoIP files over to the default location
/usr/share/GeoIP/, we need to rename them to match the location that Bro is expecting.
mv GeoLiteCity.dat /usr/share/GeoIP/GeoIPCity.dat mv GeoLiteCityv6.dat /usr/share/GeoIP/GeoIPCityv6.dat
Currently the packaged version of Bro is version 2.4.1 to run the latest version of Bro (2.5.1) you will need to install from source.
Install Bro on Ubuntu from package
sh -c "echo 'deb http://download.opensuse.org/repositories/network:/bro/xUbuntu_16.04/ /' > /etc/apt/sources.list.d/bro.list" apt update apt install bro
Install Bro on Ubuntu from source
Download the source, extract and use the standard configure, make, make install.
wget https://www.bro.org/downloads/bro-2.5.1.tar.gz tar zxvf bro-2.5.1.tar.gz cd bro-2.5.1 ./configure make make install
No errors? Good now add bro to your PATH.
You can also add PATH=/usr/local/bro/bin:$PATH to your ~/.profile file in your home directory to make the change permanent.
Bro is a powerful tool, to get started quickly we will follow the guide on the project page.
Edit the following files before starting:
$PREFIX/etc/node.cfg -- configure network interface to monitor $PREFIX/etc/networks.cfg -- configure local networks $PREFIX/etc/broctl.cfg -- change MailTo address and the log rotation
To start the program simply enter broctl at a shell.
You are now in the broctl shell, from where you can give bro commands.
The first command to run, since this is a new installation is to run install. We will then run start.
[BroControl] > install warning: cannot read '/opt/bro2/spool/broctl.dat' (this is ok on first run) creating policy directories ... done. installing site policies ... done. generating standalone-layout.bro ... done. generating local-networks.bro ... done. generating broctl-config.bro ... done. updating nodes ... done. [BroControl] > start starting bro ... [BroControl] > status Name Type Host Status Pid Peers Started bro standalone localhost running 22165 0 22 Aug 12:31:55
You now have Bro-IDS running on your system. This is just the beginning, check out the guide and follow the white rabbit.
[box]The next part of this experiment in an effective open source security monitoring solution is to integrate Bro with Enterprise log search and archive or ELSA (a new Splunk like logging platform) and my preferred Host IDS client OSSEC.[/box]