The network flow analysis of Bro IDS is often employed in conjunction with signature based IDS as it complements the detection. Bro is able to be used on high bandwidth networks as it has a very fast analysis engine. Richard Bejtlich author of the excellent "Tao of Network Security Monitoring" and TaoSecurity is a supporter.
Bro IDS Installation under Ubuntu 16.04
Grab the required packages using apt.
apt install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev libgeoip-dev
We have included the
libgeoip-dev package as we are going to configure our installation with GeoIP support.
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCityv6-beta/GeoLiteCityv6.dat.gz gzip -d GeoLiteCity.dat.gz gzip -d GeoLiteCityv6.dat.gz
Move the GeoIP files to the default location
/usr/share/GeoIP/. Rename them to match the location that Bro is expecting.
mv GeoLiteCity.dat /usr/share/GeoIP/GeoIPCity.dat mv GeoLiteCityv6.dat /usr/share/GeoIP/GeoIPCityv6.dat
At the time of writing the packaged version of Bro is version 2.4.1. To run the latest version of Bro (2.6.1) you will need to install from source.
Install Bro on Ubuntu from package
sh -c "echo 'deb http://download.opensuse.org/repositories/network:/bro/xUbuntu_16.04/ /' > /etc/apt/sources.list.d/bro.list" apt update apt install bro
Install Bro on Ubuntu from source
Download the source, extract and use the standard configure, make, make install.
wget https://www.bro.org/downloads/bro-2.6.1.tar.gz tar zxvf bro-2.6.1.tar.gz cd bro-2.6.1 ./configure make make install
No errors? Good now add bro to your PATH.
You can also add
PATH=/usr/local/bro/bin:$PATH to your ~/.profile file in your home directory to make the change permanent.
Bro is a powerful tool, to get started we will follow the guide on the project page.
Edit the following files before starting:
$PREFIX/etc/node.cfg -- configure network interface to monitor $PREFIX/etc/networks.cfg -- configure local networks $PREFIX/etc/broctl.cfg -- change MailTo address and the log rotation
To start - enter broctl at a shell.
You are now in the broctl shell, from where you can give bro commands.
Since this is a new installation we run install. Then run start.
[BroControl] > install warning: cannot read '/opt/bro2/spool/broctl.dat' (this is ok on first run) creating policy directories ... done. installing site policies ... done. generating standalone-layout.bro ... done. generating local-networks.bro ... done. generating broctl-config.bro ... done. updating nodes ... done. [BroControl] > start starting bro ... [BroControl] > status Name Type Host Status Pid Peers Started bro standalone localhost running 22165 0 22 Aug 12:31:55
You now have Bro-IDS running on your system. This is just the beginning, check out the guide and follow the white rabbit.
BRO-IDS has had a name change. Quote from https://www.zeek.org "..Zeek is the new name for the long-established Bro system. Note that parts of the system retain the "Bro" name, and it also often appears in the documentation and distributions.."
New vulnerabilities are discovered in software on a daily basis.
Identify your vulnerability scanner requirement.
Next level testing with advanced Security Vulnerability Scanners.
Trusted tools. Hosted for easy access.