Bro-IDS installation in Ubuntu 12.04

Bro is a well regarded Intrusion Detection System (IDS) that I have always wanted to play with. In this guide I will install and get started with an install of Bro-IDS on Ubuntu.

The detection focus of Bro IDS is more network flow rather than signature based and does not get the same attention as Snort or Suricata. In many installations where network defence is taken seriously Bro actually runs alongside Snort. Richard Bejtlich of TaoSecurity is fan, here is a video introduction.

Now lets get started on the Bro IDS Installation under Ubuntu 12.04

Grab the required packages with apt-get.

apt-get install libncurses5-dev g++ bison flex libmagic-dev libgeoip-dev libssl-dev build-essential python-dev libpcap-dev cmake swig2.0 libssl0.9.8

Some of these packages I already had installed, but it does not hurt to list all the requirements; apt-get will grab the missing ones and install them for us.

Now we will download bro-ids, we will download and install from source; they have a stable version 2.0 available for Debian 64 bit however there is a dependency issue.

So grab the source tarball, extract and install.


tar zxvf bro-2.0.tar.gz
cd bro-2.0
./configure --prefix=/opt/bro2
make install

No errors? Good now add bro to your PATH.

export PATH=/opt/bro2/bin:$PATH

You can also add PATH=/opt/bro2/bin:$PATH to your ~/.profile file in your home directory to make the change permanent.

Bro is a powerful tool, for the most basic of installation steps we will follow the guide on the project page.

Edit the following files before starting:

$PREFIX/etc/node.cfg  -- configure network interface to monitor
$PREFIX/etc/networks.cfg -- configure local networks
$PREFIX/etc/broctl.cfg -- change MailTo address and the log rotation

To start the program simply enter broctl at a shell.

You are now in the broctl shell, from where you can give bro commands.

[BroControl] >

The first command to run, since this is a new installation is to run install. We will then run start.

[BroControl] > install
warning: cannot read '/opt/bro2/spool/broctl.dat' (this is ok on first run)
creating policy directories ... done.
installing site policies ... done.
generating standalone-layout.bro ... done.
generating local-networks.bro ... done.
generating broctl-config.bro ... done.
updating nodes ... done.
[BroControl] > start
starting bro ...
[BroControl] > status
Name       Type       Host       Status        Pid    Peers  Started              
bro        standalone localhost  running       22165  0      22 Aug 12:31:55

You now have Bro-IDS running on your system. Woo hoo. This is just the beginning, check out the guide and follow the white rabbit.

The next part of this experiment in an effective open source security monitoring solution is to integrate Bro with Enterprise log search and archive or ELSA (a new Splunk like logging platform) and my preferred Host IDS client OSSEC.

, ,

3 Responses to Bro-IDS installation in Ubuntu 12.04

  1. Joakim Wahlgren January 7, 2013 at 2:31 pm #

    Thanks for the tutorial, very useful to get started with Bro IDS on Ubuntu 12.04 server. Keep up the good work with this website!

  2. Ardan July 24, 2013 at 12:52 am #

    need help , when i try

    root@localhost:~/file# broctl
    Traceback (most recent call last):
    File “/opt/bro2/bin/broctl”, line 871, in
    Config = config.Configuration(os.path.join(BroCfgDir, “broctl.cfg”), BroBase, Version)
    File “/opt/bro2/lib/broctl/BroControl/”, line 63, in __init__
    self._setOption(“time”, output[0].lower().strip())
    IndexError: list index out of range

    any solution for this issue 🙂


  1. ngrep and tcpflow - packet capture on a shoestring | - May 8, 2013

    […] POP3, SMTP, IRC, DNS and HTTP are just a few possibilities. On a related note the excellent bro (no longer bro-ids) performs excellent flow analysis and is a tool worth investigating if you are […]