• Subscribe to the low volume list for updates.

Bro-IDS Ubuntu 16.04 Install & Tutorial

Bro is a powerful Intrusion Detection System (IDS) that has a focus on protocol analysis as opposed to the signature based detection employed in Snort and Suricata.

The network flow analysis of Bro IDS is often employed in conjunction with signature based IDS as it complements the detection. Bro is able to be used on high bandwidth networks as it has a very fast analysis engine. Richard Bejtlich author of the excellent "Tao of Network Security Monitoring" and TaoSecurity is a supporter.

bro-ids logo

Now lets get started on the Bro IDS Installation under Ubuntu 16.04

Grab the required packages using apt.

apt install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev libgeoip-dev

As you can see we have included the libgeoip-dev package as we are going to configure our installation with GeoIP support.

wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCityv6-beta/GeoLiteCityv6.dat.gz
gzip -d GeoLiteCity.dat.gz
gzip -d GeoLiteCityv6.dat.gz

Now move the GeoIP files over to the default location /usr/share/GeoIP/, we need to rename them to match the location that Bro is expecting.

mv GeoLiteCity.dat /usr/share/GeoIP/GeoIPCity.dat
mv GeoLiteCityv6.dat /usr/share/GeoIP/GeoIPCityv6.dat

Currently the packaged version of Bro is version 2.4.1 to run the latest version of Bro (2.5.1) you will need to install from source.

Install Bro on Ubuntu from package

sh -c "echo 'deb http://download.opensuse.org/repositories/network:/bro/xUbuntu_16.04/ /' > /etc/apt/sources.list.d/bro.list"
apt update
apt install bro

Install Bro on Ubuntu from source

Download the source, extract and use the standard configure, make, make install.

wget https://www.bro.org/downloads/bro-2.5.1.tar.gz

tar zxvf bro-2.5.1.tar.gz
cd bro-2.5.1
make install

No errors? Good now add bro to your PATH.

export PATH=/usr/local/bro/bin:$PATH

You can also add PATH=/usr/local/bro/bin:$PATH to your ~/.profile file in your home directory to make the change permanent.

Bro is a powerful tool, to get started quickly we will follow the guide on the project page.

Edit the following files before starting:

$PREFIX/etc/node.cfg  -- configure network interface to monitor
$PREFIX/etc/networks.cfg -- configure local networks
$PREFIX/etc/broctl.cfg -- change MailTo address and the log rotation

To start the program simply enter broctl at a shell.

You are now in the broctl shell, from where you can give bro commands.

[BroControl] >

The first command to run, since this is a new installation is to run install. We will then run start.

[BroControl] > install
warning: cannot read '/opt/bro2/spool/broctl.dat' (this is ok on first run)
creating policy directories ... done.
installing site policies ... done.
generating standalone-layout.bro ... done.
generating local-networks.bro ... done.
generating broctl-config.bro ... done.
updating nodes ... done.
[BroControl] > start
starting bro ...
[BroControl] > status
Name       Type       Host       Status        Pid    Peers  Started              
bro        standalone localhost  running       22165  0      22 Aug 12:31:55

You now have Bro-IDS running on your system. This is just the beginning, check out the guide and follow the white rabbit.

The next part of this experiment in an effective open source security monitoring solution is to integrate Bro with Enterprise log search and archive or ELSA (a new Splunk like logging platform) and my preferred Host IDS client OSSEC.