How to Install and Configure Bro on Ubuntu Linux



Synopsis

Bro is a free, open source, Unix-based network analysis framework started by Vern Paxson.
Bro provides a comprehensive platform for collecting network measurements, conducting forensic investigations and baselining traffic. Its analysis engine makes it both a powerful intrusion detection system and a general network analysis framework.

Bro comes with a powerful set of features, some of them are listed below:

  • Runs on commodity hardware and supports Linux, FreeBSD and MacOS.
  • Real-time and offline analysis.
  • Supports clustering for large-scale deployments.
  • Ability to monitor traffic in a very high performance environment.
  • Comprehensive logging of activity for offline analysis and forensics.
  • Supports many protocols, such as DNS, FTP, HTTP, IRC, SMTP, SSH and SSL.

In this tutorial, we will explain how to install and configure BRO IDS on Ubuntu Linux.

System Requirements

  • Ubuntu 16.04 server installed on your server.
  • Static IP address 192.168.15.189 set up on your server.

Update the System

Before starting, it is recommended to update your system's packages to the latest versions.

First, log in as the root user and update your system with the following commands:

apt-get update -y
apt-get upgrade -y

After updating your system, restart your system.

Install Required Dependencies

Before starting, Bro requires some dependencies to be installed on your system. You can install all of them with the following command:

sudo apt-get install cmake make gcc g++ flex git bison python-dev swig libpcap-dev libssl-dev zlib1g-dev -y

You will also need to install the GeoIP library on your system. You can install it with the following command:

apt-get install libgeoip-dev -y

Next, download the GeoIP database with the following command:

cd /usr/share/GeoIP/
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCityv6-beta/GeoLiteCityv6.dat.gz

Next, extract the downloaded database with the following command:

gunzip GeoLiteCity*

Next, rename both files to GeoIPCity.dat and GeoIPCityv6.dat respectively:

mv GeoLiteCity.dat GeoIPCity.dat
mv GeoLiteCityv6.dat GeoIPCityv6.dat

Install Bro-IDS

First, download the latest version of the Bro-IDS source from their website. You can do this with the following command:

wget http://www.bro.org/downloads/release/bro-2.4.1.tar.gz

Next, extract the archive, change into the bro-2.4.1 directory and build it with the following commands:

tar -xzf bro-2.4.1.tar.gz
cd bro-2.4.1
mkdir /opt/bro
./configure --prefix=/opt/bro
make
make install

Once Bro-IDS is installed, add its bin directory to your PATH environment variable with the following command:

export PATH=/opt/bro/bin:$PATH

To make the change permanent, you will also need to add the path to the ~/.profile file in your home directory.

nano ~/.profile

Add the following line:

PATH=/opt/bro/bin:$PATH

Configure Bro-IDS

By default, the Bro configuration files are located in the /opt/bro/etc/ directory. First, you will need to specify the network interface you want to monitor.

You can do this by editing /opt/bro/etc/node.cfg file:

nano /opt/bro/etc/node.cfg

Specify the network interface you want to monitor, as shown below:

[bro]
type=standalone
host=localhost
interface=eth0

Save and close the file.

Next, you will need to specify the private IP range which you want to monitor. You can do this by editing /opt/bro/etc/networks.cfg file:

nano /opt/bro/etc/networks.cfg

Specify the IP address ranges you want to monitor, as shown below:

192.168.15.0/24          Private IP space
192.168.0.0/16      Private IP space

Save and close the file when you are finished.

Next, you will need to start the Bro service.

The Bro service is managed by BroControl (broctl). Before the first start, run its install command, which generates the policy and configuration files from node.cfg and networks.cfg:

broctl install

You should see the following output:

creating policy directories ...
installing site policies ...
generating standalone-layout.bro ...
generating local-networks.bro ...
generating broctl-config.bro ...
generating broctl-config.sh ...
updating nodes ...

Finally, start the Bro service with the following command:

broctl start

Next, to start the Bro service at boot, add it to the /etc/rc.local file:

nano /etc/rc.local

Add the following line:

/opt/bro/bin/broctl start

Save the file when you are finished.

You can check the status of the Bro service with the following command:

broctl status

When all is well, you can check the Bro log files and observe Bro logs streaming in real time.

First, on the remote machine, run an Nmap port scan against your server with the following command:

nmap -PN -sS 192.168.15.189

Next, on the server machine, check the log file with the following command:

tail -f /opt/bro/logs/current/notice.log

You should see the following output:

#path	notice
#open	2017-06-11-08-38-44
#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
#types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	set[enum]	interval	bool	string	string	string	double	double
1497150524.430742	-	-	-	-	-	-	-	-	-	Scan::Port_Scan	192.168.15.196 scanned at least 15 unique ports of host 192.168.15.189 in 0m0s	local	192.168.15.196	192.168.15.189	-	-	bro	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-

Next, check the connection log with the following command:

tail -f /opt/bro/logs/current/conn.log

You should see the following output:

1497150746.206183	CBjGd54nEnYOYOYGV8	192.168.15.196	52232	192.168.15.189	1026	tcp	-	0.000015	0	0	REJ	T	T	0	Sr	1	44	1	40	(empty)
1497150746.206241	CPXg8OhTmd6FLIqe4	192.168.15.196	52232	192.168.15.189	3914	tcp	-	0.000015	0	0	REJ	T	T	0	Sr	1	44	1	40	(empty)
1497150746.206299	Cu0Bk92eLHWLOEGJQ1	192.168.15.196	52232	192.168.15.189	1069	tcp	-	0.000007	0	0	REJ	T	T	0	Sr	1	44	1	40	(empty)
1497150746.206386	CGdIJu1yRfjtHXuHA6	192.168.15.196	52232	192.168.15.189	9900	tcp	-	0.000016	0	0	REJ	T	T	0	Sr	1	44	1	40	(empty)
1497150746.206445	CrS26a1maFEZPcxL9	192.168.15.196	52232	192.168.15.189	5988	tcp	-	0.000016	0	0	REJ	T	T	0	Sr	1	44	1	40	(empty)
1497150746.206531	CciTaZF47VJzASOt3	192.168.15.196	52232	192.168.15.189	1187	tcp	-	0.000017	0	0	REJ	T	T	0	Sr	1	44	1	40	(empty)
1497150746.206585	Cn0bnZ1icKr99yXn31	192.168.15.196	52232	192.168.15.189	4998	tcp	-	0.000064	0	0	REJ	T	T	0	Sr	1	44	1	40	(empty)
1497150746.206700	Czp8ek1iUu0eapTti7	192.168.15.196	52232	192.168.15.189	9535	tcp	-	0.000017	0	0	REJ	T	T	0	Sr	1	44	1	40	(empty)
1497150746.206762	C2Q5sjkJIHCJdApod	192.168.15.196	52232	192.168.15.189	8085	tcp	-	0.000017	0	0	REJ	T	T	0	Sr	1	44	1	40	(empty)
1497150692.364924	C4oQWQ2mWrrblFrfzl	fe80::5cd9:ddff:fef4:fc77	135	fe80::a00:27ff:fe7c:5b40	136	icmp	-	0.000044	24	16	OTH	F	F	0	-	1	72	1	64	(empty)
^C
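The two log checks above read notice.log and conn.log by eye. As an added example that is not part of the original tutorial, the following Python script parses Bro's ASCII log format (the #fields header names the columns, "-" marks an unset field and "(empty)" an empty set) and extracts the same two signals shown above: hosts named in Scan::Port_Scan notices and originators with a burst of REJ connections. The sample log text is constructed to mirror the excerpts, and the threshold of five rejected connections is an assumption.

```python
from collections import Counter
CONN_FIELDS = ("ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes "
               "resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts "
               "orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents").split()
NOTICE_FIELDS = ("ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg "
                 "sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code "
                 "remote_location.region remote_location.city remote_location.latitude remote_location.longitude").split()

def parse_bro_log(text):
    """Rows as dicts keyed by the #fields header; '-' (unset) -> None, '(empty)' -> ''."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#"):                  # #separator/#path/#fields/#types/#close lines
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue
        if fields is None:
            raise ValueError("data line before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("expected %d columns, got %d" % (len(fields), len(values)))
        records.append({k: (None if v == "-" else "" if v == "(empty)" else v)
                        for k, v in zip(fields, values)})
    return records

def port_scan_sources(notice_records):
    """Hosts reported as src in Scan::Port_Scan notices, as in the notice.log excerpt."""
    return sorted({r["src"] for r in notice_records if r["note"] == "Scan::Port_Scan"})

def rejected_by_source(conn_records, threshold=5):
    """Originators with >= threshold REJ connections (SYN answered by RST): the conn.log trace of a SYN scan."""
    hits = Counter(r["id.orig_h"] for r in conn_records if r["conn_state"] == "REJ")
    return {src: n for src, n in hits.items() if n >= threshold}

def _row(fields, values):   # one constructed log line; fields not given are unset ('-')
    return "\t".join(values.get(f, "-") for f in fields)
# Constructed sample logs modelled on the excerpts above (not real captures).
_scan = {"id.orig_h": "192.168.15.196", "id.orig_p": "52232", "id.resp_h": "192.168.15.189",
         "proto": "tcp", "conn_state": "REJ", "history": "Sr", "tunnel_parents": "(empty)"}
SAMPLE_CONN_LOG = "\n".join(
    ["#path\tconn", "#fields\t" + "\t".join(CONN_FIELDS)]
    + [_row(CONN_FIELDS, dict(_scan, ts="1497150746.%06d" % i, uid="C%017d" % i, **{"id.resp_p": str(p)}))
       for i, p in enumerate([1026, 3914, 1069, 9900, 5988, 1187])]
    + [_row(CONN_FIELDS, {"ts": "1497150800.000000", "id.orig_h": "192.168.15.10", "id.resp_p": "22", "conn_state": "SF"})])
SAMPLE_NOTICE_LOG = "\n".join(
    ["#path\tnotice", "#fields\t" + "\t".join(NOTICE_FIELDS),
     _row(NOTICE_FIELDS, {"ts": "1497150524.430742", "note": "Scan::Port_Scan", "sub": "local",
                          "msg": "192.168.15.196 scanned at least 15 unique ports of host 192.168.15.189 in 0m0s",
                          "src": "192.168.15.196", "dst": "192.168.15.189", "actions": "Notice::ACTION_LOG"})])
```

The same parser works on any file under /opt/bro/logs/current/, since every Bro log carries its own #fields header.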

Conclusion

Congratulations! You have successfully installed Bro-IDS on your server. You can now capture packets and inspect the traffic on your network.
