Bro is an open-source network analysis framework that focuses on network security monitoring. It is the product of 15 years of research and is widely used by universities, research labs, supercomputer centers and many open scientific communities. It was developed primarily by the International Computer Science Institute (ICSI) in Berkeley and the National Center for Supercomputing Applications (NCSA) at the University of Illinois at Urbana-Champaign.
Bro's features include:
A scripting language for expressing site-specific monitoring policies
Support for high-performance networks
Parsers for many protocols, enabling semantic analysis at the application layer
Rich application-level state kept for the networks it monitors
The ability to exchange information with other applications in real time
Logs that comprehensively record all activity and provide a high-level archive of network activity
This tutorial shows how to build Bro from source and install it on an Ubuntu 16.04 server.
Prerequisites
Bro has a number of dependencies. Building it from source requires:
CMake 2.8+
Make
GCC 4.8+ or Clang 3.3+
SWIG
GNU Bison
Flex
Libpcap headers
OpenSSL headers
Zlib headers
Getting started
First, install all the required dependencies by executing the following command:
# apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev
Install the GeoIP database used to geolocate IP addresses
Bro uses GeoIP to map IP addresses to geographic locations. To install the IPv4 and IPv6 versions of the database:
$ wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
$ wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCityv6-beta/GeoLiteCityv6.dat.gz
Unzip the two compressed packages:
$ gzip -d GeoLiteCity.dat.gz
$ gzip -d GeoLiteCityv6.dat.gz
Move the extracted files to the /usr/share/GeoIP directory:
# mv GeoLiteCity.dat /usr/share/GeoIP/GeoIPCity.dat
# mv GeoLiteCityv6.dat /usr/share/GeoIP/GeoIPCityv6.dat
Now you can build Bro from source.
Build Bro
The latest Bro development version can be obtained from the Git repository.
Execute the following command:
$ git clone --recursive git://git.bro.org/bro
Change into the cloned directory and build Bro with:
$ cd bro
$ ./configure
$ make
The make command takes some time to build everything. The exact time depends on the performance of the server.
You can pass options to the configure script to control which dependencies and features are built; in particular, see the --with-* options.
Installing Bro
Execute in the cloned Bro directory:
# make install
The default installation path is /usr/local/bro.
Configure Bro
The Bro configuration files are located in the /usr/local/bro/etc directory. There are three of them:
node.cfg, which configures the node (or nodes) that do the monitoring.
broctl.cfg, the BroControl configuration file.
networks.cfg, which contains the list of local networks in CIDR notation.
Configure mail settings
Open the broctl.cfg configuration file:
# $EDITOR /usr/local/bro/etc/broctl.cfg
Find the Mail Options section and edit the MailTo line as follows:
# Recipient address for emails sent out by Bro and BroControl
MailTo = [email protected]
Save and close. There are many other options, but in most cases the defaults are good enough.
Select the nodes to monitor
Out of the box, Bro is configured to run in standalone mode. In this tutorial we are doing a standalone installation, so nothing needs to change, but still check the node.cfg configuration file:
# $EDITOR /usr/local/bro/etc/node.cfg
In the [bro] section you should see something like this:
[bro]
type=standalone
host=localhost
interface=eth0
Make sure that the interface matches the public interface of the Ubuntu 16.04 server.
Save and exit.
Configuring networks for monitoring nodes
The last file to edit is networks.cfg. Open it with a text editor:
# $EDITOR /usr/local/bro/etc/networks.cfg
By default, you should see the following:
# List of local networks in CIDR notation, optionally followed by a
# descriptive tag.
# For example, "10.0.0.0/8" or "fe80::/64" are valid prefixes.

10.0.0.0/8          Private IP space
172.16.0.0/12       Private IP space
192.168.0.0/16      Private IP space
Delete these three entries (they are only an example of how the file is used) and enter the server's public and private IP space in the following format:
x.x.x.x/x           Public IP space
x.x.x.x/x           Private IP space
Save and exit.
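The node.cfg and networks.cfg edits above are easy to get wrong (a typo in the interface name, or a prefix without its mask), and Bro only complains when it starts. The following script is an added example, not part of the Bro project, that checks both files before you start Bro; it reads the default /usr/local/bro/etc layout through path arguments and uses constructed sample files so it can be run anywhere.

```shell
#!/bin/sh
# Added example (not from the Bro project): sanity-check the node.cfg and
# networks.cfg edits described above before starting Bro. It assumes the
# default /usr/local/bro/etc layout but takes file paths as arguments.

# Print the value of KEY from the [bro] section of a node.cfg file.
node_cfg_value() {                       # $1 = node.cfg path, $2 = key
    awk -F= -v key="$2" '
        /^\[/ { in_bro = (tolower($0) == "[bro]") }
        in_bro && tolower($1) == key { gsub(/[[:space:]]/, "", $2); print $2; exit }
    ' "$1"
}

# Return 0 if every non-comment line of networks.cfg starts with a syntactically
# valid IPv4 CIDR prefix; IPv6 prefixes are passed through unchecked.
networks_cfg_valid() {                   # $1 = networks.cfg path
    octet='(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])'
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
    while read -r prefix _tag; do
        case "$prefix" in *:*) continue ;; esac      # IPv6: not checked here
        ip=${prefix%/*}; bits=${prefix#*/}
        [ "$ip" != "$prefix" ] || { echo "missing /mask: $prefix" >&2; exit 1; }
        echo "$bits" | grep -Eq '^([0-9]|[12][0-9]|3[0-2])$' \
            || { echo "bad mask: $prefix" >&2; exit 1; }
        echo "$ip" | grep -Eq "^${octet}(\\.${octet}){3}\$" \
            || { echo "bad address: $prefix" >&2; exit 1; }
    done
}

# Constructed sample files standing in for /usr/local/bro/etc/*.cfg; the
# directory is left in place so the checks can be re-run against it.
SAMPLE_DIR=$(mktemp -d)
printf '[bro]\ntype=standalone\nhost=localhost\ninterface=eth0\n' > "$SAMPLE_DIR/node.cfg"
cat > "$SAMPLE_DIR/networks.cfg" <<'EOF'
# constructed example: public and private space of this server
203.0.113.0/24      Public IP space
192.168.10.0/24     Private IP space
EOF
cat > "$SAMPLE_DIR/networks-bad.cfg" <<'EOF'
10.0.0.0            Private IP space
EOF

iface=$(node_cfg_value "$SAMPLE_DIR/node.cfg" interface)
echo "node.cfg monitors interface: $iface"
[ -d "/sys/class/net/$iface" ] || echo "warning: $iface is not an interface on this host" >&2
networks_cfg_valid "$SAMPLE_DIR/networks.cfg" && echo "networks.cfg: ok"
networks_cfg_valid "$SAMPLE_DIR/networks-bad.cfg" || echo "networks-bad.cfg: rejected as expected"
```

To check a real installation, call the two functions with /usr/local/bro/etc/node.cfg and /usr/local/bro/etc/networks.cfg instead of the sample files.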
Using BroControl to manage the Bro installation
Bro is managed with BroControl, which can be used both as an interactive shell and as a command-line tool. Start the shell with:
# /usr/local/bro/bin/broctl
To use it as a command-line tool, simply pass the command as an argument to the same program, for example:
# /usr/local/bro/bin/broctl status
This checks the status of Bro and displays output like the following:
Name         Type         Host        Status    Pid     Started
bro          standalone   localhost   running   6807    12:30:50
Conclusion
This concludes the Bro installation tutorial. We installed from source because it is the most reliable way to get the latest available version, but the network analysis framework can also be downloaded as prebuilt binary packages.
Installing the Bro Network Analyzer on Ubuntu 16.04