Installing the Bro Network Analyzer on Ubuntu 16.04


Bro is an open-source network analysis framework that focuses on network security monitoring. It is the result of 15 years of research and is widely used by universities, research labs, supercomputer centers and many open-science communities. It was developed primarily by the International Computer Science Institute in Berkeley and the National Center for Supercomputing Applications at the University of Illinois at Urbana-Champaign.

Bro's features include:

    • A scripting language for expressing site-specific monitoring policies

    • Designed for high-performance networks

    • Parsers for many protocols, enabling semantic analysis at the application layer

    • Rich application-level state kept for the networks it monitors

    • The ability to exchange information in real time with other applications through its interfaces

    • Logs that provide a comprehensive, archivable record of network activity

This tutorial will show you how to build from source code and install Bro on an Ubuntu 16.04 server.

Preparatory work

Bro depends on the following libraries and tools:

    • Libpcap

    • OpenSSL library

    • BIND8 library

    • Libz

    • Bash (required by BroControl)

    • Python 2.6+ (required by BroControl)

Building from source code also requires:

    • CMake 2.8+

    • Make

    • GCC 4.8+ or Clang 3.3+

    • SWIG

    • GNU Bison

    • Flex

    • Libpcap headers

    • OpenSSL headers

    • Zlib headers

Start

First, install all the required dependencies by executing the following command:

# apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev

Install a GeoIP database for IP geolocation

Bro uses GeoIP to geolocate IP addresses. Download the IPv4 and IPv6 databases:

$ wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
$ wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCityv6-beta/GeoLiteCityv6.dat.gz

Unzip the two compressed packages:

$ gzip -d GeoLiteCity.dat.gz
$ gzip -d GeoLiteCityv6.dat.gz

Move the extracted files to the /usr/share/GeoIP directory:

# mv GeoLiteCity.dat /usr/share/GeoIP/GeoIPCity.dat
# mv GeoLiteCityv6.dat /usr/share/GeoIP/GeoIPCityv6.dat

Now you can build Bro from source.

Build Bro

The latest Bro development version can be obtained from the Git repository.

Execute the following command:

$ git clone --recursive git://git.bro.org/bro

Change into the cloned directory and build Bro with the following commands:

$ cd bro
$ ./configure
$ make

The make step takes some time to build everything; how long depends on the performance of the server.

You can pass options to the configure script to control which dependencies it builds against, in particular the --with-* options.

Installing Bro

Execute in the cloned Bro directory:

# make install

The default installation path is /usr/local/bro.

Configure Bro

The Bro configuration files are located in the /usr/local/bro/etc directory. There are three files:

node.cfg, which configures the node (or nodes) that do the monitoring.

broctl.cfg, the BroControl configuration file.

networks.cfg, which contains the list of local networks in CIDR notation.

Configure mail settings

Open the Broctl.cfg configuration file:

# $EDITOR /usr/local/bro/etc/broctl.cfg

Find the Mail Options section and edit the MailTo line as follows:

# Recipient address for emails sent off by Bro and BroControl
MailTo = [email protected]

Save and close. There are many other options, but in most cases, the default value is good enough.

Select the nodes to monitor

Out of the box, Bro is configured to run in standalone mode. This tutorial does a standalone installation, so nothing needs to change here, but check the node.cfg configuration file anyway:

# $EDITOR /usr/local/bro/etc/node.cfg

In the [bro] section, you should see something like this:

[bro]
type=standalone
host=localhost
interface=eth0

Make sure that the interface matches the public interface of the Ubuntu 16.04 server.

Save and exit.

Configuring networks for monitoring nodes

The last file to edit is networks.cfg. Open it with a text editor:

# $EDITOR /usr/local/bro/etc/networks.cfg

By default, you should see the following:

# List of local networks in CIDR notation, optionally followed by a
# descriptive tag.
# For example, "10.0.0.0/8" or "fe80::/64" are valid prefixes.

10.0.0.0/8      Private IP space
172.16.0.0/12   Private IP space
192.168.0.0/16  Private IP space

Delete these three entries (they are only an example of how the file is used) and enter the server's public and private IP space in the following format:

x.x.x.x/x       Public IP space
x.x.x.x/x       Private IP space

Save and exit.

Using BroControl to manage the Bro installation

Bro is managed with BroControl, which can be used either as an interactive shell or as a command-line tool. Start the shell:

# /usr/local/bro/bin/broctl

To use it as a command-line tool, simply pass arguments to the same command, for example:

# /usr/local/bro/bin/broctl status

This checks the status of Bro and displays output like the following:

Name         Type         Host          Status    Pid    Started
bro          standalone   localhost     running   6807   12:30:50
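As an added example (not from the original tutorial or the Bro project), a small POSIX shell script that sanity-checks the configuration edits above: it reads the interface from node.cfg and checks it exists on the host, verifies that every networks.cfg prefix is a syntactically valid CIDR block, and checks that the GeoIP databases are where the GeoIP step put them. The config file contents it writes are constructed samples; the /usr/share/GeoIP paths are assumed from the step above.

```shell
#!/bin/sh
# Post-install sanity checks for a Bro configuration (added example, not Bro code).
# Sample configs below are constructed and written to a temp dir so this runs anywhere.

# Print the interface name configured in node.cfg ([bro] section).
node_interface() {
    sed -n 's/^interface=[[:space:]]*//p' "$1" | head -n 1
}

# Succeed only if the interface named in node.cfg exists on this host.
interface_exists() {
    [ -d "/sys/class/net/$(node_interface "$1")" ]
}

# Report every networks.cfg entry whose prefix is not a syntactically valid
# IPv4 or IPv6 CIDR block (mask range checked; comments and blank lines skipped).
# Returns 0 if all entries are valid, 1 otherwise.
validate_networks() {
    bad=0
    while read -r prefix _; do
        case "$prefix" in ''|'#'*) continue ;; esac
        if ! printf '%s\n' "$prefix" | grep -Eq \
            '^(([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])|[0-9A-Fa-f:]*:[0-9A-Fa-f:]*/([0-9]|[0-9]{2}|1[01][0-9]|12[0-8]))$'; then
            echo "invalid prefix in $1: $prefix" >&2
            bad=1
        fi
    done < "$1"
    return $bad
}

# Succeed only if both GeoIP databases from the GeoIP step are present (assumed paths).
geoip_present() {
    [ -f /usr/share/GeoIP/GeoIPCity.dat ] && [ -f /usr/share/GeoIP/GeoIPCityv6.dat ]
}

# Constructed sample configs, shaped like the files edited in this tutorial.
write_sample_configs() {
    printf '[bro]\ntype=standalone\nhost=localhost\ninterface=lo\n' > "$1/node.cfg"
    printf '# local networks\n203.0.113.0/24 Public IP space\n10.0.0.0/8 Private IP space\nfe80::/64 Link-local\n' > "$1/networks.cfg"
    printf '10.0.0.0/8 ok\n10.0.0.0/33 bad mask\n' > "$1/bad-networks.cfg"
}

tmp=$(mktemp -d)
write_sample_configs "$tmp"
echo "node.cfg interface: $(node_interface "$tmp/node.cfg")"
interface_exists "$tmp/node.cfg" || echo "warning: configured interface not found on this host" >&2
validate_networks "$tmp/networks.cfg" && echo "networks.cfg: all prefixes valid"
validate_networks "$tmp/bad-networks.cfg" || echo "bad-networks.cfg: rejected as expected"
geoip_present || echo "warning: GeoIP databases missing from /usr/share/GeoIP" >&2
rm -rf "$tmp"
```

Point the functions at /usr/local/bro/etc/node.cfg and /usr/local/bro/etc/networks.cfg to check a real installation.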

Conclusion

This tutorial covered installing Bro from source. A source-based installation is the most straightforward way to get the latest available version, but prebuilt binary packages of the framework can also be downloaded.
