Bro is a simple yet effective open source analysis and security tool for the network. It combines the best features of osquery and OSSEC in a single comprehensive package. Bro is sufficient for behavior as well as signature based detection and analysis. There is a lot that one can accomplish with the power and versatility of the Bro, some of the salient features of Bro are listed below and in this guide, we will teach you how to install Bro on Ubuntu 16.04.
It is capable of detecting brute force nature attacks on Network including FTP and SSH
Has the ability to monitor and analyze HTTP traffic
It also monitors the installed software for any unwarranted changes
Has the ability to perform TLS/SSL validation
It is highly capable of detecting SQL injection threats
Bro is also capable of monitoring and maintaining the integrity of all files
Provide activity, crash, and other handy summaries through emails
Can perform in a standalone setting without much intervention from network administrator
When you install Bro on Ubuntu you can either do so through a source or a package manager. The Source installation is a bit more complicated but it comes with added features like IP geolocation provided that the geolocation library is installed before compilation. Bro also gives access to more commands in form of broct1 & bro. The Broct1 is a highly effective way to interact and manage distributed bro installations while the Bro command can be used to trace, analyze or manage different files along with live traffic. In this step by step guide, we would help you install Bro on Ubuntu in standalone mode. Below are the steps we will cover:
What do you need to install and configure Bro on Ubuntu?
You would need the following to install bro on Ubuntu 16.04
Ubuntu 16.04 Server with a fully installed and activated firewall
A user account with Sudo Privileges or administrative rights.
1 GB of minimum memory
Postfix as a Send Only transfer agent (Optional but recommended for receiving email alerts)
Once you have set up all of the above you are ready to setup Bro on your Ubuntu server.
Dependencies to install Bro on Ubuntu 16.04
Before the Bro’s installation can run on your system you need to setup its dependencies. Failure to do this can cause errors in the later parts of the Bro installation. Use the following command to do update the bro’s package database
$ Sudo apt-get update
Bro requires a number of dependencies in order to install and function properly these include Libcap, CMake, Bison, SWIG, C/C++ compiler, Python 2.6 & BIND8.
The following command can be used to download and install all of these dependencies at once.
Once the download and installation are complete you need to download the Geolocation database that Bro would be using for IP Geolocation.
In this step, we would be downloading a GeoIP database which would be utilized by Bro for IP geolocation. You would need to download two sets of compressed files that contain IPV6 and IPV4 databases. The download is available at this link, although a newer version of this database has been released it is not supported by Bro yet. Once they are downloaded decompress and move them to the following location.
Use the following commands to download the databases
We have downloaded all the prerequisites now we are finally moving towards the installation of Bro itself.
Install bro on Ubuntu from Source
First, you need to copy the repository from GitHub to start the installation from the source. The GitHub is present on Ubuntu by default. Use the following command to clone the repository to a new directory (Bro).
$ git clone --recursive git://git.bro.org/bro
Move into the newly created Bro directory
$ cd bro
Use the following command to start the Bro’s configuration process which should not take more than a minute or two
$ . /configure
Then use the “make” command to build the Bro’s installation. It should take approximately 20 minutes or lesser depending on your server’s overall speed
The completion bar would pop on your screen. Once it finishes you are ready to install Bro. Use the following command to initiate the Bro’s installation which should complete in a minute or so.
$ sudo make install
Bro is installed in the /Usr/Local/bro directory by default. In the next step, we need to ensure that it will be available globally. To accomplish that we need to add the address of installation directory in your $PATH. Simply specify the path in a new file under /etc/profile.d directory. For this tutorial’s purpose, we would name it 3rd-party.sh.
You can use any text editor but it is highly recommended to go for Nano. Create a file and open it
$ sudo nano /etc/profile.d/3rd-party.sh
Copy and paste the following commands into it. The first line explains the purpose of the command while the second line adds the directory’s path for the user in question.
# Expand PATH to include the path to Bro's binaries
Save and close the file then activate the changes using the following command:
$ Source /etc/profile.d/3rd-party.sh
Sometimes the changes in setting do not take effect properly, log in and log out multiple times to ensure that the settings have changed and are loading correctly. Once you are done with this your bro installation is complete, now all that’s left to do is to configure it.
Configuring Bro on Ubuntu
In this step, we would tweak a few settings to ensure that Bro works flawlessly. All the files that need to be edited are located in /usr/local/bro/etc.
Below we provide a brief list of different files and their purpose:
cfg : it configures different nodes that need to be monitored
Networks.cf: it contains the list of networks under CIDR Notation that are local.
cfg: it contains the configurations for logging, emails, and numerous settings.
There are a few things that need to be modified in each of the files listed above.
Configuring Nodes Monitor
By default, Bro is set to operate in standalone mode without requiring much intervention from the network administrator. The default settings don’t require much change but it’s always a good idea to check whether everything is in order.
First open the file using the following command
$ sudo nano /usr/local/bro/etc/node.cfg
Find the “interface” parameter under the bro section. By default, it should be “etho0”. If it isn’t, then update it. The entire command line should look something like this:
Save and close the file and you are done with this step. In the next step, we would setup private networks belonging to the node.
Node’s Private Network Setup
The Network.cfg file contains the best settings for the Networks that the node belong to. Open the file using the following command:
$ sudo nano /usr/local/bro/etc/networks.cfg
By default, this file contains three Private IP block examples. You need to delete these example entries and then add your own. Use the “ip addr show” to determine the IP address of your server. Then enter the IP addresses as per the format in the examples. The final file should look something like this:
203.0.113.0/24 Public IP space198.51.100.0/24 Private IP space
Loggin & Mail Settings
The Broctl.cfg is the file that contains the settings for emails and logins. Most of the settings don’t need to be changed, you only need to add the email address where you wish to receive the messages.
First, open the file
$ sudo nano /usr/local/bro/etc/broctl.cfg
Find the line #Mail options and change the email address against the “MailTo” with the one that you wish to receive the emails on.
Mailto = ABC@Example.com
Save and Close the file once you made the required changes. In the next steps, we would take you through the basics of managing Bro using BroControl.
There are multiple functions that you can perform with BroControl. It is a handy tool that can be used to stop/start services, handle different management tasks, deploying bro, and a few other functions. It provides interactive shell as well as command line tools.
Use the following command to initiate the interactive shell
$ Sudo /usr/local/bro/bin/broctl
But it is better to initiate the BroControl in command line mode. Use the following command to initiate BroControl and configure all the files needed for smooth operation
$ sudo /usr/local/bro/bin/broctl deploy
If you have followed everything correctly then the BroControl should load up but if it fails then it would also provide the reason for not initiating. It is common to see mail related errors in Bro despite having an MTA installed. If you encounter such an error simply add an entry under SendMail in mail option section:
Once you have added the entry you need to redeploy (Sudo /usr/local/bro/bin/broctl) Bro for the settings to take effect.
By default, bro does not have any system management file. The Cron script is usually used for this purpose. It can perform multiple performance and analysis related tasks from checking disk space to generating crash reports.
Cron is usually enabled out of the box but a tool called cron Job needs to be installed so that the script can be triggered. First, you need to install the cron package file in the following directory
Use the following command to edit the file
$ sudo nano /etc/cron.d/bro
Add the following entry it would trigger the script after every 5 minutes and would whether bro is running or needs to be restarted.
*/5 * * * * root /usr/local/bro/bin/broctl cron
The “5” in above command refers to the time that needs to elapse before the script is triggered again. If you want the script to trigger more often than change this time accordingly. Save and close the file to complete the configuration. If you have setup the Cron perfectly then it should send you activity report and also restart cron if it crashes.
This guide has thoroughly covered all that you need to know in order to install, configure, and initiate bro for your server. Bro also offers Bro and Broctrl commands to monitor live traffic or carry out different analysis tasks. If you have followed this tutorial closely then Bro should be installed on your network and running smoothly.
Oskar Edin runs a web development company in Sweden, Northern Web, where he constantly works and learns new things which he later on shares with the community, here at CodeEnlightened.com. When he is not working you probably find him in his car driving around or hanging around with friends.