How to install Bro on Ubuntu 16.04

Introduction: install Bro on Ubuntu 16.04

Bro is a simple yet effective open source analysis and security tool for the network. It combines the best features of osquery and OSSEC in a single comprehensive package. Bro is sufficient for behavior as well as signature based detection and analysis. There is a lot that one can accomplish with the power and versatility of the Bro, some of the salient features of Bro are listed below and in this guide, we will teach you how to install Bro on Ubuntu 16.04.

  • It is capable of detecting brute force nature attacks on Network including FTP and SSH
  • Has the ability to monitor and analyze HTTP traffic
  • It also monitors the installed software for any unwarranted changes
  • Has the ability to perform TLS/SSL validation
  • It is highly capable of detecting SQL injection threats
  • Bro is also capable of monitoring and maintaining the integrity of all files
  • Provide activity, crash, and other handy summaries through emails
  • Can perform in a standalone setting without much intervention from network administrator

When you install Bro on Ubuntu you can either do so through a source or a package manager. The Source installation is a bit more complicated but it comes with added features like IP geolocation provided that the geolocation library is installed before compilation. Bro also gives access to more commands in form of broct1 & bro. The Broct1 is a highly effective way to interact and manage distributed bro installations while the Bro command can be used to trace, analyze or manage different files along with live traffic. In this step by step guide, we would help you install Bro on Ubuntu in standalone mode. Below are the steps we will cover:

Install Bro On Ubuntu 16.04

What do you need to install and configure Bro on Ubuntu?

You would need the following to install bro on Ubuntu 16.04

  • Ubuntu 16.04 Server with a fully installed and activated firewall
  • A user account with Sudo Privileges or administrative rights.
  • 1 GB of minimum memory
  • Postfix as a Send Only transfer agent (Optional but recommended for receiving email alerts)

Once you have set up all of the above you are ready to setup Bro on your Ubuntu server.

Dependencies to install Bro on Ubuntu 16.04

Before the Bro’s installation can run on your system you need to setup its dependencies. Failure to do this can cause errors in the later parts of the Bro installation. Use the following command to do update the bro’s package database

$ Sudo apt-get update

Bro requires a number of dependencies in order to install and function properly these include Libcap, CMake, Bison, SWIG, C/C++ compiler, Python 2.6 & BIND8.

The following command can be used to download and install all of these dependencies at once.

 $ sudo apt-get install bison cmake flex g++ gdb make libmagic-dev libpcap-dev libgeoip-dev libssl-dev python-dev swig2.0 zlib1g-dev

Once the download and installation are complete you need to download the Geolocation database that Bro would be using for IP Geolocation.

GeoIP Database

In this step, we would be downloading a GeoIP database which would be utilized by Bro for IP geolocation. You would need to download two sets of compressed files that contain IPV6 and IPV4 databases. The download is available at this link, although a newer version of this database has been released it is not supported by Bro yet. Once they are downloaded decompress and move them to the following location.

/usr/share/GeoIP

Use the following commands to download the databases

$ wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz

$ wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCityv6-beta/GeoLiteCityv6.dat.gz

Then use the following commands to rename and move the both Database packages to the directory specified above:

$ sudo mv GeoLiteCity.dat /usr/share/GeoIP/GeoIPCity.dat

$ sudo mv GeoLiteCityv6.dat /usr/share/GeoIP/GeoIPCityv6.dat

We have downloaded all the prerequisites now we are finally moving towards the installation of Bro itself.

Install bro on Ubuntu from Source

First, you need to copy the repository from GitHub to start the installation from the source. The GitHub is present on Ubuntu by default. Use the following command to clone the repository to a new directory (Bro).

$ git clone --recursive git://git.bro.org/bro

Move into the newly created Bro directory

$ cd bro

Use the following command to start the Bro’s configuration process which should not take more than a minute or two

 $ . /configure

Then use the “make” command to build the Bro’s installation. It should take approximately 20 minutes or lesser depending on your server’s overall speed

$ make

The completion bar would pop on your screen. Once it finishes you are ready to install Bro. Use the following command to initiate the Bro’s installation which should complete in a minute or so.

$ sudo make install

Bro is installed in the /Usr/Local/bro directory by default. In the next step, we need to ensure that it will be available globally. To accomplish that we need to add the address of installation directory in your $PATH. Simply specify the path in a new file under /etc/profile.d directory. For this tutorial’s purpose, we would name it 3rd-party.sh.

You can use any text editor but it is highly recommended to go for Nano. Create a file and open it

$ sudo nano /etc/profile.d/3rd-party.sh

Copy and paste the following commands into it. The first line explains the purpose of the command while the second line adds the directory’s path for the user in question.

# Expand PATH to include the path to Bro's binaries

export PATH=$PATH:/usr/local/bro/bin

Save and close the file then activate the changes using the following command:

$ Source /etc/profile.d/3rd-party.sh

Sometimes the changes in setting do not take effect properly, log in and log out multiple times to ensure that the settings have changed and are loading correctly. Once you are done with this your bro installation is complete, now all that’s left to do is to configure it.

Configuring Bro on Ubuntu

In this step, we would tweak a few settings to ensure that Bro works flawlessly. All the files that need to be edited are located in /usr/local/bro/etc.

Below we provide a brief list of different files and their purpose:

  • cfg : it configures different nodes that need to be monitored
  • Networks.cf: it contains the list of networks under CIDR Notation that are local.
  • cfg: it contains the configurations for logging, emails, and numerous settings.

There are a few things that need to be modified in each of the files listed above.

Configuring Nodes Monitor

By default, Bro is set to operate in standalone mode without requiring much intervention from the network administrator. The default settings don’t require much change but it’s always a good idea to check whether everything is in order.

First open the file using the following command

$ sudo nano /usr/local/bro/etc/node.cfg

Find the “interface” parameter under the bro section. By default, it should be “etho0”. If it isn’t, then update it. The entire command line should look something like this:

[bro]

type=standalone

host=localhost

interface=eth0

Save and close the file and you are done with this step. In the next step, we would setup private networks belonging to the node.

Node’s Private Network Setup

The Network.cfg file contains the best settings for the Networks that the node belong to. Open the file using the following command:

$ sudo nano /usr/local/bro/etc/networks.cfg

By default, this file contains three Private IP block examples. You need to delete these example entries and then add your own. Use the “ip addr show” to determine the IP address of your server. Then enter the IP addresses as per the format in the examples. The final file should look something like this:

203.0.113.0/24          Public IP space198.51.100.0/24         Private IP space

Loggin & Mail Settings

The Broctl.cfg is the file that contains the settings for emails and logins. Most of the settings don’t need to be changed, you only need to add the email address where you wish to receive the messages.

First, open the file

$ sudo nano /usr/local/bro/etc/broctl.cfg

Find the line #Mail options and change the email address against the “MailTo” with the one that you wish to receive the emails on.

Mailto = ABC@Example.com

Save and Close the file once you made the required changes. In the next steps, we would take you through the basics of managing Bro using BroControl.

BroControl

There are multiple functions that you can perform with BroControl. It is a handy tool that can be used to stop/start services, handle different management tasks, deploying bro, and a few other functions. It provides interactive shell as well as command line tools.

Use the following command to initiate the interactive shell

$ Sudo /usr/local/bro/bin/broctl

But it is better to initiate the BroControl in command line mode. Use the following command to initiate BroControl and configure all the files needed for smooth operation

$ sudo /usr/local/bro/bin/broctl deploy

If you have followed everything correctly then the BroControl should load up but if it fails then it would also provide the reason for not initiating. It is common to see mail related errors in Bro despite having an MTA installed. If you encounter such an error simply add an entry under SendMail in mail option section:

. . .# Added for SendmailSendMail = /usr/sbin/sendmail ################################################ Logging Options. . .

Once you have added the entry you need to redeploy (Sudo /usr/local/bro/bin/broctl) Bro  for the settings to take effect.

Cron Configuration

By default, bro does not have any system management file. The Cron script is usually used for this purpose. It can perform multiple performance and analysis related tasks from checking disk space to generating crash reports.

Cron is usually enabled out of the box but a tool called cron Job needs to be installed so that the script can be triggered. First, you need to install the cron package file in the following directory

/etc/cron.d/

Use the following command to edit the file

$ sudo nano /etc/cron.d/bro

Add the following entry it would trigger the script after every 5 minutes and would whether bro is running or needs to be restarted.

*/5 * * * * root /usr/local/bro/bin/broctl cron

The “5” in above command refers to the time that needs to elapse before the script is triggered again. If you want the script to trigger more often than change this time accordingly. Save and close the file to complete the configuration. If you have setup the Cron perfectly then it should send you activity report and also restart cron if it crashes.

Conclusion

This guide has thoroughly covered all that you need to know in order to install, configure, and initiate bro for your server. Bro also offers Bro and Broctrl commands to monitor live traffic or carry out different analysis tasks. If you have followed this tutorial closely then Bro should be installed on your network and running smoothly.

Leave a Reply