How to Install Bro on Ubuntu 16.04

Bro is an open-source network analysis framework and security monitoring application. It can perform signature and behavior-based analysis and detection, but the bulk of what it does is behavior-based analysis and detection. Features include the ability to:

  • Detect brute-force attacks against network services like SSH and FTP
  • Perform HTTP traffic monitoring and analysis
  • Detect changes in installed software
  • Perform SSL/TLS certificate validation
  • Detect SQL injection attacks
  • Perform file integrity monitoring of all files
  • Send activity, summary and crash reports and alerts via email
  • Perform geolocation of IP addresses to city-level
  • Operate in standalone or distributed mode

You will need an Ubuntu 16.04 server with a firewall and non-root user account with sudo privileges configured and Postfix installed as a send-only mail transfer agent (MTA) on the server.

Open your terminal using:

Ctrl+Alt+T

and run the following commands:

Dependencies

sudo apt-get update
You will be prompted for a password. Please take caution as there is no visual feedback.

Install the necessary dependencies at once:
sudo apt-get install bison cmake flex g++ gdb make libmagic-dev libpcap-dev libgeoip-dev libssl-dev python-dev swig2.0 zlib1g-dev

Database

We will download both the IPv4 and IPv6 GeoIP database which Bro will depend on for IP address geolocation:

wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz

wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCityv6-beta/GeoLiteCityv6.dat.gz

Decompress both files:

gzip -d GeoLiteCity.dat.gz

gzip -d GeoLiteCityv6.dat.gz

Rename the files and move them to the appropriate directory:

sudo mv GeoLiteCity.dat /usr/share/GeoIP/GeoIPCity.dat

sudo mv GeoLiteCityv6.dat /usr/share/GeoIP/GeoIPCityv6.dat

Install Bro

Clone the repository from GitHub:
git clone --recursive git://git.bro.org/bro

cd bro

./configure

Build the program:
make

You'll see a percentage completion at the beginning of most lines of output as it runs.

sudo make install

sudo nano /etc/profile.d/3rd-party.sh

Copy and paste the following lines into it:

# Expand PATH to include the path to Bro's binaries

export PATH=$PATH:/usr/local/bro/bin

source /etc/profile.d/3rd-party.sh

Configurations

Configuring Which Nodes to Monitor

Open the file for editing:

sudo nano /usr/local/bro/etc/node.cfg

Under the bro section, look for the interface parameter. It's etho0 by default, and this should match the public interface of your Ubuntu 16.04 server. If it's not, make sure to update it:

[bro]
type=standalone
host=localhost
interface=eth0
Configuring the Node's Private Networks

sudo nano /usr/local/bro/etc/networks.cfg

By default, the file comes with the three private IP blocks already configured. Delete the existing three entries, then add your own:

203.0.113.0/24          Public IP space
198.51.100.0/24         Private IP space
Configuring Mail and Logging Settings

sudo nano /usr/local/bro/etc/broctl.cfg

Under the Mail Options section at the top of the file, look for the MailTo parameter and change it to a valid email address that you control. All Bro email alerts will be sent to that address.

BroControl

BroControl is used for managing Bro installations.
sudo /usr/local/bro/bin/broctl deploy

You should also run this command whenever changes are made to the configuration files or scripts.

Check Bro's status:
sudo /usr/local/bro/bin/broctl status