Bro is an open-source network analysis framework and security monitoring application. It can perform signature and behavior-based analysis and detection, but the bulk of what it does is behavior-based analysis and detection. Features include the ability to:
- Detect brute-force attacks against network services like SSH and FTP
- Perform HTTP traffic monitoring and analysis
- Detect changes in installed software
- Perform SSL/TLS certificate validation
- Detect SQL injection attacks
- Perform file integrity monitoring of all files
- Send activity, summary and crash reports and alerts via email
- Perform geolocation of IP addresses to city-level
- Operate in standalone or distributed mode
You will need an Ubuntu 16.04 server with a firewall configured, a non-root user account with sudo privileges, and Postfix installed as a send-only mail transfer agent (MTA).
Open your terminal using:
Ctrl+Alt+T
and run the following commands:
Dependencies
sudo apt-get update
You will be prompted for your password. Type it carefully, as the terminal gives no visual feedback while you type.
Install the necessary dependencies at once:
sudo apt-get install bison cmake flex g++ gdb make libmagic-dev libpcap-dev libgeoip-dev libssl-dev python-dev swig2.0 zlib1g-dev
Database
We will download both the IPv4 and IPv6 GeoIP databases, which Bro depends on for IP address geolocation:
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCityv6-beta/GeoLiteCityv6.dat.gz
Decompress both files:
gzip -d GeoLiteCity.dat.gz
gzip -d GeoLiteCityv6.dat.gz
Rename the files and move them to the directory where Bro expects to find them:
sudo mv GeoLiteCity.dat /usr/share/GeoIP/GeoIPCity.dat
sudo mv GeoLiteCityv6.dat /usr/share/GeoIP/GeoIPCityv6.dat
Install Bro
Clone the repository from GitHub (the --recursive flag also pulls in the submodules the build needs), then change into the source directory and configure the build:
git clone --recursive git://git.bro.org/bro
cd bro
./configure
Build the program:
make
You'll see a percentage completion at the beginning of most lines of output as it runs.
Install the compiled program:
sudo make install
Bro installs under /usr/local/bro, so add its bin directory to your PATH by creating a profile script:
sudo nano /etc/profile.d/3rd-party.sh
Copy and paste the following lines into it:
# Expand PATH to include the path to Bro's binaries
export PATH=$PATH:/usr/local/bro/bin
Save the file, then load it into your current shell so the change takes effect without logging out:
source /etc/profile.d/3rd-party.sh
Configurations
Configuring Which Nodes to Monitor
Open the file for editing:
sudo nano /usr/local/bro/etc/node.cfg
Under the [bro] section, look for the interface parameter. It is eth0 by default, and it should match the public interface of your Ubuntu 16.04 server. If it does not, update it:
[bro]
type=standalone
host=localhost
interface=eth0
Configuring the Node's Private Networks
Open the networks file for editing:
sudo nano /usr/local/bro/etc/networks.cfg
By default, the file comes with the three private IP blocks already configured. Delete the existing three entries, then add your own, one network per line in the form of a CIDR block followed by a description:
203.0.113.0/24 Public IP space
198.51.100.0/24 Private IP space
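A mistake in either of the two files above is only reported when BroControl tries to deploy, so it is worth checking them first. The following is an added example, not part of Bro or BroControl: a small set of shell functions that confirm the interface named in node.cfg actually exists on the host (by looking it up under /sys/class/net, or under a directory you pass in) and that every entry in networks.cfg starts with a well-formed IPv4 CIDR. The sample configuration files and the fake sysfs tree it builds are constructed for illustration.

```shell
#!/usr/bin/env bash
# Pre-deploy sanity checks for Bro's node.cfg and networks.cfg.
# Added example; not part of Bro or BroControl. The sample files and the
# fake "net" directory created by make_sample_tree are constructed here.

# Return 0 if the first interface= line in a node.cfg-style file names an
# interface that exists under netdir (default: the real /sys/class/net).
check_node_interface() {
    cfg="$1"
    netdir="${2:-/sys/class/net}"
    iface=$(sed -n 's/^[[:space:]]*interface[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$cfg" | head -n 1)
    if [ -z "$iface" ]; then
        echo "no interface= line found in $cfg" >&2
        return 1
    fi
    if [ ! -e "$netdir/$iface" ]; then
        echo "interface '$iface' from $cfg does not exist on this host" >&2
        return 1
    fi
    return 0
}

# Return 0 if the argument is a syntactically valid IPv4 CIDR (a.b.c.d/n):
# four decimal octets in 0..255 and a prefix length in 0..32.
is_ipv4_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%%/*}
    plen=${1#*/}
    case "$plen" in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    old_ifs=$IFS
    IFS=.
    set -- $addr            # split the address into its dotted octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if every non-blank, non-comment line in a networks.cfg-style
# file begins with a valid IPv4 CIDR; report each offending line.
validate_networks_cfg() {
    cfg="$1"
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|\#*) continue ;; esac
        cidr=${line%%[[:space:]]*}   # first whitespace-delimited field
        if ! is_ipv4_cidr "$cidr"; then
            echo "bad CIDR '$cidr' in $cfg" >&2
            status=1
        fi
    done < "$cfg"
    return $status
}

# Build a constructed sample tree (node.cfg, a good and a bad networks.cfg,
# and a fake sysfs net directory containing eth0) and print its path.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/net/eth0"
    printf '[bro]\ntype=standalone\nhost=localhost\ninterface=eth0\n' > "$dir/node.cfg"
    printf '# constructed sample\n203.0.113.0/24 Public IP space\n198.51.100.0/24 Private IP space\n' > "$dir/networks.cfg"
    printf '203.0.113.0/24 Public IP space\n198.51.100.0/33 prefix too long\n' > "$dir/networks-bad.cfg"
    printf '%s\n' "$dir"
}

# Stand-alone run: exercise the checks against the constructed sample tree.
sample=$(make_sample_tree)
check_node_interface "$sample/node.cfg" "$sample/net" && echo "node.cfg: OK"
validate_networks_cfg "$sample/networks.cfg" && echo "networks.cfg: OK"
validate_networks_cfg "$sample/networks-bad.cfg" || echo "networks-bad.cfg: rejected as expected"
rm -rf "$sample"
```

On a real host, call check_node_interface /usr/local/bro/etc/node.cfg (with no second argument, so the real /sys/class/net is consulted) and validate_networks_cfg /usr/local/bro/etc/networks.cfg before deploying. The interface check only looks at the first interface= line, which is all a standalone node.cfg has; a cluster configuration with several worker sections would need each one checked.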
Configuring Mail and Logging Settings
Open the BroControl configuration file for editing:
sudo /usr/local/bro/bin/broctl deploy
Under the Mail Options section at the top of the file, look for the MailTo parameter and change it to a valid email address that you control. All Bro email alerts will be sent to that address.
BroControl
BroControl is used for managing Bro installations. Deploy the configuration and start Bro:
sudo /usr/local/bro/bin/broctl deploy
You should also run this command whenever you change the configuration files or scripts, so that the running instance picks up the changes.
Check Bro's status:
sudo /usr/local/bro/bin/broctl status