In this post we are looking at installing the Bro network security monitoring framework. I happen to teach this tool in the SANS SEC503 - Intrusion Detection In Depth class and find it to be quite a wonderful tool. As a result, I thought I should put together a quick blog post on its installation, which I can build on in future posts.
Let's get this show on the road.
First up, I will be installing on Ubuntu 18.04 (bionic):
root@n3-monitoring:~# lsb_release --all
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.1 LTS
Release: 18.04
Codename: bionic
First I created a directory for "bro" under "/opt", which will be the install prefix passed to configure later:
root@securitynik:~# mkdir /opt/bro
Then installed the necessary build dependencies:
sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev
Then install the legacy GeoIP development library:
apt-get install libgeoip-dev -y
Change to the GeoIP database directory:
root@securitynik:~# cd /usr/share/GeoIP/
Download the GeoLite City database:
root@securitynik:~# wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
Unzip the GeoLiteCity file:
root@securitynik:~# gunzip GeoLiteCity.dat.gz
Rename it to the file name Bro looks for:
root@securitynik:/usr/share/GeoIP# mv GeoLiteCity.dat GeoIPCity.dat
Next up, I switched to the /tmp directory, downloaded the Bro 2.6 beta2 tarball and untarred it:
cd /tmp
root@securitynik:/tmp# wget https://www.bro.org/downloads/beta/bro-2.6-beta2.tar.gz
root@securitynik:/tmp# tar -zxvf bro-2.6-beta2.tar.gz
Once the files have been extracted, change into the "bro-2.6-beta2" directory and run the "configure" script, pointing it at the install prefix created earlier:
root@securitynik:/tmp# cd bro-2.6-beta2
root@securitynik:/tmp/bro-2.6-beta2# ./configure --prefix=/opt/bro
====================| Bro Build Summary |=====================
Build type: RelWithDebInfo
Build dir: /tmp/bro-2.6-beta2/build
Install prefix: /opt/bro
Bro Script Path: /opt/bro/share/bro
Debug mode: false
CC: /usr/bin/cc
CFLAGS: -Wall -Wno-unused -O2 -g -DNDEBUG
CXX: /usr/bin/c++
CXXFLAGS: -Wall -Wno-unused -std=c++11 -O2 -g -DNDEBUG
CPP: /usr/bin/c++
Broccoli: false
Broctl: true
Aux. Tools: true
libmaxminddb: false
Kerberos: false
gperftools found: false
tcmalloc: false
debugging: false
jemalloc: false
================================================================
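The summary is the only place configure tells you which optional pieces were found, and it is easy to scroll past. The following added example (my own shell snippet, not part of the original post or of Bro) parses a copy of such a summary and fails when a feature you rely on reads "false"; the summary text embedded in it is a constructed, trimmed copy of the one above, and the libmaxminddb-dev package name is the Ubuntu package I would install to fix that particular line.

```shell
#!/bin/sh
# Added example: gate the build on the "Bro Build Summary" that ./configure prints.
# This is not part of Bro; it only inspects the summary text saved to a file.

# Write a constructed, trimmed copy of the configure summary from this post.
# In practice you would capture it with: ./configure --prefix=/opt/bro | tee configure.log
write_sample_summary() {
  cat > "$1" <<'EOF'
====================| Bro Build Summary |=====================
Build type:        RelWithDebInfo
Install prefix:    /opt/bro
Broctl:            true
Aux. Tools:        true
libmaxminddb:      false
Kerberos:          false
================================================================
EOF
}

# Return 0 if every feature named in $2.. reads "true" in the summary file $1;
# otherwise print the ones that are missing or false and return 1.
check_build_summary() {
  file=$1; shift
  missing=""
  for feature in "$@"; do
    # Summary lines look like "Broctl:            true": split on the colon
    # and the padding after it, then compare the label exactly.
    value=$(awk -F': *' -v f="$feature" '$1 == f { print $2 }' "$file")
    case "$value" in
      true) ;;
      *) missing="$missing $feature" ;;
    esac
  done
  if [ -n "$missing" ]; then
    echo "configure did not enable:$missing" >&2
    return 1
  fi
  return 0
}

# Usage: check the sample summary before deciding to run make.
summary=$(mktemp)
write_sample_summary "$summary"
check_build_summary "$summary" Broctl "Aux. Tools" && echo "broctl and aux tools will be built"
# GeoIP lookups in Bro 2.6 need libmaxminddb, so this check fails on the sample:
check_build_summary "$summary" libmaxminddb || echo "install libmaxminddb-dev and re-run ./configure"
rm -f "$summary"
```

Run it against the real summary by replacing the constructed file with the saved configure output; a non-zero exit is the signal to fix dependencies before spending the time on make.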
Once configure completes, run make followed by make install. One caveat before doing so: the summary above reports "libmaxminddb: false". Bro 2.6 moved its GeoIP support from the legacy libGeoIP library to libmaxminddb (the MaxMind DB, or GeoIP2, format), so this particular build will not perform GeoIP lookups, and the GeoIPCity.dat file set up above will go unused until libmaxminddb-dev is installed and configure is re-run.
root@securitynik:/tmp/bro-2.6-beta2# make
root@securitynik:/tmp/bro-2.6-beta2# make install
Let's now create a symbolic link so that bro is on the default PATH:
root@securitynik:/opt/tmp# ln -s /opt/bro/bin/bro /usr/bin/bro
Let's now install bro-cut via the bro-aux package. Note that the configure summary shows "Broctl: true" and "Aux. Tools: true", so the source build has already placed its own broctl and bro-cut under /opt/bro/bin; the apt packages below pull in Ubuntu's separately packaged Bro (the 2.5 series in bionic), so afterwards check with "which -a bro-cut" and "which -a broctl" which copy comes first on your PATH.
root@securitynik:/opt/tmp# apt-get install bro-aux
Then let's install broctl the same way:
root@securitynik:/opt/tmp# apt-get install broctl
Once the install is finished, let's run bro against a live interface to see what we get:
root@securitynik:/opt/tmp# bro --iface enp0s25
listening on enp0s25
After bro has run for a few minutes, an ls in the working directory shows the logs it has written:
root@securitynik:/opt/tmp# ls *.log
conn.log packet_filter.log reporter.log syslog.log weird.log
Looks good. Let's now move on to configuring bro.
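Before moving on, it is worth seeing what is inside those logs, since every Bro log shares the same layout: a few "#" header lines, of which "#fields" names the columns, followed by tab-separated records. bro-cut uses that header to pull out columns by name. The following added example (my own shell and awk, not code from the post or from Bro) does the same thing on a small constructed conn.log so it runs offline, and then uses it for a first hunting question, which connections lived unusually long. The log rows, addresses and uids are made up; the column names and header lines follow the real conn.log format.

```shell
#!/bin/sh
# Added example: emulate "bro-cut" with awk on a Bro TSV log, then use it to
# find long-lived connections. Not part of Bro; the sample log is constructed.

# Write a constructed conn.log. Real logs start with "#separator \x09" and
# carry the column names in the "#fields" header line.
make_sample_conn_log() {
  {
    printf '#separator \\x09\n'
    printf '#set_separator\t,\n'
    printf '#empty_field\t(empty)\n'
    printf '#unset_field\t-\n'
    printf '#path\tconn\n'
    printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\n'
    printf '#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring\n'
    printf '1540000000.123456\tCabc1\t192.0.2.10\t51234\t198.51.100.5\t443\ttcp\tssl\t12.5\t2048\t10240\tSF\n'
    printf '1540000001.000000\tCabc2\t192.0.2.11\t53344\t198.51.100.9\t22\ttcp\tssh\t3600.2\t50000\t900000\tSF\n'
    printf '1540000002.500000\tCabc3\t192.0.2.10\t40000\t203.0.113.7\t53\tudp\tdns\t0.02\t60\t120\tSF\n'
    printf '#close\t2018-10-20-00-00-03\n'
  } > "$1"
}

# Print the named columns of a Bro log, tab-separated, in the order requested.
# Unknown column names print "-" (Bro's own unset marker) rather than failing.
# Usage: bro_cut <logfile> <field> [<field>...]
bro_cut() {
  log=$1; shift
  awk -F'\t' -v want="$*" '
    BEGIN { n = split(want, names, " ") }
    # "#fields" is $1 on the header line, so column name $i is data column i-1.
    /^#fields/ { for (i = 2; i <= NF; i++) col[$i] = i - 1; next }
    /^#/ { next }
    {
      line = ""
      for (i = 1; i <= n; i++) {
        if (names[i] in col) { c = col[names[i]]; v = $c } else { v = "-" }
        line = line (i > 1 ? "\t" : "") v
      }
      print line
    }' "$log"
}

# List connections whose duration exceeds a threshold in seconds as
# "uid orig_h resp_h resp_p duration". Long-lived sessions are a common first
# cut when looking for tunnels, reverse shells or persistent C2 channels.
long_connections() {
  log=$1; threshold=$2
  bro_cut "$log" uid id.orig_h id.resp_h id.resp_p duration |
    awk -F'\t' -v t="$threshold" '$5 != "-" && $5 + 0 > t + 0 { print $1, $2, $3, $4, $5 }'
}

# Usage on the constructed log.
sample=$(mktemp)
make_sample_conn_log "$sample"
echo "== uid, responder host and port, service =="
bro_cut "$sample" uid id.resp_h id.resp_p service
echo "== connections longer than 1800 seconds =="
long_connections "$sample" 1800
rm -f "$sample"
```

On a real system the bro_cut function is simply "bro-cut uid id.resp_h id.resp_p service < conn.log"; the point of spelling it out is that the "#fields" header, not the column position, is what makes a Bro log self-describing, which is also why adding or removing fields in a policy script does not break consumers that select by name.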
References:
https://www.bro.org/sphinx/install/install.html
https://blog.rapid7.com/2017/06/24/how-to-install-and-configure-bro-on-ubuntu-linux/
https://www.bro.org/sphinx/frameworks/geoip.html
https://bro-tracker.atlassian.net/browse/BIT-1775