Friday, September 28, 2018

Installing Bro 2.6-beta2

In this post we are looking at installing Bro network and security monitoring framework. I happen to teach this tool in the SANS SEC503 - Intrusion Detection In Depth class and find this to be quite a wonderful tool. As a result, I thought I should put together a quick blog post on its installation and then I can probably build on this post in the future.

Let's get this show on the road.

First up I will be installing on Ubuntu 18.04 (bionic)

root@n3-monitoring:~# lsb_release --all
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 18.04.1 LTS
Release:        18.04
Codename:       bionic

First I created a directory for "bro" under "/opt"

root@securitynik:~# mkdir /opt/bro

Then installed the necessary dependencies

sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev

Then install geoip

apt-get install libgeoip-dev -y

Change to the GeoIP database directory

root@securitynik:~# cd /usr/share/GeoIP/

Download the GeoIP files

root@securitynik:~# wget

Unzip the GeoLiteCity files

root@securitynik:~# gunzip GeoLiteCity.dat.gz

Renamed the GeoIP files

root@securitynik:/usr/share/GeoIP# mv GeoLiteCity.dat GeoIPCity.dat

Next up, in my case I switched to the /tmp directory with "cd /tmp", downloaded the file and then untarred it.

cd /tmp
root@securitynik:/tmp# wget
root@securitynik:/tmp# tar -zxvf bro-2.6-beta2.tar.gz

Once the files have been extracted, we change into the "bro-2.6-beta2" directory and run the "configure" script, pointing the install prefix at /opt/bro:

root@securitynik:/tmp# cd bro-2.6-beta2
root@securitynik:/tmp/bro-2.6-beta2# ./configure --prefix=/opt/bro

====================|  Bro Build Summary  |=====================

Build type:        RelWithDebInfo
Build dir:         /tmp/bro-2.6-beta2/build
Install prefix:    /opt/bro
Bro Script Path:   /opt/bro/share/bro
Debug mode:        false

CC:                /usr/bin/cc
CFLAGS:             -Wall -Wno-unused -O2 -g -DNDEBUG
CXX:               /usr/bin/c++
CXXFLAGS:           -Wall -Wno-unused -std=c++11 -O2 -g -DNDEBUG
CPP:               /usr/bin/c++

Broccoli:          false
Broctl:            true
Aux. Tools:        true

libmaxminddb:      false
Kerberos:          false
gperftools found:  false
        tcmalloc:  false
       debugging:  false
jemalloc:          false


Once configure completes, run make followed by make install

root@securitynik:/tmp/bro-2.6-beta2# make
root@securitynik:/tmp/bro-2.6-beta2# make install
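The steps above work fine typed one at a time, but when the same build is repeated on several sensors it is worth scripting and, in particular, checking the "Bro Build Summary" that configure prints before spending time on make: a feature the deployment relies on that shows as "false" there (Broctl, or libmaxminddb for GeoIP lookups, which the summary above reports as not found) will simply be absent from the resulting binary. The following is an added example, not code from the original post or from the Bro project: the build wrapped in POSIX sh functions with a parser for the summary. BRO_TARBALL_URL is a placeholder since the post does not reproduce the download URL, and an apt-based host is assumed.

```shell
#!/bin/sh
# Added example, not from the original post: the source build wrapped in
# functions, plus a check of the "Bro Build Summary" that ./configure prints
# so an unattended install stops when a needed feature was not found.
set -e

PREFIX=/opt/bro
SRC=/tmp/bro-2.6-beta2
# Placeholder: the real tarball URL is not reproduced in the post.
BRO_TARBALL_URL="${BRO_TARBALL_URL:-https://example.invalid/bro-2.6-beta2.tar.gz}"
CONFIGURE_LOG=/tmp/bro-configure.log

# Build and GeoIP dependencies, as installed in the post.
install_deps() {
    apt-get install -y cmake make gcc g++ flex bison libpcap-dev libssl-dev \
        python-dev swig zlib1g-dev libgeoip-dev
}

# Print the value of one "Name: value" line of a build summary read from
# stdin, with surrounding blanks stripped, or "missing" if no such line.
summary_feature() {
    awk -v key="$1" -F ':' '
        { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k) }
        k == key { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; found = 1; exit }
        END { if (!found) print "missing" }'
}

# Succeed only when every feature named in the arguments reports "true"
# in the summary read from stdin; name the first one that does not.
require_features() {
    summary=$(cat)
    for f in "$@"; do
        v=$(printf '%s\n' "$summary" | summary_feature "$f")
        if [ "$v" != "true" ]; then
            echo "build summary: $f is $v, stopping" >&2
            return 1
        fi
    done
    return 0
}

# Fetch, configure, verify the summary, build, install and link the binary.
build_bro() {
    cd /tmp
    wget -O bro-2.6-beta2.tar.gz "$BRO_TARBALL_URL"
    tar -zxvf bro-2.6-beta2.tar.gz
    cd "$SRC"
    ./configure --prefix="$PREFIX" > "$CONFIGURE_LOG" 2>&1 || { cat "$CONFIGURE_LOG"; exit 1; }
    cat "$CONFIGURE_LOG"
    # Broctl is needed for the management steps later in the post; add
    # libmaxminddb to this list if the sensor must do GeoIP lookups.
    require_features Broctl < "$CONFIGURE_LOG"
    make
    make install
    ln -sf "$PREFIX/bin/bro" /usr/bin/bro
}

# Constructed copy of the summary lines shown in the post, used as a self-check.
SAMPLE_SUMMARY='Build type:        RelWithDebInfo
Install prefix:    /opt/bro
Broccoli:          false
Broctl:            true
Aux. Tools:        true
libmaxminddb:      false
Kerberos:          false
gperftools found:  false
        tcmalloc:  false'

# The install runs only when asked for explicitly: sh install-bro.sh install
if [ "${1:-}" = "install" ]; then
    mkdir -p "$PREFIX"
    install_deps
    build_bro
fi
```

Run with the single argument `install` to perform the build; without it the script only defines the functions, which is what makes the summary parser easy to exercise on a saved configure log (`summary_feature Broctl < /tmp/bro-configure.log`).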

Let's now create a symbolic link for bro

root@securitynik:/opt/tmp# ln -s /opt/bro/bin/bro /usr/bin/bro

Let's now install bro-cut via bro-aux

root@securitynik:/opt/tmp# apt-get install bro-aux

Then let's install broctl

root@securitynik:/opt/tmp# apt-get install broctl

Once the install is finished, let's run bro to see what we get:

root@securitynik:/opt/tmp# bro --iface enp0s25
listening on enp0s25

After running bro for a few minutes, ls shows the logs it has started writing:

root@securitynik:/opt/tmp# ls *.log
conn.log  packet_filter.log  reporter.log  syslog.log  weird.log

Looks good. Let's now move on to configuring bro.
