The Bro Network Security Monitor is an open source network monitoring framework. In a nutshell, Bro monitors packet flows over a network with a network tap installed with optional bonded network interfaces, and creates high-level “flow” events from them and stores the events as single tab-separated lines in a log file. You can then parse these log files to data mine for information about the network traffic on the network you are monitoring. These logs include not only a comprehensive record of every connection seen on the wire, but also application-layer transcripts such as all HTTP sessions with their requested URIs, key headers, MIME types, server responses, DNS requests with replies, SSL certificates, key content of SMTP sessions, and much more.
This article assumes you have at least basic knowledge of Linux, know how to use the shell, and most importantly, you host your site on your own VPS. The installation is quite simple and assumes you are running in the root account, if not you may need to add ‘sudo’ to the commands to get root privileges. I will show you through the step by step installation Bro Network Security Monitor in Ubuntu 16.04 LTS Xenial Xerus.
Install Bro Network Security Monitor on Ubuntu 16.04 LTS
Step 1. First make sure that all your system packages are up-to-date by running these following apt-get commands in the terminal.
sudo apt-get update
sudo apt-get upgrade
Step 2. Install Required Dependencies.
Install all the required dependencies, by executing the following command:
apt-get install cmake make gcc g++ flex git bison python-dev swig libpcap-dev libssl-dev zlib1g-dev
Step 3. Installing GeoIP Database for IP Geolocation.
You will also need to install GeoIP to your system. You can install it with the following command:
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCityv6-beta/GeoLiteCityv6.dat.gz
gzip -d GeoLiteCity.dat.gz
gzip -d GeoLiteCityv6.dat.gz
Now move the GeoIP files over to the default location /usr/share/GeoIP/, we need to rename them to match the location that Bro is expecting:
mv GeoLiteCity.dat /usr/share/GeoIP/GeoIPCity.dat
mv GeoLiteCityv6.dat /usr/share/GeoIP/GeoIPCityv6.dat
Step 4. Installing Bro Network Security Monitor.
First, download the latest version of the Bro source from their website. You can do this with the following command:
wget https://www.bro.org/downloads/bro-2.5.1.tar.gz
tar zxvf bro-2.5.1.tar.gz
cd bro-2.5.1
./configure
make
make install
Once the Bro is installed, adjust your PATH environment with the following command:
export PATH=/usr/local/bro/bin:$PATH
Step 5. Configure Bro Network Security Monitor.
Bro is a powerful tool, to get started quickly we will follow the guide on the project page.
Edit the following files before starting:
$PREFIX/etc/node.cfg -- configure network interface to monitor
$PREFIX/etc/networks.cfg -- configure local networks
$PREFIX/etc/broctl.cfg -- change MailTo address and the log rotation
To start the program simply enter broctl at a shell.
You are now in the broctl shell, from where you can give bro commands.
[BroControl] >
The first command to run, since this is a new installation is to run install. We will then run start:
[BroControl] > install
warning: cannot read '/opt/bro2/spool/broctl.dat' (this is ok on first run)
creating policy directories ... done.
installing site policies ... done.
generating standalone-layout.bro ... done.
generating local-networks.bro ... done.
generating broctl-config.bro ... done.
updating nodes ... done.
[BroControl] > start
starting bro ...
[BroControl] > status
Name Type Host Status Pid Peers Started
bro standalone localhost running 23465 0 21 Jul 10:11:55
You now have Bro Network Security Monitor running on your system.
Congratulation’s! You have successfully installed Bro. Thanks for using this tutorial for installing Bro Network Security Monitor on your Ubuntu 16.04 LTS system. For additional help or useful information, we recommend you to check the official Bro Network Security Monitor web site.