How to Install Bro IDS on Ubuntu 16.04

By Hitesh Jethva, Alibaba Cloud Tech Share Author. Tech Share is Alibaba Cloud’s incentive program to encourage the sharing of technical knowledge and best practices within the cloud community.

Bro is a free, open-source network analysis framework that is widely used for network security monitoring (the project has since been renamed Zeek). Rather than matching packet signatures like a typical IDS, Bro parses traffic into application-layer events, writes them to structured logs, and lets you express detection logic in its scripting language, so it can flag behaviour such as brute-force attacks against network services, port scans and SQL injection attempts. It is built for high-throughput links and is typically deployed at a site's upstream link, fed by a tap or mirror port, where it sees all traffic entering and leaving the network. Bro ships with analyzers for many protocols, enabling high-level semantic analysis at the application layer, and is used by major universities, supercomputing centers and research labs.

In this tutorial, we will be installing and configuring Bro IDS on an Alibaba Cloud Elastic Compute Service (ECS) Ubuntu 16.04 server.

Requirements

  • A fresh Alibaba Cloud Ubuntu 16.04 instance.
  • A root password is set for your instance.
  • A static IP address (192.168.0.105 in this tutorial) is assigned to your instance.

Launch Alibaba Cloud ECS Instance

First, Login to your Alibaba Cloud ECS Console. Create a new ECS instance, choosing Ubuntu 16.04 as the operating system with at least 2GB RAM. Connect to your ECS instance and log in as the root user.

Once you are logged into your Ubuntu 16.04 instance, refresh the package index and bring the installed packages up to date (apt-get update only refreshes the index; the upgrade step applies the updates):

apt-get update && apt-get upgrade -y

Install Required Packages

Before starting, install the build tools and libraries Bro needs: cmake, a C++ compiler, flex and bison, Python headers and swig for BroControl, and the libpcap, OpenSSL, zlib and GeoIP development packages:

apt-get install -y cmake make gcc g++ flex git bison python-dev swig libgeoip-dev libpcap-dev libssl-dev zlib1g-dev

Next, download the MaxMind GeoLite legacy city databases, which Bro uses to fill the remote_location.* columns of notice.log. Two caveats: MaxMind has since discontinued these legacy downloads, and the URLs below are plain HTTP, so treat the files as untrusted data. A missing or stale database only leaves the geolocation fields unset; it does not affect detection.

mkdir -p /usr/share/GeoIP && cd /usr/share/GeoIP/
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCityv6-beta/GeoLiteCityv6.dat.gz

The downloads are gzip-compressed single files, not tar archives, so decompress them with gunzip:

gunzip GeoLiteCity.dat.gz
gunzip GeoLiteCityv6.dat.gz

Next, rename them to the file names libGeoIP looks for by default. The IPv6 database keeps its v6 suffix; renaming both files to the same name would overwrite the IPv4 database:

mv GeoLiteCity.dat GeoIPCity.dat
mv GeoLiteCityv6.dat GeoIPCityv6.dat

Install Bro IDS

Next, download the Bro source tarball. This tutorial uses release 2.4.1; check the project's download page for the current release, and prefer fetching it over HTTPS rather than the plain-HTTP URL below so that the source you compile cannot be tampered with in transit:

wget http://www.bro.org/downloads/release/bro-2.4.1.tar.gz

Once the download is completed, extract the downloaded file with the following command:

tar -xvzf bro-2.4.1.tar.gz

Next, create a directory for Bro installation:

mkdir /opt/bro

Next, change the directory to the bro-2.4.1 and configure it with the following command:

cd bro-2.4.1
./configure --prefix=/opt/bro

Output:

Broker:
Broccoli:          true
Broctl:            true
Aux. Tools:        true
GeoIP:             true
gperftools found:  false
   tcmalloc:       false
   debugging:      false
jemalloc:          false
================================================================
-- Configuring done
-- Generating done
-- Build files have been written to: /root/bro-2.4.1/build

Next, install Bro with the following command:

make 
make install

Once the installation is completed, you should see the following Output:

-- Set runtime path of "/opt/bro/lib/broctl/_SubnetTree.so" to "/opt/bro/lib"
-- Installing: /opt/bro/bin/capstats
-- Set runtime path of "/opt/bro/bin/capstats" to "/opt/bro/lib"
-- Installing: /opt/bro/bin/trace-summary
-- Installing: /opt/bro/share/man/man1/trace-summary.1
-- Installing: /opt/bro/bin/bro-cut
-- Installing: /opt/bro/share/man/man1/bro-cut.1
-- Installing: /opt/bro/etc/broccoli.conf
-- Installing: /opt/bro/bin/broccoli-config
-- Installing: /opt/bro/lib/libbroccoli.so.5.1.0
-- Installing: /opt/bro/lib/libbroccoli.so.5
-- Installing: /opt/bro/lib/libbroccoli.so
-- Set runtime path of "/opt/bro/lib/libbroccoli.so.5.1.0" to "/opt/bro/lib"
-- Installing: /opt/bro/lib/libbroccoli.a
-- Installing: /opt/bro/include/broccoli.h
-- Installing: /opt/bro/lib/broctl/broccoli.py
-- Installing: /opt/bro/lib/broctl/_broccoli_intern.so
-- Set runtime path of "/opt/bro/lib/broctl/_broccoli_intern.so" to "/opt/bro/lib"
-- Installing: /opt/bro/lib/broctl/broccoli_intern.py
make[1]: Leaving directory '/root/bro-2.4.1/build'

Next, add Bro's bin directory to your PATH for the current shell:

export PATH=/opt/bro/bin:$PATH

To make the change permanent, add the same line to ~/.profile:

nano ~/.profile

Add the following line:

export PATH=/opt/bro/bin:$PATH

Save and close the file, when you are finished.

Configure Bro IDS

First, you will need to specify the network interface which you want to monitor. You can do this by editing /opt/bro/etc/node.cfg file:

nano /opt/bro/etc/node.cfg

Set interface to the interface that carries the traffic you want to inspect. Ubuntu 16.04 uses predictable interface names, so on an ECS instance it may be eth0 or something like ens3; check with ip link before editing:

[bro] 
type=standalone
host=localhost
interface=eth0

Save and close the file. Then, specify the IP ranges Bro should treat as local. These populate Site::local_nets, which decides whether a notice is tagged local or remote, so they should match the address ranges actually assigned to your VPC:

nano /opt/bro/etc/networks.cfg

Add lines of the form <prefix> <description>, for example:

192.168.1.0/24 Private IP space
192.168.0.0/16 Private IP space

The second entry already covers the first; the redundancy is harmless, but replace both with your own ranges.

Save and close the file. Then, configure broctl.cfg for mail and logging settings:

nano /opt/bro/etc/broctl.cfg

Make the following changes:

# Mail Options

# Recipient address for all emails sent out by Bro and BroControl.
MailTo = admin@example.com

BroControl hands these messages to the local sendmail binary (the SendMail option in the same file), so an MTA must be installed and configured on the instance for them to be delivered.

Save and close the file. Then deploy the configuration; broctl deploy checks it, installs it under /opt/bro/spool and (re)starts the node:

broctl deploy

Output:

checking configurations ...
installing ...
removing old policies in /opt/bro/spool/installed-scripts-do-not-touch/site ...
removing old policies in /opt/bro/spool/installed-scripts-do-not-touch/auto ...
creating policy directories ...
installing site policies ...
generating standalone-layout.bro ...
generating local-networks.bro ...
generating broctl-config.bro ...
generating broctl-config.sh ...
updating nodes ...
stopping ...
stopping bro ...
starting ...
starting bro ...

Next, you can check the status of Bro service with the following command:

broctl status

Output:

Getting process status ...
Getting peer status ...
Name Type Host Status Pid Peers Started
bro standalone localhost running 22983 0 27 Oct 23:16:55

You can also start, restart and stop Bro service with the following command:

broctl start
broctl restart
broctl stop

Configure Cron for Bro

Next, set up a cron job for Bro. broctl cron performs BroControl's periodic housekeeping: it restarts nodes that have crashed, expires old logs and checks free disk space. Create /etc/cron.d/bro:

nano /etc/cron.d/bro

Make the following changes:

*/5 * * * * root /opt/bro/bin/broctl cron

Save and close the file. Then, restart Cron service with the following command:

systemctl restart cron

Next, add Bro to /etc/rc.local so that it starts at boot:

nano /etc/rc.local

Add the following line before the final exit 0 (rc.local must remain executable; Ubuntu 16.04 runs it through the rc-local compatibility service):

/opt/bro/bin/broctl start

Save and close the file, when you are finished.

Test Bro IDS

Bro IDS is now installed and running. It’s time to test Bro IDS.

From a second host you control (192.168.0.104 in the output below), run a Nmap SYN scan against the server. -Pn skips host discovery, and -sS requires root on the scanning host:

nmap -Pn -sS 192.168.0.105

Next, go to the server machine and check notice.log (conn.log is examined next):

tail -f /opt/bro/logs/current/notice.log

You should see the following output:

#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path notice
#open 2018-10-27-23-25-55
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double
1540662955.235634 - - - - - - - - - Scan::Port_Scan 192.168.0.104 scanned at least 15 unique ports of host 192.168.0.105 in 0m1s local 192.168.0.104 192.168.0.105 - - bro Notice::ACTION_LOG 3600.000000 F - - - - -
1540662964.587979 - - - - - - - - - PacketFilter::Dropped_Packets 1162 packets dropped after filtering, 2621 received, 2621 on link - - - - - bro Notice::ACTION_LOG 3600.000000 F- - - - -

The second notice deserves attention: 1162 of 2621 packets dropped means the sensor missed roughly 44% of the traffic during the scan, so the port counts in conn.log are a lower bound. A small instance can be saturated by a single nmap burst; persistent Dropped_Packets notices on real traffic call for a larger instance or a cluster deployment.

Next, check the conn.log file:

tail -f /opt/bro/logs/current/conn.log

You should see entries like the following. Each REJ line with history Sr is one probe answered by a RST, i.e. a closed port, and the near-zero duration and byte counts are characteristic of a SYN scan; the remaining lines are background mDNS, SSDP and NTP traffic on the segment:

1540662964.810179 CjKrCF2qvnQdIf4Qf7 192.168.0.104 48691 192.168.0.105 5678 tcp - 0.000011 0 0 REJ T T 0 Sr 1 44 1 40 (empty)
1540662964.810226 CeH5hL24qgTK2Dmx61 192.168.0.104 48691 192.168.0.105 1043 tcp - 0.000010 0 0 REJ T T 0 Sr 1 44 1 40 (empty)
1540662964.909912 C1KWIM3Y8LUW0T9cVe 192.168.0.104 48692 192.168.0.105 5678 tcp - 0.000039 0 0 REJ T T 0 Sr 1 44 1 40 (empty)
1540662964.910039 CdvPG22cukVMONXJ5l 192.168.0.104 48692 192.168.0.105 1688 tcp - 0.000011 0 0 REJ T T 0 Sr 1 44 1 40 (empty)
1540662964.910087 C8nAx11w44P6iJKBdg 192.168.0.104 48692 192.168.0.105 1132 tcp - 0.000009 0 0 REJ T T 0 Sr 1 44 1 40 (empty)
1540662964.912367 CNahQj2KriyVP4BuCj 192.168.0.104 48692 192.168.0.105 1043 tcp - 0.000022 0 0 REJ T T 0 Sr 1 44 1 40 (empty)
1540662965.009130 CACQ4I25WEXc0xKY5 192.168.0.104 48691 192.168.0.105 1080 tcp - 0.000042 0 0 REJ T T 0 Sr 1 44 1 40 (empty)
1540662965.109684 Cee9pu2i9MGH5Mqsy2 192.168.0.104 48692 192.168.0.105 1080 tcp - 0.000036 0 0 REJ T T 0 Sr 1 44 1 40 (empty)
1540662913.955455 CEow3k3Zlv5eH1jy34 fe80::8bd:39bd:bab7:b74e 5353 ff02::fb 5353 udp dns 67.271796 1842 0 S0 F F 0 D 24 2994 0 0 (empty)
1540662913.954228 CSu95nzCQCsI6G6ea 192.168.0.103 5353 224.0.0.251 5353 udp dns 67.271164 1842 0 S0 T F 0 D 24 2514 0 0 (empty)
1540662958.663997 C3CWidZr5IPULfkw6 192.168.0.105 35502 91.189.89.199 123 udp - 0.133998 0 48 SHR T F 0 Cd 0 0 1 76 (empty)
1540662963.865028 CLK8oq2E1ShPsWliB2 192.168.0.104 60098 239.255.255.250 1900 udp - 2.991177 688 0 S0 T F 0 D 4 800 0 0 (empty)
1540662998.430665 CN58U54o3BVDhMaXId 192.168.0.103 5353 224.0.0.251 5353 udp dns 13.527360 456 0 S0 T F 0 D 6 624 0 0 (empty)
1540662998.432383 CCgHbI1g5k7Ognhf9h fe80::8bd:39bd:bab7:b74e 5353 ff02::fb 5353 udp dns 13.527121 456 0 S0 F F 0 D 6 744 0 0 (empty)
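Both logs above are tab-separated files with a self-describing header, so they can be processed without bro-cut. The following Python script is an added example for this article (not code from the original post or from the Bro project): it parses Bro's ASCII log format from the #separator, #fields, #unset_field and #empty_field header lines, applies a simplified form of the rule behind the Scan::Port_Scan notice (one source reaching at least 15 distinct ports on one host within five minutes, counting only rejected or unanswered TCP attempts), and sums the PacketFilter::Dropped_Packets notices into a capture-loss ratio. The embedded conn.log and notice.log samples are constructed from the lines shown above, with eleven made-up probe ports (2000 to 2010) added so that the threshold is actually reached; the uid values are placeholders.

```python
"""Parse Bro ASCII logs and re-derive the two notices from the article. Added
example, not Bro's own code; the embedded logs are constructed from the
article's lines, with made-up probe ports so the scan threshold is reached."""
import re
from collections import defaultdict

# #fields headers of a Bro 2.4 conn.log and notice.log (notice geo columns omitted)
CONN_FIELDS = ("ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration "
               "orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes "
               "history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents")
NOTICE_FIELDS = ("ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc "
                 "proto note msg sub src dst p n peer_descr actions suppress_for dropped")

def parse_bro_log(text):
    """Yield one dict per record keyed by the #fields names. Honours #separator (an
    escape such as \\x09), #unset_field (-> None) and #empty_field (-> ""); other
    header lines (#set_separator, #path, #open, #types, #close) are skipped."""
    sep, unset, empty, fields = "\t", "-", "(empty)", None
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#separator "):
            sep = line[len("#separator "):].encode().decode("unicode_escape")
        elif line.startswith("#"):
            key, _, value = line[1:].partition(sep)
            if key == "unset_field":
                unset = value
            elif key == "empty_field":
                empty = value
            elif key == "fields":
                fields = value.split(sep)
        elif line:
            values = line.split(sep)
            if fields is None or len(values) != len(fields):
                raise ValueError(f"line {lineno}: malformed record")
            yield {f: (None if v == unset else "" if v == empty else v)
                   for f, v in zip(fields, values)}

def detect_port_scans(conn_records, threshold=15, window=300.0):
    """Simplified Scan::Port_Scan: a source reaching `threshold` distinct TCP ports on
    one host within `window` seconds, counting only rejected or unanswered attempts
    (conn_state REJ or S0). Returns {(src, dst): sorted ports in the triggering window}."""
    attempts = defaultdict(list)
    for r in conn_records:
        if r["proto"] == "tcp" and r["conn_state"] in ("REJ", "S0"):
            attempts[(r["id.orig_h"], r["id.resp_h"])].append((float(r["ts"]), int(r["id.resp_p"])))
    hits = {}
    for key, events in attempts.items():
        events.sort()
        for i, (t0, _) in enumerate(events):  # try a window starting at each attempt
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= threshold:
                hits[key] = sorted(ports)
                break
    return hits

DROP_RE = re.compile(r"(\d+) packets dropped after filtering, (\d+) received")

def dropped_packet_ratio(notice_records):
    """Sum PacketFilter::Dropped_Packets notices into (dropped, received, ratio)."""
    dropped = received = 0
    for r in notice_records:
        m = DROP_RE.search(r["msg"]) if r["note"] == "PacketFilter::Dropped_Packets" else None
        if m:
            dropped, received = dropped + int(m.group(1)), received + int(m.group(2))
    return dropped, received, (dropped / received if received else 0.0)

# --- constructed sample logs, tab-separated as Bro writes them ---
def bro_header(path, fields):
    return "\n".join(["#separator \\x09", "#set_separator\t,", "#empty_field\t(empty)",
                      "#unset_field\t-", "#path\t" + path, "#fields\t" + "\t".join(fields.split())])

def conn_line(i, ts, orig_h, orig_p, resp_h, resp_p, proto, state, history):
    return "\t".join(str(v) for v in (f"{ts:.6f}", f"Cexample{i}", orig_h, orig_p, resp_h, resp_p,
                                      proto, "-", "0.000011", 0, 0, state, "T", "T", 0, history,
                                      1, 44, 1, 40, "(empty)"))

def notice_line(ts, note, msg, sub, src, dst):
    return "\t".join([f"{ts:.6f}"] + ["-"] * 9 + [note, msg, sub, src, dst, "-", "-", "bro",
                                                  "Notice::ACTION_LOG", "3600.000000", "F"])

SCANNER, TARGET = "192.168.0.104", "192.168.0.105"
# (ts, orig_p, resp_p): the first eight mirror the article's conn.log, the rest are made up
PROBES = [(1540662964.810179, 48691, 5678), (1540662964.810226, 48691, 1043),
          (1540662964.909912, 48692, 5678), (1540662964.910039, 48692, 1688),
          (1540662964.910087, 48692, 1132), (1540662964.912367, 48692, 1043),
          (1540662965.009130, 48691, 1080), (1540662965.109684, 48692, 1080)]
PROBES += [(1540662965.2 + i * 0.01, 48693, 2000 + i) for i in range(11)]
CONN_LOG = "\n".join(
    [bro_header("conn", CONN_FIELDS)]
    + [conn_line(i, ts, SCANNER, op, TARGET, rp, "tcp", "REJ", "Sr") for i, (ts, op, rp) in enumerate(PROBES)]
    # the article's NTP query: UDP and answered (SHR), so it must not count as a probe
    + [conn_line(99, 1540662958.663997, TARGET, 35502, "91.189.89.199", 123, "udp", "SHR", "Cd")])
NOTICE_LOG = "\n".join([
    bro_header("notice", NOTICE_FIELDS),
    notice_line(1540662955.235634, "Scan::Port_Scan",
                f"{SCANNER} scanned at least 15 unique ports of host {TARGET} in 0m1s", "local", SCANNER, TARGET),
    notice_line(1540662964.587979, "PacketFilter::Dropped_Packets",
                "1162 packets dropped after filtering, 2621 received, 2621 on link", "-", "-", "-")])
```

On the constructed sample, detect_port_scans reports 192.168.0.104 reaching 16 distinct ports on 192.168.0.105, and dropped_packet_ratio returns the 44% loss from the notice above. To run it against the live sensor, pass the contents of /opt/bro/logs/current/conn.log or notice.log to parse_bro_log instead of the embedded strings. The window search is quadratic per source/destination pair, which is fine for triaging a day of logs but not for a streaming detector; Bro's own scan policy keeps per-source counters incrementally through its SumStats framework for that reason.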

You can also use broctl help command to list all the option available with broctl:

broctl help

Output:

BroControl Version 1.4

capstats [<nodes>] [<secs>] - Report interface statistics with capstats
check [<nodes>] - Check configuration before installing it
cleanup [--all] [<nodes>] - Delete working dirs (flush state) on nodes
config - Print broctl configuration
cron [--no-watch] - Perform jobs intended to run from cron
cron enable|disable|? - Enable/disable "cron" jobs
deploy - Check, install, and restart
df [<nodes>] - Print nodes' current disk usage
diag [<nodes>] - Output diagnostics for nodes
exec <shell cmd> - Execute shell command on all hosts
exit - Exit shell
install - Update broctl installation/configuration
netstats [<nodes>] - Print nodes' current packet counters
nodes - Print node configuration
peerstatus [<nodes>] - Print status of nodes' remote connections
print <id> [<nodes>] - Print values of script variable at nodes
process <trace> [<op>] [-- <sc>] - Run Bro (with options and scripts) on trace
quit - Exit shell
restart [--clean] [<nodes>] - Stop and then restart processing
scripts [-c] [<nodes>] - List the Bro scripts the nodes will load
start [<nodes>] - Start processing
status [<nodes>] - Summarize node status
stop [<nodes>] - Stop processing
top [<nodes>] - Show Bro processes ala top
update [<nodes>] - Update configuration of nodes on the fly

Commands provided by plugins:
ps.bro [<nodes>] - Show Bro processes on nodes' systems

Original Source

https://www.alibabacloud.com/blog/how-to-install-bro-ids-on-ubuntu-16-04_594935?spm=a2c41.13062322.0.0
