How to Install Bro IDS on Ubuntu 16.04

By Hitesh Jethva, Alibaba Cloud Tech Share Author. Tech Share is Alibaba Cloud’s incentive program to encourage the sharing of technical knowledge and best practices within the cloud community.

Bro is a free, open source and powerful network analysis framework that can be used for network security monitoring. Bro can monitor traffic in very high-performance environments and differs considerably from a typical IDS. Using Bro, you can easily detect brute-force attacks against various network services as well as SQL injection attacks. It is particularly well suited to scientific environments. Bro is typically deployed at a site's upstream link, where it monitors all external packets coming in or going out. Bro ships with analyzers for many protocols, enabling high-level semantic analysis at the application layer. Bro is widely used by major universities, supercomputing centers and research labs.

In this tutorial, we will be installing and configuring Bro IDS on an Alibaba Cloud Elastic Compute Service (ECS) Ubuntu 16.04 server.

Requirements

  • A fresh Alibaba Cloud Ubuntu 16.04 instance.
  • A root password set up on your instance.
  • A static IP address, 192.168.0.105, set up on your instance.

Launch Alibaba Cloud ECS Instance

First, log in to your Alibaba Cloud ECS console. Create a new ECS instance, choosing Ubuntu 16.04 as the operating system with at least 2GB RAM. Connect to your ECS instance and log in as the root user.

Once you are logged into your Ubuntu 16.04 instance, run the following command to update your base system with the latest available packages.

Install Required Packages

Before starting, you will need to install some dependencies required by Bro IDS. You can install all of them by running the following command:

Next, you will need to download a GeoIP database for IP address geolocation. You can download it with the following command:

Next, extract the downloaded database with the following command:

Next, rename both extracted files as shown below:

Install Bro IDS

Next, you will need to download the latest version of Bro from their official website. You can download it with the following command:

Once the download is completed, extract the downloaded file with the following command:

Next, create a directory for Bro installation:

Next, change into the bro-2.4.1 directory and configure the build with the following command:

Output:

Next, install Bro with the following command:

Once the installation is completed, you should see the following output:

Next, you will need to add Bro's bin directory to your PATH environment variable. You can do this using the following command:

Next, you will need to add the same PATH setting to the ~/.profile file to make the change permanent.

Add the following line:

Save and close the file, when you are finished.
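The build-from-source steps above, collected into one script, as an added example that is not part of the original tutorial. It assumes wget is available and uses a placeholder for the tarball URL (the tutorial only says to download Bro 2.4.1 from the official website); the PATH line is appended to ~/.profile only if it is not already there, so re-running the steps does not stack duplicate exports.

```shell
#!/bin/sh
# Added example: build Bro 2.4.1 from source as the tutorial describes and
# put /opt/bro/bin on PATH. BRO_TARBALL_URL is a placeholder (assumption);
# replace it with the release tarball URL from the Bro website.
set -eu

BRO_VERSION="2.4.1"
BRO_PREFIX="/opt/bro"
BRO_TARBALL_URL="${BRO_TARBALL_URL:-https://example.invalid/bro-${BRO_VERSION}.tar.gz}"  # placeholder

# ensure_line_in_file LINE FILE: append LINE to FILE only if it is not already
# present verbatim, so repeated runs do not add duplicate PATH exports.
ensure_line_in_file() {
    line="$1"; file="$2"
    touch "$file"
    if grep -qxF -- "$line" "$file"; then
        return 0
    fi
    printf '%s\n' "$line" >> "$file"
}

# count_line LINE FILE: number of verbatim occurrences of LINE in FILE
# (used to confirm the append is idempotent).
count_line() {
    grep -cxF -- "$1" "$2" || true
}

# build_bro: download, unpack, configure with --prefix, compile and install.
# Needs the build dependencies from the previous section already installed.
build_bro() {
    workdir="$(mktemp -d)"
    cd "$workdir"
    wget -O "bro-${BRO_VERSION}.tar.gz" "$BRO_TARBALL_URL"
    tar -xzf "bro-${BRO_VERSION}.tar.gz"
    mkdir -p "$BRO_PREFIX"
    cd "bro-${BRO_VERSION}"
    ./configure --prefix="$BRO_PREFIX"
    make
    make install
}

# setup_path [PROFILE]: export PATH for this shell and persist it in PROFILE
# (defaults to ~/.profile, as in the tutorial).
setup_path() {
    profile="${1:-$HOME/.profile}"
    PATH="$BRO_PREFIX/bin:$PATH"; export PATH
    ensure_line_in_file "export PATH=$BRO_PREFIX/bin:\$PATH" "$profile"
}

# check_install: true when broctl is installed where the tutorial expects it.
check_install() {
    [ -x "$BRO_PREFIX/bin/broctl" ]
}
```

Source the file and run `build_bro && setup_path && check_install` as root; `check_install` failing after `make install` usually means the configure prefix did not match /opt/bro.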

Configure Bro IDS

First, you will need to specify the network interface that you want to monitor. You can do this by editing the /opt/bro/etc/node.cfg file:

Set the following lines to match your network interface:

Save and close the file. Then, specify the network IP range that you want to monitor.

Add the following lines:

Save and close the file. Then, you will need to configure the broctl.cfg file for mail and logging settings:

Make the following changes:

Save and close the file. Then, start the Bro service with the following command:

Output:

Next, you can check the status of Bro service with the following command:

Output:

You can also start, restart and stop the Bro service with the following commands:
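The three configuration edits above (interface in node.cfg, local IP range, mail and log settings in broctl.cfg), as an added example that is not part of the original tutorial. It generates the files instead of editing them by hand and checks the values first, because a mistyped interface or prefix is the usual reason broctl starts and then stops with nothing captured. Assumptions: the file names node.cfg, networks.cfg and broctl.cfg under /opt/bro/etc and the option names MailTo, LogRotationInterval and LogExpireInterval follow the stock Bro 2.4 layout; the node name "bro" and interface "eth0" are illustrative.

```shell
#!/bin/sh
# Added example (not from the tutorial): generate and sanity-check the broctl
# configuration files. BRO_ETC can be overridden to write somewhere else.
set -eu

BRO_ETC="${BRO_ETC:-/opt/bro/etc}"   # assumed stock install layout

# interface_exists IFACE: true if the kernel knows the interface.
interface_exists() {
    [ -e "/sys/class/net/$1" ]
}

# valid_cidr A.B.C.D/N: strict check on a prefix before it goes into
# networks.cfg (four octets 0-255, prefix length 0-32).
valid_cidr() {
    cidr="$1"
    case "$cidr" in
        */*) ;;
        *) return 1 ;;
    esac
    ip="${cidr%/*}"; len="${cidr#*/}"
    case "$len" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$len" -le 32 ] || return 1
    n=0
    oldifs="$IFS"; IFS=.
    for octet in $ip; do
        case "$octet" in
            ''|*[!0-9]*) IFS="$oldifs"; return 1 ;;
        esac
        [ "$octet" -le 255 ] || { IFS="$oldifs"; return 1; }
        n=$((n + 1))
    done
    IFS="$oldifs"
    [ "$n" -eq 4 ]
}

# write_node_cfg IFACE FILE: a single standalone node monitoring IFACE.
write_node_cfg() {
    iface="$1"; file="$2"
    printf '[bro]\ntype=standalone\nhost=localhost\ninterface=%s\n' "$iface" > "$file"
}

# write_networks_cfg FILE CIDR...: one local prefix per line, each validated;
# fails without writing a bad prefix.
write_networks_cfg() {
    file="$1"; shift
    : > "$file"
    for cidr in "$@"; do
        valid_cidr "$cidr" || { echo "bad prefix: $cidr" >&2; return 1; }
        printf '%s\n' "$cidr" >> "$file"
    done
}

# set_broctl_option KEY VALUE FILE: replace an existing "KEY = ..." line in
# broctl.cfg, or append it when the key is not there yet.
set_broctl_option() {
    key="$1"; value="$2"; file="$3"
    if grep -q "^$key *=" "$file"; then
        sed -i "s|^$key *=.*|$key = $value|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# get_broctl_option KEY FILE: print the current value of KEY.
get_broctl_option() {
    sed -n "s|^$1 *= *||p" "$2"
}

# configure_bro IFACE CIDR...: the tutorial's three edits in one step.
configure_bro() {
    iface="$1"; shift
    interface_exists "$iface" || { echo "no such interface: $iface" >&2; return 1; }
    write_node_cfg "$iface" "$BRO_ETC/node.cfg"
    write_networks_cfg "$BRO_ETC/networks.cfg" "$@"
    set_broctl_option MailTo root@localhost "$BRO_ETC/broctl.cfg"
    set_broctl_option LogRotationInterval 3600 "$BRO_ETC/broctl.cfg"
    set_broctl_option LogExpireInterval 30 "$BRO_ETC/broctl.cfg"
}
```

On the tutorial's host you would run `configure_bro eth0 192.168.0.0/24` (adjusting the interface name) and then `broctl deploy`; the CIDR and interface checks are what catch the typos that otherwise only show up as an immediately-exited node.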

Configure Cron for Bro

Next, you will need to set up a cron job for Bro so that it can restart Bro if it crashes. You can do this by editing the /etc/cron.d/bro file:

Make the following changes:

Save and close the file. Then, restart Cron service with the following command:

Next, you will also need to add the Bro service to the /etc/rc.local file so that it starts at system boot:

Add the following line:

Save and close the file, when you are finished.
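The cron and rc.local steps above, as an added example that is not part of the original tutorial, together with the two checks that most often leave this setup silently broken: cron ignores a file in /etc/cron.d that is group- or world-writable, and on Ubuntu 16.04 /etc/rc.local only runs at boot if it is executable. The five-minute `broctl cron` interval is assumed from Bro's stock broctl setup; the paths can be overridden for testing.

```shell
#!/bin/sh
# Added example (not from the tutorial): write the broctl cron entry, hook
# "broctl start" into rc.local, and verify permissions on both files.
set -eu

BROCTL="${BROCTL:-/opt/bro/bin/broctl}"   # assumed install location

# write_bro_cron FILE: cron.d entry that runs "broctl cron" every five
# minutes; broctl cron restarts crashed nodes and rotates logs.
write_bro_cron() {
    file="$1"
    printf '*/5 * * * * root %s cron\n' "$BROCTL" > "$file"
    chmod 0644 "$file"
}

# cron_file_ok FILE: reject /etc/cron.d files that cron would skip because
# they are group- or world-writable, and require the broctl entry.
cron_file_ok() {
    file="$1"
    [ -f "$file" ] || return 1
    mode="$(ls -l "$file" | cut -c1-10)"   # e.g. -rw-r--r--
    case "$mode" in
        ?????w????|????????w?) return 1 ;;
    esac
    grep -qF "$BROCTL cron" "$file"
}

# add_rc_local_start FILE: insert "broctl start" before the final "exit 0"
# that Ubuntu's rc.local ends with (or append when there is no exit line);
# does nothing if the line is already present.
add_rc_local_start() {
    file="$1"
    line="$BROCTL start"
    if grep -qxF -- "$line" "$file"; then
        return 0
    fi
    if grep -qx 'exit 0' "$file"; then
        tmp="$(mktemp)"
        awk -v l="$line" '$0 == "exit 0" { print l } { print }' "$file" > "$tmp"
        cat "$tmp" > "$file"; rm -f "$tmp"
    else
        printf '%s\n' "$line" >> "$file"
    fi
}

# rc_local_ok FILE: rc.local must be executable or it never runs at boot,
# which leaves Bro down after the first reboot.
rc_local_ok() {
    [ -x "$1" ] && grep -qxF -- "$BROCTL start" "$1"
}

# install_bro_autostart: the tutorial's two edits plus the checks, for root.
install_bro_autostart() {
    write_bro_cron /etc/cron.d/bro
    cron_file_ok /etc/cron.d/bro || return 1
    add_rc_local_start /etc/rc.local
    chmod +x /etc/rc.local
    rc_local_ok /etc/rc.local
}
```

Run `install_bro_autostart` as root and then restart cron as the tutorial says; if `cron_file_ok` fails after a manual edit, the cause is almost always a file mode looser than 0644.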

Test Bro IDS

Bro IDS is now installed and running. It’s time to test Bro IDS.

On a remote system, run an Nmap port scan against your server:

Next, go to the server machine and check the notice.log and conn.log files with the following command:

You should see the following output:

Next, check conn.log file:

You should see the following output:

You can also use the broctl help command to list all the options available with broctl:

Output:
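A way to read the notice.log and conn.log produced by the test above, as an added example that is not part of the original tutorial: a small header-driven reader for Bro's tab-separated log format. Column names are taken from each file's `#fields` header line, the way the bro-cut tool works, so the same functions apply to any Bro log. The sample logs in the block are constructed for this example with abbreviated field lists; the notice types Scan::Port_Scan and SSH::Password_Guessing are Bro's own names for the scan and brute-force detections the tutorial mentions.

```shell
#!/bin/sh
# Added example (not from the tutorial): summarise Bro logs after a scan.
set -eu

# bro_cut FILE COL...: print the named columns of a Bro TSV log, tab-separated,
# skipping "#" header/footer lines. Unknown columns print as "-".
bro_cut() {
    file="$1"; shift
    awk -F '\t' -v want="$*" '
        BEGIN { n = split(want, cols, " ") }
        /^#fields/ { for (i = 2; i <= NF; i++) idx[$i] = i - 1; next }
        /^#/ { next }
        {
            out = ""
            for (i = 1; i <= n; i++) {
                v = (cols[i] in idx) ? $(idx[cols[i]]) : "-"
                out = out (i > 1 ? "\t" : "") v
            }
            print out
        }' "$file"
}

# count_by FILE COL: "count value" lines for COL, most frequent first.
count_by() {
    bro_cut "$1" "$2" | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# notice_summary FILE: notices grouped by note type (e.g. Scan::Port_Scan).
notice_summary() { count_by "$1" note; }

# top_originators FILE: source addresses by number of connections; a port
# scan appears as one address with many short, unanswered connections.
top_originators() { count_by "$1" id.orig_h; }

# failed_conns FILE ORIG: "port state" for connections from ORIG that never
# completed (conn_state S0 = no reply seen, REJ = rejected by the server).
failed_conns() {
    bro_cut "$1" id.orig_h id.resp_p conn_state |
        awk -F '\t' -v o="$2" '$1 == o && ($3 == "S0" || $3 == "REJ") { print $2, $3 }'
}

# write_sample_logs DIR: constructed sample logs (abbreviated field lists)
# so the functions above can be tried offline.
write_sample_logs() {
    dir="$1"
    printf '#separator \\x09\n#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state\n' > "$dir/conn.log"
    printf '1.0\tC1\t192.168.0.20\t40001\t192.168.0.105\t22\ttcp\tSF\n' >> "$dir/conn.log"
    printf '2.0\tC2\t192.168.0.20\t40002\t192.168.0.105\t80\ttcp\tREJ\n' >> "$dir/conn.log"
    printf '3.0\tC3\t192.168.0.20\t40003\t192.168.0.105\t443\ttcp\tS0\n' >> "$dir/conn.log"
    printf '4.0\tC4\t192.168.0.50\t50000\t192.168.0.105\t22\ttcp\tSF\n' >> "$dir/conn.log"
    printf '#close\t2018-01-01-00-00-00\n' >> "$dir/conn.log"
    printf '#fields\tts\tuid\tid.orig_h\tnote\tmsg\tsrc\n' > "$dir/notice.log"
    printf '5.0\t-\t192.168.0.20\tScan::Port_Scan\t192.168.0.20 scanned\t192.168.0.20\n' >> "$dir/notice.log"
    printf '6.0\t-\t192.168.0.20\tScan::Port_Scan\t192.168.0.20 scanned\t192.168.0.20\n' >> "$dir/notice.log"
    printf '7.0\t-\t192.168.0.50\tSSH::Password_Guessing\tguessing\t192.168.0.50\n' >> "$dir/notice.log"
}
```

On a live install, point the functions at the current logs (for example `notice_summary /opt/bro/logs/current/notice.log` and `top_originators /opt/bro/logs/current/conn.log`) after the scan; the scanning host should appear at the top of both lists, and `failed_conns` shows which ports it probed without completing a handshake.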

Original Source

https://www.alibabacloud.com/blog/how-to-install-bro-ids-on-ubuntu-16-04_594935?spm=a2c41.13062322.0.0
