How to Install Bro IDS on Ubuntu 16.04

Requirements

An Alibaba Cloud ECS instance running Ubuntu 16.04, with root access.

Launch Alibaba Cloud ECS Instance

Log in to the instance as root and refresh the package index:

apt-get update -y

Install Required Packages

Install the compiler toolchain and the libraries Bro builds against:

apt-get install cmake make gcc g++ flex git bison python-dev swig libgeoip-dev libpcap-dev libssl-dev zlib1g-dev -y

Bro looks for the MaxMind city databases as /usr/share/GeoIP/GeoIPCity.dat and /usr/share/GeoIP/GeoIPCityv6.dat. Download the GeoLite databases, unpack them (they are plain gzip files, not tar archives) and rename them to the names Bro expects. MaxMind has since retired these unauthenticated legacy download URLs; if they fail, Bro still builds and runs without this step, only without location data in its notices:

cd /usr/share/GeoIP/
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCityv6-beta/GeoLiteCityv6.dat.gz
gunzip GeoLiteCity.dat.gz
gunzip GeoLiteCityv6.dat.gz
mv GeoLiteCity.dat GeoIPCity.dat
mv GeoLiteCityv6.dat GeoIPCityv6.dat

Install Bro IDS

Download and unpack the Bro 2.4.1 source tarball, then configure the build to install under /opt/bro. The tarball is fetched over plain HTTP, so compare it against the checksum or signature published for the release before building it:

wget http://www.bro.org/downloads/release/bro-2.4.1.tar.gz
tar -xvzf bro-2.4.1.tar.gz
mkdir /opt/bro
cd bro-2.4.1
./configure --prefix=/opt/bro

The end of the configure summary lists the optional components that were found; GeoIP should show true if the databases from the previous step are in place:

Broker:
Broccoli: true
Broctl: true
Aux. Tools: true
GeoIP: true
gperftools found: false
tcmalloc: false
debugging: false
jemalloc: false
================================================================
-- Configuring done
-- Generating done
-- Build files have been written to: /root/bro-2.4.1/build

Compile and install:

make
make install

The last lines of the install output look like this:

-- Set runtime path of "/opt/bro/lib/broctl/_SubnetTree.so" to "/opt/bro/lib"
-- Installing: /opt/bro/bin/capstats
-- Set runtime path of "/opt/bro/bin/capstats" to "/opt/bro/lib"
-- Installing: /opt/bro/bin/trace-summary
-- Installing: /opt/bro/share/man/man1/trace-summary.1
-- Installing: /opt/bro/bin/bro-cut
-- Installing: /opt/bro/share/man/man1/bro-cut.1
-- Installing: /opt/bro/etc/broccoli.conf
-- Installing: /opt/bro/bin/broccoli-config
-- Installing: /opt/bro/lib/libbroccoli.so.5.1.0
-- Installing: /opt/bro/lib/libbroccoli.so.5
-- Installing: /opt/bro/lib/libbroccoli.so
-- Set runtime path of "/opt/bro/lib/libbroccoli.so.5.1.0" to "/opt/bro/lib"
-- Installing: /opt/bro/lib/libbroccoli.a
-- Installing: /opt/bro/include/broccoli.h
-- Installing: /opt/bro/lib/broctl/broccoli.py
-- Installing: /opt/bro/lib/broctl/_broccoli_intern.so
-- Set runtime path of "/opt/bro/lib/broctl/_broccoli_intern.so" to "/opt/bro/lib"
-- Installing: /opt/bro/lib/broctl/broccoli_intern.py
make[1]: Leaving directory '/root/bro-2.4.1/build'

Add /opt/bro/bin to the PATH of the current shell, and put the same line in ~/.profile so it persists across logins:

export PATH=/opt/bro/bin:$PATH
nano ~/.profile

PATH=/opt/bro/bin:$PATH

Configure Bro IDS

BroControl reads its node layout from node.cfg. For a single-host deployment, declare one standalone node and set interface to the interface that should be monitored (check ip link; on 16.04 cloud images it is not always eth0):

nano /opt/bro/etc/node.cfg

[bro]
type=standalone
host=localhost
interface=eth0

networks.cfg lists the networks Bro should treat as local, one CIDR per line followed by a description:

nano /opt/bro/etc/networks.cfg

192.168.1.0/24 Private IP space
192.168.0.0/16 Private IP space

In broctl.cfg, set the address that receives the mails Bro and BroControl send:

nano /opt/bro/etc/broctl.cfg

# Mail Options
# Recipient address for all emails sent out by Bro and BroControl.
MailTo = admin@example.com

Apply the configuration and start Bro:

broctl deploy

checking configurations ...
installing ...
removing old policies in /opt/bro/spool/installed-scripts-do-not-touch/site ...
removing old policies in /opt/bro/spool/installed-scripts-do-not-touch/auto ...
creating policy directories ...
installing site policies ...
generating standalone-layout.bro ...
generating local-networks.bro ...
generating broctl-config.bro ...
generating broctl-config.sh ...
updating nodes ...
stopping ...
stopping bro ...
starting ...
starting bro ...

Check that the node is running:

broctl status

Getting process status ...
Getting peer status ...
Name   Type        Host       Status   Pid    Peers  Started
bro    standalone  localhost  running  22983  0      27 Oct 23:16:55

Bro can be started, restarted and stopped with:

broctl start
broctl restart
broctl stop

Configure Cron for Bro

BroControl's cron command does the regular housekeeping: it checks that the nodes are still running and restarts them if needed, and archives the logs. Create a cron entry that runs it every five minutes and reload cron:

nano /etc/cron.d/bro

*/5 * * * * root /opt/bro/bin/broctl cron

systemctl restart cron

To start Bro at boot, add the following line to /etc/rc.local above its final exit 0:

nano /etc/rc.local

/opt/bro/bin/broctl start

Test Bro IDS

To check that Bro is seeing traffic, run a port scan from another machine on the monitored network (192.168.0.104 here) against the Bro host (192.168.0.105):

nmap -PN -sS 192.168.0.105

On the Bro host, watch notice.log. Bro's scan detector raises a Scan::Port_Scan notice naming the scanning and the scanned host. The PacketFilter::Dropped_Packets notice that follows means the capture dropped packets during the scan; sustained drops mean Bro is missing traffic, so this count is worth watching on a busy interface:

tail -f /opt/bro/logs/current/notice.log

#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path notice
#open 2018-10-27-23-25-55
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double
1540662955.235634 - - - - - - - - - Scan::Port_Scan 192.168.0.104 scanned at least 15 unique ports of host 192.168.0.105 in 0m1s local 192.168.0.104 192.168.0.105 - - bro Notice::ACTION_LOG 3600.000000 F - - - - -
1540662964.587979 - - - - - - - - - PacketFilter::Dropped_Packets 1162 packets dropped after filtering, 2621 received, 2621 on link - - - - - bro Notice::ACTION_LOG 3600.000000 F - - - - -

conn.log records every connection Bro saw, including each probe from the scan that the host rejected (conn_state REJ):

tail -f /opt/bro/logs/current/conn.log

1540662964.810179 CjKrCF2qvnQdIf4Qf7 192.168.0.104 48691 192.168.0.105 5678 tcp - 0.000011 0 0 REJ T T 0 Sr 1 44 1 40 (empty)
1540662964.810226 CeH5hL24qgTK2Dmx61 192.168.0.104 48691 192.168.0.105 1043 tcp - 0.000010 0 0 REJ T T 0 Sr 1 44 1 40 (empty)
1540662964.909912 C1KWIM3Y8LUW0T9cVe 192.168.0.104 48692 192.168.0.105 5678 tcp - 0.000039 0 0 REJ T T 0 Sr 1 44 1 40 (empty)
1540662964.910039 CdvPG22cukVMONXJ5l 192.168.0.104 48692 192.168.0.105 1688 tcp - 0.000011 0 0 REJ T T 0 Sr 1 44 1 40 (empty)
1540662964.910087 C8nAx11w44P6iJKBdg 192.168.0.104 48692 192.168.0.105 1132 tcp - 0.000009 0 0 REJ T T 0 Sr 1 44 1 40 (empty)
1540662964.912367 CNahQj2KriyVP4BuCj 192.168.0.104 48692 192.168.0.105 1043 tcp - 0.000022 0 0 REJ T T 0 Sr 1 44 1 40 (empty)
1540662965.009130 CACQ4I25WEXc0xKY5 192.168.0.104 48691 192.168.0.105 1080 tcp - 0.000042 0 0 REJ T T 0 Sr 1 44 1 40 (empty)
1540662965.109684 Cee9pu2i9MGH5Mqsy2 192.168.0.104 48692 192.168.0.105 1080 tcp - 0.000036 0 0 REJ T T 0 Sr 1 44 1 40 (empty)
1540662913.955455 CEow3k3Zlv5eH1jy34 fe80::8bd:39bd:bab7:b74e 5353 ff02::fb 5353 udp dns 67.271796 1842 0 S0 F F 0 D 24 2994 0 0 (empty)
1540662913.954228 CSu95nzCQCsI6G6ea 192.168.0.103 5353 224.0.0.251 5353 udp dns 67.271164 1842 0 S0 T F 0 D 24 2514 0 0 (empty)
1540662958.663997 C3CWidZr5IPULfkw6 192.168.0.105 35502 91.189.89.199 123 udp - 0.133998 0 48 SHR T F 0 Cd 0 0 1 76 (empty)
1540662963.865028 CLK8oq2E1ShPsWliB2 192.168.0.104 60098 239.255.255.250 1900 udp - 2.991177 688 0 S0 T F 0 D 4 800 0 0 (empty)
1540662998.430665 CN58U54o3BVDhMaXId 192.168.0.103 5353 224.0.0.251 5353 udp dns 13.527360 456 0 S0 T F 0 D 6 624 0 0 (empty)
1540662998.432383 CCgHbI1g5k7Ognhf9h fe80::8bd:39bd:bab7:b74e 5353 ff02::fb 5353 udp dns 13.527121 456 0 S0 F F 0 D 6 744 0 0 (empty)
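To turn the notice.log output above into something a script or alerting job can act on, here is an added example (not part of the original article or of the Bro project) that reads Bro's '#'-directive ASCII log format and extracts the Scan::Port_Scan notices; because it takes the column names from the #fields header, the same reader also works on conn.log. The sample log embedded in it is constructed to match the notice shown above, with the unused columns left out.

```python
"""Read a Bro ASCII log and pull out Scan::Port_Scan notices. Added example,
not Bro project code; works for any log with a '#fields' header."""
import re

# Constructed sample in the shape of the notice.log shown above (tab-separated
# in the real file); only the columns this example needs are kept.
SAMPLE_NOTICE_LOG = "\n".join([
    "#separator \\x09",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#fields\tts\tuid\tnote\tmsg\tsrc\tdst\tactions\tsuppress_for",
    "#types\ttime\tstring\tenum\tstring\taddr\taddr\tset[enum]\tinterval",
    "1540662955.235634\t-\tScan::Port_Scan\t192.168.0.104 scanned at least 15 "
    "unique ports of host 192.168.0.105 in 0m1s\t192.168.0.104\t192.168.0.105"
    "\tNotice::ACTION_LOG\t3600.000000",
    "1540662964.587979\t-\tPacketFilter::Dropped_Packets\t1162 packets dropped "
    "after filtering, 2621 received, 2621 on link\t-\t-\tNotice::ACTION_LOG"
    "\t3600.000000",
])

def parse_bro_log(text):
    """Return (fields, records): the #fields names and one dict per data row.
    Unset ('-') values become None, empty ('(empty)') values become ''."""
    sep, unset, empty, fields, records = "\t", "-", "(empty)", [], []
    for line in text.splitlines():
        if line.startswith("#separator "):
            # The separator itself is written escaped after a single space.
            sep = line[len("#separator "):].encode().decode("unicode_escape")
        elif line.startswith("#"):
            key, _, val = line[1:].partition(sep)
            if key == "fields":
                fields = val.split(sep)
            elif key == "unset_field":
                unset = val
            elif key == "empty_field":
                empty = val
        elif line:
            records.append({f: None if v == unset else "" if v == empty else v
                            for f, v in zip(fields, line.split(sep))})
    return fields, records

PORTS_RE = re.compile(r"at least (\d+) unique ports")
def port_scan_notices(records):
    """Return (src, dst, port_count) for every Scan::Port_Scan notice."""
    hits = []
    for r in records:
        if r.get("note") == "Scan::Port_Scan":
            m = PORTS_RE.search(r["msg"] or "")
            hits.append((r["src"], r["dst"], int(m.group(1)) if m else None))
    return hits
```

Run it against a real file with parse_bro_log(open("/opt/bro/logs/current/notice.log").read()); the dict records keep every column the #fields header names.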
broctl help lists the available BroControl commands:

broctl help

BroControl Version 1.4

capstats [<nodes>] [<secs>] - Report interface statistics with capstats
check [<nodes>] - Check configuration before installing it
cleanup [--all] [<nodes>] - Delete working dirs (flush state) on nodes
config - Print broctl configuration
cron [--no-watch] - Perform jobs intended to run from cron
cron enable|disable|? - Enable/disable "cron" jobs
deploy - Check, install, and restart
df [<nodes>] - Print nodes' current disk usage
diag [<nodes>] - Output diagnostics for nodes
exec <shell cmd> - Execute shell command on all hosts
exit - Exit shell
install - Update broctl installation/configuration
netstats [<nodes>] - Print nodes' current packet counters
nodes - Print node configuration
peerstatus [<nodes>] - Print status of nodes' remote connections
print <id> [<nodes>] - Print values of script variable at nodes
process <trace> [<op>] [-- <sc>] - Run Bro (with options and scripts) on trace
quit - Exit shell
restart [--clean] [<nodes>] - Stop and then restart processing
scripts [-c] [<nodes>] - List the Bro scripts the nodes will load
start [<nodes>] - Start processing
status [<nodes>] - Summarize node status
stop [<nodes>] - Stop processing
top [<nodes>] - Show Bro processes ala top
update [<nodes>] - Update configuration of nodes on the fly

Commands provided by plugins:
ps.bro [<nodes>] - Show Bro processes on nodes' systems
