Bro is an open-source highly-stateful network analysis framework. Although it’s mainly focused on network security monitoring, it provides a platform for general network traffic analysis as well. Bro is the monitoring backbone for many universities, research labs and supercomputing data-centers around the world. It is developed by Vern Paxson along with a team of researchers at the International Computer Science Institute in Berkeley and the National Center for Supercomputing Applications in Urbana-Champaign. Today we are going to show you how to install Bro on an Ubuntu 16.04 VPS.
1. Upgrade the system
As usual, make sure that your Ubuntu 16.04 server is up-to-date by running the following commands (refresh the package index first, then upgrade):
# apt-get update && apt-get upgrade
2. Install the Maxmind GeoIP Database
Bro needs an IP address geolocation database to function. Download both the IPv4 and IPv6 databases:
# wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
# wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCityv6-beta/GeoLiteCityv6.dat.gz
Extract both archives:
# gzip -d GeoLiteCity.dat.gz
# gzip -d GeoLiteCityv6.dat.gz
Create the ‘/usr/share/GeoIP’ directory and move the files into it:
# mkdir /usr/share/GeoIP
# mv GeoLiteCity.dat /usr/share/GeoIP/GeoIPCity.dat
# mv GeoLiteCityv6.dat /usr/share/GeoIP/GeoIPCityv6.dat
3. Install Bro on Ubuntu 16.04
First, install the prerequisite packages for Bro:
# apt-get install git cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev
Now download the latest Bro release from the site, which at the time of writing is version 2.5.3:
# wget https://www.bro.org/downloads/bro-2.5.3.tar.gz
Extract the archive:
# tar xzvf bro-2.5.3.tar.gz
Now enter the ‘bro-2.5.3’ directory and run configure:
# cd bro-2.5.3
# ./configure
After ‘configure’ has finished preparing the build, run the following command:
# make
Once ‘make’ has built Bro from source, run the following command to install it:
# make install
Bro should be installed in the ‘/usr/local/bro’ directory now.
4. Configure Bro
Let’s configure the mail notification settings first. To do that, open the following file with your favorite editor (we’ll use nano):
# nano /usr/local/bro/etc/broctl.cfg
Find the ‘Mail Options’ section, and edit the ‘MailTo’ setting:
# Recipient address for emails sent out by Bro and BroControl
MailTo = admin@rosehosting.com
Save and close the file.
Now we need to make sure that Bro is listening on the correct network interface. To do that, open the following file with your favorite editor:
# nano /usr/local/bro/etc/node.cfg
Find the ‘[bro]’ section; it should look something like this:
[bro]
type=standalone
host=localhost
interface=eth0
Make sure that the ‘interface’ setting is set to the public interface on your server.
The last step is to configure the networks Bro will treat as local. To do that, open the following file:
# nano /usr/local/bro/etc/networks.cfg
You should see the following contents:
# List of local networks in CIDR notation, optionally followed by a
# descriptive tag.
# For example, "10.0.0.0/8" or "fe80::/64" are valid prefixes.
10.0.0.0/8          Private IP space
172.16.0.0/12       Private IP space
192.168.0.0/16      Private IP space
Delete the three examples and add your own subnet entries, like in the following example:
10.20.30.0/24       Private IP space
10.20.31.0/24       Private IP space
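Bro uses these prefixes to decide which hosts count as local, so a malformed entry quietly skews everything built on that distinction. As an added example that is not part of the original tutorial, the following POSIX shell script syntax-checks the prefixes in a networks.cfg (assumed at the path used in this guide) before you deploy; it validates IPv4 and IPv6 CIDR notation only and does not consult interfaces or routes.

```shell
#!/bin/sh
# Added example (not from the original tutorial): syntax-check networks.cfg
# prefixes so a typo such as 10.20.31.0/33 is caught before 'broctl deploy'.

valid_ipv4_cidr() {          # a.b.c.d/n: octets 0-255, n 0-32
  addr=${1%/*}; len=${1#*/}
  [ "$addr" != "$1" ] || return 1             # no '/' at all
  case "$len" in ''|*[!0-9]*) return 1 ;; esac
  [ "$len" -le 32 ] || return 1
  IFS=.; set -- $addr; unset IFS              # split into octets
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
}

valid_ipv6_cidr() {          # hex groups and ':', at most one '::', n 0-128
  addr=${1%/*}; len=${1#*/}
  [ "$addr" != "$1" ] || return 1
  case "$len" in ''|*[!0-9]*) return 1 ;; esac
  [ "$len" -le 128 ] || return 1
  case "$addr" in ''|*[!0-9a-fA-F:]*|*:::*) return 1 ;; esac
  rest=${addr#*::}
  case "$rest" in *::*) return 1 ;; esac      # a second '::' is invalid
}

# Print each bad line of the networks.cfg named in $1 to stderr and
# return the number of bad lines (0 means the file is clean).
check_networks_cfg() {
  file=$1; bad=0
  while read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments
    set -- $line; prefix=$1                     # first whitespace-separated field
    valid_ipv4_cidr "$prefix" || valid_ipv6_cidr "$prefix" || {
      echo "bad prefix: $line" >&2; bad=$((bad + 1)); }
  done < "$file"
  return "$bad"
}

# Demo on a constructed sample; the last entry is a deliberate typo.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# List of local networks in CIDR notation, optionally followed by a descriptive tag.
10.20.30.0/24   Private IP space
fe80::/64       Link-local
10.20.31.0/33   Private IP space
EOF
check_networks_cfg "$sample" && echo "networks.cfg OK" || echo "$? bad line(s)"
rm -f "$sample"
```

Run it against the real file with `check_networks_cfg /usr/local/bro/etc/networks.cfg` after sourcing the script; a non-zero exit status means at least one prefix needs fixing.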
5. Managing Bro
Managing Bro is mostly done with the ‘broctl’ command. To use it without typing the full path each time, add the following line to the bottom of the ‘~/.bashrc’ file:
# nano ~/.bashrc
PATH=$PATH:/usr/local/bro/bin
Restart the session by logging out and logging in to the server again.
Now you can check the status of Bro by running the following command:
# broctl status
Name         Type         Host          Status    Pid    Started
bro          standalone   localhost     running   27534  12 Apr 13:42:19
You can also run the following command to list the various options ‘broctl’ offers:
# broctl help
BroControl Version 1.7

  capstats [] []             - Report interface statistics with capstats
  check []                   - Check configuration before installing it
  cleanup [--all] []         - Delete working dirs (flush state) on nodes
  config                     - Print broctl configuration
  cron [--no-watch]          - Perform jobs intended to run from cron
  cron enable|disable|?      - Enable/disable "cron" jobs
  deploy                     - Check, install, and restart
  df []                      - Print nodes' current disk usage
  diag []                    - Output diagnostics for nodes
  exec                       - Execute shell command on all hosts
  exit                       - Exit shell
  install                    - Update broctl installation/configuration
  netstats []                - Print nodes' current packet counters
  nodes                      - Print node configuration
  peerstatus []              - Print status of nodes' remote connections
  print []                   - Print values of script variable at nodes
  process [] [-- ]           - Run Bro (with options and scripts) on trace
  quit                       - Exit shell
  restart [--clean] []       - Stop and then restart processing
  scripts [-c] []            - List the Bro scripts the nodes will load
  start []                   - Start processing
  status []                  - Summarize node status
  stop []                    - Stop processing
  top []                     - Show Bro processes ala top
  update []                  - Update configuration of nodes on the fly

Commands provided by plugins:

  ps.bro []                  - Show Bro processes on nodes' systems
That’s it! You should now have successfully installed and configured Bro on your Ubuntu 16.04 server.
Of course, you don’t have to install Bro on your Ubuntu 16.04 server yourself if you use one of our Linux server support services, in which case you can simply ask our expert Linux admins to set this up for you. They are available 24×7 and will take care of your request immediately.