By Hitesh Jethva, Alibaba Cloud Tech Share Author. Tech Share is Alibaba Cloud's incentive program to encourage the sharing of technical knowledge and best practices within the cloud community.
Bro is a free, open source and powerful network analysis framework that can be used for network security monitoring. Bro IDS has an ability to monitor traffic in a very high-performance environment and it is much different from the typical IDS. You can easily detect brute-force attacks against different network services and SQL injection attacks using Bro. It is specifically well-suited for scientific environments. Bro is typically deployed at a site's upstream link and monitors all external packets coming in or going out. Bro comes with analyzers for many protocols, enabling high-level semantic analysis at the application layer. Bro is most widely used by major universities, supercomputing centers and research labs.
In this tutorial, we will be installing and configuring Bro IDS on an Alibaba Cloud Elastic Compute Service (ECS) Ubuntu 16.04 server.
First, Login to your Alibaba Cloud ECS Console. Create a new ECS instance, choosing Ubuntu 16.04 as the operating system with at least 2GB RAM. Connect to your ECS instance and log in as the root user.
Once you are logged into your Ubuntu 16.04 instance, run the following command to update your base system with the latest available packages.
apt-get update -y
Before starting, you will need to install some dependencies required by Bro IDS. You can install all of them by just running the following command:
apt-get install cmake make gcc g++ flex git bison python-dev swig libgeoip-dev libpcap-dev libssl-dev zlib1g-dev -ylibgeoip-dev -y
Next, you will need to download a GeoIP database for IP address geolocation. You can download it with the following command:
cd /usr/share/GeoIP/
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCityv6-beta/GeoLiteCityv6.dat.gz
Next, extract the downloaded database with the following command:
tar -xvzf GeoLiteCity.dat.gz
tar -xvzf GeoLiteCityv6.dat.gz
Next, rename both extracted files as shown below:
mv GeoLiteCity.dat GeoIPCity.dat
mv GeoLiteCityv6.dat GeoIPCity.dat
Next, you will need to download the latest version of Bro from their official website. You can download it with the following command:
wget http://www.bro.org/downloads/release/bro-2.4.1.tar.gz
Once the download is completed, extract the downloaded file with the following command:
tar -xvzf bro-2.4.1.tar.gz
Next, create a directory for Bro installation:
mkdir /opt/bro
Next, change the directory to the bro-2.4.1 and configure it with the following command:
cd bro-2.4.1
./configure --prefix=/opt/bro
Output:
Broker:
Broccoli: true
Broctl: true
Aux. Tools: true
GeoIP: true
gperftools found: false
tcmalloc: false
debugging: false
jemalloc: false
================================================================
-- Configuring done
-- Generating done
-- Build files have been written to: /root/bro-2.4.1/build
Next, install Bro with the following command:
make
make install
Once the installation is completed, you should see the following Output:
-- Set runtime path of "/opt/bro/lib/broctl/_SubnetTree.so" to "/opt/bro/lib"
-- Installing: /opt/bro/bin/capstats
-- Set runtime path of "/opt/bro/bin/capstats" to "/opt/bro/lib"
-- Installing: /opt/bro/bin/trace-summary
-- Installing: /opt/bro/share/man/man1/trace-summary.1
-- Installing: /opt/bro/bin/bro-cut
-- Installing: /opt/bro/share/man/man1/bro-cut.1
-- Installing: /opt/bro/etc/broccoli.conf
-- Installing: /opt/bro/bin/broccoli-config
-- Installing: /opt/bro/lib/libbroccoli.so.5.1.0
-- Installing: /opt/bro/lib/libbroccoli.so.5
-- Installing: /opt/bro/lib/libbroccoli.so
-- Set runtime path of "/opt/bro/lib/libbroccoli.so.5.1.0" to "/opt/bro/lib"
-- Installing: /opt/bro/lib/libbroccoli.a
-- Installing: /opt/bro/include/broccoli.h
-- Installing: /opt/bro/lib/broctl/broccoli.py
-- Installing: /opt/bro/lib/broctl/_broccoli_intern.so
-- Set runtime path of "/opt/bro/lib/broctl/_broccoli_intern.so" to "/opt/bro/lib"
-- Installing: /opt/bro/lib/broctl/broccoli_intern.py
make[1]: Leaving directory '/root/bro-2.4.1/build'
Next, you will need to export PATH environment for Bro. You can do this using the following command:
export PATH=/opt/bro/bin:$PATH
Next, you will need to add the PATH environment in ~/.profile file to make the change permanent.
nano ~/.profile
Add the following line:
PATH=/opt/bro/bin:$PATH
Save and close the file, when you are finished.
First, you will need to specify the network interface which you want to monitor. You can do this by editing /opt/bro/etc/node.cfg file:
nano /opt/bro/etc/node.cfg
Make the following lines as per your network interface:
[bro]
type=standalone
host=localhost
interface=eth0
Save and close the file. Then, specify your network IP range that you want to monitor.
nano /opt/bro/etc/networks.cfg
Add the following lines:
192.168.1.0/24 Private IP space
192.168.0.0/16 Private IP space
Save and close the file. Then, you will need to configure broctl.cfg file for mail and logging settings:
nano /opt/bro/etc/broctl.cfg
Make the following changes:
# Mail Options
# Recipient address for all emails sent out by Bro and BroControl.
MailTo = admin@example.com
Save and close the file. Then, start service with the following command:
broctl deploy
Output:
checking configurations ...
installing ...
removing old policies in /opt/bro/spool/installed-scripts-do-not-touch/site ...
removing old policies in /opt/bro/spool/installed-scripts-do-not-touch/auto ...
creating policy directories ...
installing site policies ...
generating standalone-layout.bro ...
generating local-networks.bro ...
generating broctl-config.bro ...
generating broctl-config.sh ...
updating nodes ...
stopping ...
stopping bro ...
starting ...
starting bro ...
Next, you can check the status of Bro service with the following command:
broctl status
Output:
Getting process status ...
Getting peer status ...
Name Type Host Status Pid Peers Started
bro standalone localhost running 22983 0 27 Oct 23:16:55
You can also start, restart and stop Bro service with the following command:
broctl start
broctl restart
broctl stop
Next, you will need to setup Cron service for Bro. So it can restart Bro if it crashes. You can do this by editing /etc/cron.d/bro file:
nano /etc/cron.d/bro
Make the following changes:
*/5 * * * * root /opt/bro/bin/broctl cron
Save and close the file. Then, restart Cron service with the following command:
systemctl restart cron
Next, you will also need to add Bro service in /etc/rc.local file. So it can start on system startup:
nano /etc/rc.local
Add the following line:
/opt/bro/bin/broctl start
Save and close the file, when you are finished.
Bro IDS is now installed and running. It's time to test Bro IDS.
On the remote system, run the Nmap port scan against your server:
nmap -PN -sS 192.168.0.105
Next, go to the server machine and check the notice.log and conn.log file with the following command:
tail -f /opt/bro/logs/current/notice.log
You should see the following output:
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path notice
#open 2018-10-27-23-25-55
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double
1540662955.235634 - - - - - - - - - Scan::Port_Scan 192.168.0.104 scanned at least 15 unique ports of host 192.168.0.105 in 0m1s local 192.168.0.104 192.168.0.105 - - bro Notice::ACTION_LOG 3600.000000 F - - - - -
1540662964.587979 - - - - - - - - - PacketFilter::Dropped_Packets 1162 packets dropped after filtering, 2621 received, 2621 on link - - - - - bro Notice::ACTION_LOG 3600.000000 F- - - - -
Next, check conn.log file:
tail -f /opt/bro/logs/current/conn.log
You should see the following output:
1540662964.810179 CjKrCF2qvnQdIf4Qf7 192.168.0.104 48691 192.168.0.105 5678 tcp - 0.000011 0 0 REJ T T 0 Sr 1 44 1 40 (empty)
1540662964.810226 CeH5hL24qgTK2Dmx61 192.168.0.104 48691 192.168.0.105 1043 tcp - 0.000010 0 0 REJ T T 0 Sr 1 44 1 40 (empty)
1540662964.909912 C1KWIM3Y8LUW0T9cVe 192.168.0.104 48692 192.168.0.105 5678 tcp - 0.000039 0 0 REJ T T 0 Sr 1 44 1 40 (empty)
1540662964.910039 CdvPG22cukVMONXJ5l 192.168.0.104 48692 192.168.0.105 1688 tcp - 0.000011 0 0 REJ T T 0 Sr 1 44 1 40 (empty)
1540662964.910087 C8nAx11w44P6iJKBdg 192.168.0.104 48692 192.168.0.105 1132 tcp - 0.000009 0 0 REJ T T 0 Sr 1 44 1 40 (empty)
1540662964.912367 CNahQj2KriyVP4BuCj 192.168.0.104 48692 192.168.0.105 1043 tcp - 0.000022 0 0 REJ T T 0 Sr 1 44 1 40 (empty)
1540662965.009130 CACQ4I25WEXc0xKY5 192.168.0.104 48691 192.168.0.105 1080 tcp - 0.000042 0 0 REJ T T 0 Sr 1 44 1 40 (empty)
1540662965.109684 Cee9pu2i9MGH5Mqsy2 192.168.0.104 48692 192.168.0.105 1080 tcp - 0.000036 0 0 REJ T T 0 Sr 1 44 1 40 (empty)
1540662913.955455 CEow3k3Zlv5eH1jy34 fe80::8bd:39bd:bab7:b74e 5353 ff02::fb 5353 udp dns 67.271796 1842 0 S0 F F 0 D 24 2994 0 0 (empty)
1540662913.954228 CSu95nzCQCsI6G6ea 192.168.0.103 5353 224.0.0.251 5353 udp dns 67.271164 1842 0 S0 T F 0 D 24 2514 0 0 (empty)
1540662958.663997 C3CWidZr5IPULfkw6 192.168.0.105 35502 91.189.89.199 123 udp - 0.133998 0 48 SHR T F 0 Cd 0 0 1 76 (empty)
1540662963.865028 CLK8oq2E1ShPsWliB2 192.168.0.104 60098 239.255.255.250 1900 udp - 2.991177 688 0 S0 T F 0 D 4 800 0 0 (empty)
1540662998.430665 CN58U54o3BVDhMaXId 192.168.0.103 5353 224.0.0.251 5353 udp dns 13.527360 456 0 S0 T F 0 D 6 624 0 0 (empty)
1540662998.432383 CCgHbI1g5k7Ognhf9h fe80::8bd:39bd:bab7:b74e 5353 ff02::fb 5353 udp dns 13.527121 456 0 S0 F F 0 D 6 744 0 0 (empty)
You can also use broctl help command to list all the option available with broctl:
broctl help
Output:
BroControl Version 1.4
capstats [<nodes>] [<secs>] - Report interface statistics with capstats
check [<nodes>] - Check configuration before installing it
cleanup [--all] [<nodes>] - Delete working dirs (flush state) on nodes
config - Print broctl configuration
cron [--no-watch] - Perform jobs intended to run from cron
cron enable|disable|? - Enable/disable "cron" jobs
deploy - Check, install, and restart
df [<nodes>] - Print nodes' current disk usage
diag [<nodes>] - Output diagnostics for nodes
exec <shell cmd> - Execute shell command on all hosts
exit - Exit shell
install - Update broctl installation/configuration
netstats [<nodes>] - Print nodes' current packet counters
nodes - Print node configuration
peerstatus [<nodes>] - Print status of nodes' remote connections
print <id> [<nodes>] - Print values of script variable at nodes
process <trace> [<op>] [-- <sc>] - Run Bro (with options and scripts) on trace
quit - Exit shell
restart [--clean] [<nodes>] - Stop and then restart processing
scripts [-c] [<nodes>] - List the Bro scripts the nodes will load
start [<nodes>] - Start processing
status [<nodes>] - Summarize node status
stop [<nodes>] - Stop processing
top [<nodes>] - Show Bro processes ala top
update [<nodes>] - Update configuration of nodes on the fly
Commands provided by plugins:
ps.bro [<nodes>] - Show Bro processes on nodes' systems
2,599 posts | 762 followers
FollowAlibaba Clouder - August 2, 2019
Alibaba Clouder - June 13, 2019
Alibaba Clouder - February 25, 2019
Alibaba Clouder - June 25, 2018
Alibaba Clouder - June 13, 2019
Alibaba Clouder - June 13, 2019
2,599 posts | 762 followers
FollowElastic and secure virtual cloud servers to cater all your cloud hosting needs.
Learn MoreMarketplace is an online market for users to search and quickly use the software as image for Alibaba Cloud products.
Learn MoreAutomate performance monitoring of all your web resources and applications in real-time
Learn MoreMore Posts by Alibaba Clouder