×
Community Blog How to Install Bro IDS on Ubuntu 16.04

How to Install Bro IDS on Ubuntu 16.04

In this tutorial, we will be installing and configuring Bro IDS on an Alibaba Cloud Elastic Compute Service (ECS) Ubuntu 16.04 server.

By Hitesh Jethva, Alibaba Cloud Tech Share Author. Tech Share is Alibaba Cloud's incentive program to encourage the sharing of technical knowledge and best practices within the cloud community.

Bro is a free, open source and powerful network analysis framework that can be used for network security monitoring. Bro IDS has an ability to monitor traffic in a very high-performance environment and it is much different from the typical IDS. You can easily detect brute-force attacks against different network services and SQL injection attacks using Bro. It is specifically well-suited for scientific environments. Bro is typically deployed at a site's upstream link and monitors all external packets coming in or going out. Bro comes with analyzers for many protocols, enabling high-level semantic analysis at the application layer. Bro is most widely used by major universities, supercomputing centers and research labs.

In this tutorial, we will be installing and configuring Bro IDS on an Alibaba Cloud Elastic Compute Service (ECS) Ubuntu 16.04 server.

Requirements

  • A fresh Alibaba Cloud Ubuntu 16.04 instance.
  • A root password is set up to your instance.
  • A static IP address 192.168.0.105 is set up to your instance.

Launch Alibaba Cloud ECS Instance

First, Login to your Alibaba Cloud ECS Console. Create a new ECS instance, choosing Ubuntu 16.04 as the operating system with at least 2GB RAM. Connect to your ECS instance and log in as the root user.

Once you are logged into your Ubuntu 16.04 instance, run the following command to update your base system with the latest available packages.

apt-get update -y

Install Required Packages

Before starting, you will need to install some dependencies required by Bro IDS. You can install all of them by just running the following command:

apt-get install cmake make gcc g++ flex git bison python-dev swig libgeoip-dev libpcap-dev libssl-dev zlib1g-dev -ylibgeoip-dev -y

Next, you will need to download a GeoIP database for IP address geolocation. You can download it with the following command:

cd /usr/share/GeoIP/
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCityv6-beta/GeoLiteCityv6.dat.gz

Next, extract the downloaded database with the following command:

tar -xvzf GeoLiteCity.dat.gz
tar -xvzf GeoLiteCityv6.dat.gz

Next, rename both extracted files as shown below:

mv GeoLiteCity.dat GeoIPCity.dat
mv GeoLiteCityv6.dat GeoIPCity.dat

Install Bro IDS

Next, you will need to download the latest version of Bro from their official website. You can download it with the following command:

wget http://www.bro.org/downloads/release/bro-2.4.1.tar.gz

Once the download is completed, extract the downloaded file with the following command:

tar -xvzf bro-2.4.1.tar.gz

Next, create a directory for Bro installation:

mkdir /opt/bro

Next, change the directory to the bro-2.4.1 and configure it with the following command:

cd bro-2.4.1
./configure --prefix=/opt/bro

Output:

Broker:            
Broccoli:          true
Broctl:            true
Aux. Tools:        true

GeoIP:             true
gperftools found:  false
        tcmalloc:  false
       debugging:  false
jemalloc:          false

================================================================

-- Configuring done
-- Generating done
-- Build files have been written to: /root/bro-2.4.1/build

Next, install Bro with the following command:

make 
make install

Once the installation is completed, you should see the following Output:

-- Set runtime path of "/opt/bro/lib/broctl/_SubnetTree.so" to "/opt/bro/lib"
-- Installing: /opt/bro/bin/capstats
-- Set runtime path of "/opt/bro/bin/capstats" to "/opt/bro/lib"
-- Installing: /opt/bro/bin/trace-summary
-- Installing: /opt/bro/share/man/man1/trace-summary.1
-- Installing: /opt/bro/bin/bro-cut
-- Installing: /opt/bro/share/man/man1/bro-cut.1
-- Installing: /opt/bro/etc/broccoli.conf
-- Installing: /opt/bro/bin/broccoli-config
-- Installing: /opt/bro/lib/libbroccoli.so.5.1.0
-- Installing: /opt/bro/lib/libbroccoli.so.5
-- Installing: /opt/bro/lib/libbroccoli.so
-- Set runtime path of "/opt/bro/lib/libbroccoli.so.5.1.0" to "/opt/bro/lib"
-- Installing: /opt/bro/lib/libbroccoli.a
-- Installing: /opt/bro/include/broccoli.h
-- Installing: /opt/bro/lib/broctl/broccoli.py
-- Installing: /opt/bro/lib/broctl/_broccoli_intern.so
-- Set runtime path of "/opt/bro/lib/broctl/_broccoli_intern.so" to "/opt/bro/lib"
-- Installing: /opt/bro/lib/broctl/broccoli_intern.py
make[1]: Leaving directory '/root/bro-2.4.1/build'

Next, you will need to export PATH environment for Bro. You can do this using the following command:

export PATH=/opt/bro/bin:$PATH

Next, you will need to add the PATH environment in ~/.profile file to make the change permanent.

nano ~/.profile

Add the following line:

PATH=/opt/bro/bin:$PATH

Save and close the file, when you are finished.

Configure Bro IDS

First, you will need to specify the network interface which you want to monitor. You can do this by editing /opt/bro/etc/node.cfg file:

nano /opt/bro/etc/node.cfg

Make the following lines as per your network interface:

[bro] 
type=standalone 
host=localhost 
interface=eth0

Save and close the file. Then, specify your network IP range that you want to monitor.

nano /opt/bro/etc/networks.cfg

Add the following lines:

192.168.1.0/24 Private IP space 
192.168.0.0/16 Private IP space

Save and close the file. Then, you will need to configure broctl.cfg file for mail and logging settings:

nano /opt/bro/etc/broctl.cfg

Make the following changes:

# Mail Options

# Recipient address for all emails sent out by Bro and BroControl.
MailTo = admin@example.com

Save and close the file. Then, start service with the following command:

broctl deploy

Output:

checking configurations ...
installing ...
removing old policies in /opt/bro/spool/installed-scripts-do-not-touch/site ...
removing old policies in /opt/bro/spool/installed-scripts-do-not-touch/auto ...
creating policy directories ...
installing site policies ...
generating standalone-layout.bro ...
generating local-networks.bro ...
generating broctl-config.bro ...
generating broctl-config.sh ...
updating nodes ...
stopping ...
stopping bro ...
starting ...
starting bro ...

Next, you can check the status of Bro service with the following command:

broctl status

Output:

Getting process status ...
Getting peer status ...
Name         Type       Host          Status    Pid    Peers  Started
bro          standalone localhost     running   22983  0      27 Oct 23:16:55

You can also start, restart and stop Bro service with the following command:

broctl start
broctl restart
broctl stop

Configure Cron for Bro

Next, you will need to setup Cron service for Bro. So it can restart Bro if it crashes. You can do this by editing /etc/cron.d/bro file:

nano /etc/cron.d/bro

Make the following changes:

*/5 * * * * root /opt/bro/bin/broctl cron

Save and close the file. Then, restart Cron service with the following command:

systemctl restart cron

Next, you will also need to add Bro service in /etc/rc.local file. So it can start on system startup:

nano /etc/rc.local

Add the following line:

/opt/bro/bin/broctl start

Save and close the file, when you are finished.

Test Bro IDS

Bro IDS is now installed and running. It's time to test Bro IDS.

On the remote system, run the Nmap port scan against your server:

nmap -PN -sS 192.168.0.105

Next, go to the server machine and check the notice.log and conn.log file with the following command:

tail -f /opt/bro/logs/current/notice.log

You should see the following output:

#separator \x09
#set_separator    ,
#empty_field    (empty)
#unset_field    -
#path    notice
#open    2018-10-27-23-25-55
#fields    ts    uid    id.orig_h    id.orig_p    id.resp_h    id.resp_p    fuid    file_mime_type    file_desc    proto    note    msg    sub    src    dst    p    n    peer_descr    actions    suppress_for    dropped    remote_location.country_code    remote_location.region    remote_location.city    remote_location.latitude    remote_location.longitude
#types    time    string    addr    port    addr    port    string    string    string    enum    enum    string    string    addr    addr    port    count    string    set[enum]    interval    bool    string    string    string    double    double
1540662955.235634    -    -    -    -    -    -    -    -    -    Scan::Port_Scan    192.168.0.104 scanned at least 15 unique ports of host 192.168.0.105 in 0m1s    local    192.168.0.104    192.168.0.105    -    -    bro    Notice::ACTION_LOG    3600.000000    F    -    -    -    -    -
1540662964.587979    -    -    -    -    -    -    -    -    -    PacketFilter::Dropped_Packets    1162 packets dropped after filtering, 2621 received, 2621 on link    -    -    -    -    -    bro    Notice::ACTION_LOG    3600.000000    F-    -    -    -    -

Next, check conn.log file:

tail -f /opt/bro/logs/current/conn.log

You should see the following output:

1540662964.810179    CjKrCF2qvnQdIf4Qf7    192.168.0.104    48691    192.168.0.105    5678    tcp    -    0.000011    0    0    REJ    T    T    0    Sr    1    44    1    40    (empty)
1540662964.810226    CeH5hL24qgTK2Dmx61    192.168.0.104    48691    192.168.0.105    1043    tcp    -    0.000010    0    0    REJ    T    T    0    Sr    1    44    1    40    (empty)
1540662964.909912    C1KWIM3Y8LUW0T9cVe    192.168.0.104    48692    192.168.0.105    5678    tcp    -    0.000039    0    0    REJ    T    T    0    Sr    1    44    1    40    (empty)
1540662964.910039    CdvPG22cukVMONXJ5l    192.168.0.104    48692    192.168.0.105    1688    tcp    -    0.000011    0    0    REJ    T    T    0    Sr    1    44    1    40    (empty)
1540662964.910087    C8nAx11w44P6iJKBdg    192.168.0.104    48692    192.168.0.105    1132    tcp    -    0.000009    0    0    REJ    T    T    0    Sr    1    44    1    40    (empty)
1540662964.912367    CNahQj2KriyVP4BuCj    192.168.0.104    48692    192.168.0.105    1043    tcp    -    0.000022    0    0    REJ    T    T    0    Sr    1    44    1    40    (empty)
1540662965.009130    CACQ4I25WEXc0xKY5    192.168.0.104    48691    192.168.0.105    1080    tcp    -    0.000042    0    0    REJ    T    T    0    Sr    1    44    1    40    (empty)
1540662965.109684    Cee9pu2i9MGH5Mqsy2    192.168.0.104    48692    192.168.0.105    1080    tcp    -    0.000036    0    0    REJ    T    T    0    Sr    1    44    1    40    (empty)
1540662913.955455    CEow3k3Zlv5eH1jy34    fe80::8bd:39bd:bab7:b74e    5353    ff02::fb    5353    udp    dns    67.271796    1842    0    S0    F    F    0    D    24    2994    0    0    (empty)
1540662913.954228    CSu95nzCQCsI6G6ea    192.168.0.103    5353    224.0.0.251    5353    udp    dns    67.271164    1842    0    S0    T    F    0    D    24    2514    0    0    (empty)
1540662958.663997    C3CWidZr5IPULfkw6    192.168.0.105    35502    91.189.89.199    123    udp    -    0.133998    0    48    SHR    T    F    0    Cd    0    0    1    76    (empty)
1540662963.865028    CLK8oq2E1ShPsWliB2    192.168.0.104    60098    239.255.255.250    1900    udp    -    2.991177    688    0    S0    T    F    0    D    4    800    0    0    (empty)
1540662998.430665    CN58U54o3BVDhMaXId    192.168.0.103    5353    224.0.0.251    5353    udp    dns    13.527360    456    0    S0    T    F    0    D    6    624    0    0    (empty)
1540662998.432383    CCgHbI1g5k7Ognhf9h    fe80::8bd:39bd:bab7:b74e    5353    ff02::fb    5353    udp    dns    13.527121    456    0    S0    F    F    0    D    6    744    0    0    (empty)

You can also use broctl help command to list all the option available with broctl:

broctl help

Output:

BroControl Version 1.4

  capstats [<nodes>] [<secs>]      - Report interface statistics with capstats
  check [<nodes>]                  - Check configuration before installing it
  cleanup [--all] [<nodes>]        - Delete working dirs (flush state) on nodes
  config                           - Print broctl configuration
  cron [--no-watch]                - Perform jobs intended to run from cron
  cron enable|disable|?            - Enable/disable "cron" jobs
  deploy                           - Check, install, and restart
  df [<nodes>]                     - Print nodes' current disk usage
  diag [<nodes>]                   - Output diagnostics for nodes
  exec <shell cmd>                 - Execute shell command on all hosts
  exit                             - Exit shell
  install                          - Update broctl installation/configuration
  netstats [<nodes>]               - Print nodes' current packet counters
  nodes                            - Print node configuration
  peerstatus [<nodes>]             - Print status of nodes' remote connections
  print <id> [<nodes>]             - Print values of script variable at nodes
  process <trace> [<op>] [-- <sc>] - Run Bro (with options and scripts) on trace
  quit                             - Exit shell
  restart [--clean] [<nodes>]      - Stop and then restart processing
  scripts [-c] [<nodes>]           - List the Bro scripts the nodes will load
  start [<nodes>]                  - Start processing
  status [<nodes>]                 - Summarize node status
  stop [<nodes>]                   - Stop processing
  top [<nodes>]                    - Show Bro processes ala top
  update [<nodes>]                 - Update configuration of nodes on the fly
  
Commands provided by plugins:

  ps.bro [<nodes>]                 - Show Bro processes on nodes' systems
0 0 0
Share on

Alibaba Clouder

2,599 posts | 764 followers

You may also like

Comments