Network Analysis: How To Install Bro On Ubuntu 16.04

Bro Network Analysis Logo

Introduction: Bro Network Analysis Framework

Bro is an open source network analysis framework with a focus on network security monitoring. It is the result of 15 years of research, widely used by major universities, research labs, supercomputing centers and many open-science communities. It is developed mainly at the International Computer Science Institute, in Berkeley, and the National Center for Supercomputing Applications, in Urbana-Champaign.

Bro has various features, including the following:

  • Bro’s scripting language enables site-specific monitoring policies
  • Targeting of high-performance networks
  • Analyzers for many protocols, enabling high-level semantic analysis at the application level
  • It keeps extensive application-layer stats about the network it monitors.
  • Bro interfaces with other applications for real-time exchange of information
  • It comprehensively logs everything and provides a high-level archive of a network’s activity.

This tutorial explains how to build from source and install Bro on an Ubuntu 16.04 Server.

Prerequisites

Bro has many dependencies:

Building from source requires also:

  • CMake 2.8+
  • Make
  • GCC 4.8+ or Clang 3.3+
  • SWIG
  • GNU Bison
  • Flex
  • Libpcap headers
  • OpenSSL headers
  • zlib headers

Getting Started

First of all, install all the required dependencies, by executing the following command:

# apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev

Install GeoIP Database for IP Geolocation

Bro depends on GeoIP for address geolocation. Install both the IPv4 and IPv6 versions:

$ wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
$wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCityv6-beta/GeoLiteCityv6.dat.gz

Decompress both archives:

$ gzip -d GeoLiteCity.dat.gz
$ gzip -d GeoLiteCityv6.dat.gz

Move the decompressed files to /usr/share/GeoIP directory:

# mvGeoLiteCity.dat /usr/share/GeoIP/GeoIPCity.dat
# mv GeoLiteCityv6.dat /usr/share/GeoIP/GeoIPCityv6.dat

Now, it’s possible to build Bro from source.

Build Bro

The latest Bro development version can be obtained through git repositories. Execute the following command:

$ git clone --recursive git://git.bro.org/bro

Go to the cloned directory and simply build Bro with the following commands:

$ cd bro
$ ./configure
$ make

The make command will require some time to build everything. The exact amount of time, of course, depends on the server performances.

The configure script can be executed with some argument to specify what dependencies you want build to, in particular the --with-* options.

Install Bro

Inside the cloned bro directory, execute:

# make install

The default installation path is /usr/local/bro.

Configure Bro

Bro configuration files are located in the /usr/local/bro/etc directory. There are three files:

  • node.cfg, used to configure which node (or nodes) to monitor.
  • broctl.cfg, the BroControl configuration file.
  • networks.cgf, containing a list of networks in CIDR notation.

Configure Mail Settings

Open the broctl.cfg configuration file:

# $EDITOR /usr/local/bro/etc/broctl.cfg

Look for the Mail Options section, and edit the MailTo line as follow:

# Recipient address for emails sent out by Bro and BroControl
MailTo = admin[email protected]

Save and close. There are many other options, but in most cases the defaults are good enough.

Choose Nodes To Monitor

Out of the box, Bro is configured to operate in the standalone mode. In this tutorial we are doing a standalone installation, so it’s not necessary to change very much. However, look at the node.cfg configuration file:

# $EDITOR /usr/local/bro/etc/node.cfg

In the [bro] section, you should see something like this:

[bro]
type=standalone
host=localhost
interface=eth0

Make sure that the interface matches the public interface of the Ubuntu 16.04 server.

Save and exit.

Configure Node’s Networks

The last file to edit isĀ network.cfg. Open it with a text editor:

# $EDITOR /usr/local/bro/etc/networks.cfg

By default, you should see the following content:

# List of local networks in CIDR notation, optionally followed by a
# descriptive tag.
# For example, "10.0.0.0/8" or "fe80::/64" are valid prefixes.

10.0.0.0/8          Private IP space
172.16.0.0/12       Private IP space
192.168.0.0/16      Private IP space

Delete the three entries (which are just example for how to use this file), and enter the public and private IP space of your server, in the format:

X.X.X.X/X        Public IP space
X.X.X.X/X        Private IP space

Save and exit.

Manage Bro Installation with BroControl

Managing Bro requires using BroControl, which comes in form of an interactive shell and a command line tool. Start the shell with:

# /usr/local/bro/bin/broctl

To use as a command line tool, just pass an argument to the previous command, for example:

# /usr/local/bro/bin/broctl status

This will check Bro’s status, by showing output like:

Name         Type       Host          Status    Pid    Started
bro          standalone localhost     running   6807   20 Jul 12:30:50

Conclusion

This concludes the Bro’s installation tutorial. We used the source based installation because it is the most efficient way to obtain the latest version available, however this network analysis framework can also be downloaded in pre-built binary format.

See you next time!