
Author Topic: Network Analysis: How To Install Bro On Ubuntu 16.04  (Read 1588 times)


jibinw

  • Guest
Network Analysis: How To Install Bro On Ubuntu 16.04
« on: April 07, 2018, 03:56:03 pm »
Bro is an open source network analysis framework with a focus on network security monitoring. It is the result of 15 years of research and is widely used by major universities, research labs, supercomputing centers and many open-science communities. (Later in 2018 the project was renamed Zeek, so the bro.org hosts and bro-prefixed file and tool names used in this post now have zeek equivalents.)

Getting Started

First of all, install the required build dependencies. libgeoip-dev is the optional GeoIP library that the next step relies on: configure only enables address geolocation if the library and its headers are present at build time, so it must be installed before you build.

Code:
# apt-get update
# apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev libgeoip-dev

Install GeoIP Database for IP Geolocation

Bro can use the GeoIP legacy city database for address geolocation. Download both the IPv4 and IPv6 versions. Note that these are the legacy GeoLite databases, which MaxMind retired in early 2019, so obtain them from a mirror you trust; the download is plain HTTP with no signature to verify, so prefer an HTTPS source where one is available.

Code:
$ wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
$ wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCityv6-beta/GeoLiteCityv6.dat.gz

Decompress both archives:

Code:
$ gzip -d GeoLiteCity.dat.gz
$ gzip -d GeoLiteCityv6.dat.gz

Move the decompressed files to the /usr/share/GeoIP directory (creating it first if it does not exist), using the file names libGeoIP looks for:

Code:
# mkdir -p /usr/share/GeoIP
# mv GeoLiteCity.dat /usr/share/GeoIP/GeoIPCity.dat
# mv GeoLiteCityv6.dat /usr/share/GeoIP/GeoIPCityv6.dat

Now, it’s possible to build Bro from source.

Build Bro

The latest Bro development version can be obtained from the project's git repository. Be aware that git:// is an unauthenticated, unencrypted transport, so a clone over it can be altered in transit; prefer an https:// clone of the same repository, and build from a release tag rather than from whatever the head of master happens to be if you need a known, reproducible version. Execute the following command:

Code:
$ git clone --recursive git://git.bro.org/bro

Go to the cloned directory and build Bro with the following commands:

Code:
$ cd bro
$ ./configure
$ make

The make command will take some time to build everything; the exact amount of time depends on the server's performance.

The configure script accepts arguments that control which dependencies are used and where to find them, in particular the --with-* options (for example --with-geoip=PATH to point it at a libGeoIP installed in a non-standard location). Run ./configure --help to list them.

Install Bro

Inside the cloned bro directory, execute (as root, since the default prefix is not writable by an ordinary user):

Code:
# make install

The default installation path is /usr/local/bro. The bro and broctl binaries end up in /usr/local/bro/bin, which is not on the default PATH, so the commands below use the full path.
Configure Bro

Bro configuration files are located in the /usr/local/bro/etc directory. There are three files:

  • node.cfg, which defines the Bro nodes (a single standalone node, or the manager, proxies and workers of a cluster) and the interface each capturing node listens on.
  • broctl.cfg, the BroControl configuration file.
  • networks.cfg, containing the list of local networks in CIDR notation.

Configure Mail Settings

Open the broctl.cfg configuration file:

Code:
# $EDITOR /usr/local/bro/etc/broctl.cfg

Look for the Mail Options section, and edit the MailTo line as follows:

Code:
# Recipient address for emails sent out by Bro and BroControl
MailTo = admin@example.com

Save and close. There are many other options, but in most cases the defaults are good enough.

Choose Nodes To Monitor

Out of the box, Bro is configured to operate in standalone mode. In this tutorial we are doing a standalone installation, so there is little to change. However, look at the node.cfg configuration file:

Code:
# $EDITOR /usr/local/bro/etc/node.cfg

In the [bro] section, you should see something like this:

Code:
[bro]
type=standalone
host=localhost
interface=eth0

Make sure that interface names the interface on which the traffic you want to inspect actually arrives: the public interface of the Ubuntu 16.04 server, or a mirror/SPAN port feeding this host. Ubuntu 16.04 uses predictable interface names such as ens3 or enp0s3 on most hardware rather than eth0, so check the real name with ip link before trusting the default.

Save and exit.

Configure Node's Networks

The last file to edit is networks.cfg. Open it with a text editor:

Code:
# $EDITOR /usr/local/bro/etc/networks.cfg

By default, you should see the following content:

Code:
# List of local networks in CIDR notation, optionally followed by a
# descriptive tag.
# For example, "10.0.0.0/8" or "fe80::/64" are valid prefixes.

10.0.0.0/8          Private IP space
172.16.0.0/12       Private IP space
192.168.0.0/16      Private IP space

BroControl turns this list into Bro's Site::local_nets, which the policy scripts consult to decide whether an address is local or remote (for instance which side of a connection a notice or scan alert is about), so an inaccurate list produces misleading results. Replace the three RFC 1918 entries with the prefixes that are actually local to this server, both its public range and the private ranges your network really uses, in the format:

Code:
X.X.X.X/X        Public IP space
X.X.X.X/X        Private IP space

Save and exit.
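Before handing the two files above to BroControl, it is worth sanity-checking them. The following is an added example, written here in Python; it is not part of this post and not code from Bro or BroControl. It parses a constructed node.cfg and networks.cfg in the formats shown above, reports a capture interface that does not exist on the host (the interface list is passed in rather than read from /sys/class/net so the check runs anywhere), rejects CIDR entries with host bits set (a strictness of my choosing, not a documented BroControl rule), and answers the question the networks list exists for: is a given address local? The file contents are constructed inline, and 203.0.113.0/24 is a documentation prefix standing in for a real public range.

```python
import configparser
import ipaddress

# Constructed sample of /usr/local/bro/etc/node.cfg (standalone layout, as in the post).
NODE_CFG = """\
# Example BroControl node configuration file.
[bro]
type=standalone
host=localhost
interface=eth0
"""

# Constructed sample of /usr/local/bro/etc/networks.cfg; 203.0.113.0/24 is a
# documentation prefix standing in for the server's real public range.
NETWORKS_CFG = """\
# List of local networks in CIDR notation, optionally followed by a
# descriptive tag.
203.0.113.0/24      Public IP space
10.0.0.0/8          Private IP space
fe80::/64           Link-local
"""

VALID_NODE_TYPES = {"standalone", "manager", "proxy", "worker"}


def parse_node_cfg(text):
    """Return {node_name: {"type", "host", "interface"}} from node.cfg text."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return {
        name: {
            "type": cp[name].get("type"),
            "host": cp[name].get("host"),
            "interface": cp[name].get("interface"),
        }
        for name in cp.sections()
    }


def check_node_cfg(nodes, host_interfaces):
    """Return a list of problems; an empty list means the layout looks sane.

    host_interfaces is the set of interface names present on the monitoring
    host (on Linux, the entries of /sys/class/net); it is passed in so the
    check does not depend on the machine it runs on.
    """
    problems = []
    if any(n["type"] == "standalone" for n in nodes.values()) and len(nodes) != 1:
        problems.append("a standalone node must be the only node defined")
    for name, n in nodes.items():
        if n["type"] not in VALID_NODE_TYPES:
            problems.append(f"{name}: unknown type {n['type']!r}")
            continue
        if n["type"] in ("standalone", "worker"):
            # These are the node types that actually sniff packets.
            if not n["interface"]:
                problems.append(f"{name}: capture node has no interface")
            elif n["interface"] not in host_interfaces:
                problems.append(f"{name}: interface {n['interface']} not present on host")
    return problems


def parse_networks_cfg(text):
    """Return [(ip_network, tag)] from networks.cfg text.

    strict=True rejects prefixes with host bits set (e.g. 192.168.1.5/24),
    which is almost always a typo for the network address; that strictness
    is this checker's choice, not a documented BroControl rule.
    """
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)  # prefix, then optional descriptive tag
        prefix = parts[0]
        tag = parts[1].strip() if len(parts) > 1 else ""
        try:
            net = ipaddress.ip_network(prefix, strict=True)
        except ValueError as exc:
            raise ValueError(f"networks.cfg line {lineno}: {exc}") from exc
        nets.append((net, tag))
    return nets


def is_local(address, nets):
    """True if address falls inside any configured local network (v4 or v6)."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net, _ in nets if net.version == ip.version)


if __name__ == "__main__":
    nodes = parse_node_cfg(NODE_CFG)
    print("node.cfg problems:", check_node_cfg(nodes, {"lo", "eth0"}) or "none")
    nets = parse_networks_cfg(NETWORKS_CFG)
    for addr in ("10.20.30.40", "203.0.113.7", "8.8.8.8", "fe80::1"):
        print(f"{addr:>14} local={is_local(addr, nets)}")
```

Running it on the real files is a matter of reading /usr/local/bro/etc/node.cfg and networks.cfg into the two parsers and passing the names under /sys/class/net as host_interfaces; the interface check is the one that catches the eth0-versus-ens3 mismatch before broctl does.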

Manage Bro Installation with BroControl

Managing Bro requires using BroControl, which comes in the form of an interactive shell and a command line tool. Start the shell with:

Code:
# /usr/local/bro/bin/broctl

To use it as a command line tool, just pass the command as an argument to the previous command. Editing the files under /usr/local/bro/etc does not by itself start anything or change a running instance: after any configuration change, push the configuration and (re)start Bro with:

Code:
# /usr/local/bro/bin/broctl deploy

deploy checks the configuration and policy scripts for errors, installs them and restarts Bro (on BroControl versions that predate it, run check, install and restart separately). Then confirm the node is up:

Code:
# /usr/local/bro/bin/broctl status

This checks Bro's status, showing output like:

Code:
Name         Type       Host          Status    Pid    Started
bro          standalone localhost     running   6807   20 Jul 12:30:50

Conclusion

This concludes the Bro installation tutorial. We used the source based installation because it is the most direct way to obtain the latest version available; this network analysis framework can also be downloaded as pre-built binary packages.