How to Install Bro IDS 2.5 on Ubuntu 16.0x

I decided to write out the steps I took to for installing Bro IDS 2.5 on Ubuntu 16.0x. Before we begin installing Bro from source we need to make sure we have all the correct dependencies.

On Ubuntu 16.0x you can run the following:

sudo apt-get install cmake make gcc g++ flex git bison libpcap-dev libssl-dev python-dev swig zlib1g-dev

Installing Notifications
In order to get notification emails from Bro we’ll install Sendmail

sudo apt-get install sendmail

Installing GeoIP
Having GeoIP on your Bro box is a great addition.

sudo apt-get install libgeoip-dev
sudo chown -R sniper:sniper /usr/share/GeoIP/
cd /usr/share/GeoIP/
mv GeoIP.dat GeoIP.dat.old
mv GeoIPv6.dat GeoIPv6.dat.old
gunzip GeoLiteCity.dat.gz
gunzip GeoLiteCityv6.dat.gz
mv GeoLiteCity.dat GeoIPCity.dat
mv GeoLiteCityv6.dat GeoIPCityv6.dat

Installing IPSumDump

gunzip ipsumdump-1.85.tar.gz
tar -xvf ipsumdump-1.85.tar
cd ipsumdump-1.85/
sudo make install

Installing GPerftools

sudo apt-get install libgoogle-perftools-dev

Installing PF_Ring

git clone
cd PF_RING/kernel/
make && sudo make install
cd ../userland/lib
./configure --prefix=/opt/pfring
sudo make install
cd ../libpcap
./configure --prefix=/opt/pfring
sudo make install
cd ../tcpdump
./configure --prefix=/opt/pfring
sudo make install
sudo ldconfig
sudo modprobe pf_ring

To check if you have everything you need, enter:

modinfo pf_ring && cat /proc/net/pf_ring/info

Installing Bro from Source

git clone --recursive git://
cd bro
./configure --with-pcap=/opt/pfring
sudo make install

Make sure that Bro is configured to use PF_Ring

ldd /usr/local/bro/bin/bro | grep pcap
Bro IDS Image 1 - Confirming Pfring Installation
Bro IDS Image 1 – Confirming Pfring Installation

Now adjust your PATH environment

export PATH=/usr/local/bro/bin:$PATH
echo 'export PATH=/usr/local/bro/bin:$PATH' >> ~/.bashrc

Now to test that GeoIP is working.

bro -e "print lookup_location(;"

[country_code=US, region=CA, city=Mountain View, latitude=37.384499, longitude=-122.088097]

Configuring Bro
Next we need to configure Bro

The first step is letting Bro know which interface it needs to monitor.

sudo nano /usr/local/bro/etc/node.cfg
# Example BroControl node configuration.
# This example has a standalone node ready to go except for possibly changing
# the sniffing interface.
# This is a complete standalone configuration. Most likely you will
# only need to change the interface.


type=standalone host=localhost interface=eth0

Running Broctl


(I got the below error message concerning permissions since I was running as a non-root user.)

Bro IDS Image 2 – Local User Permission Error
Bro IDS Image 2 – Local User Permission Error

So I modified the permissions with “chown”.

sudo chown -R sniper:sniper /usr/local/bro/spool/
sudo chown -R sniper:sniper /usr/local/bro/logs/
sudo setcap cap_net_raw,cap_net_admin=eip /usr/local/bro/bin/bro
sudo setcap cap_net_raw,cap_net_admin=eip /usr/local/bro/bin/broctl
Bro IDS Image 3 – Running Bro
Bro IDS Image 3 – Running Bro

Now we just need to start Bro


[BroControl] >install
[BroControl] >status

Bro IDS Image 4 – Checking Bro Status
Bro IDS Image 4 – Checking Bro Status

And we’re in business.

And as always, thank you for taking the time to read this. If you have any comments, questions, or critiques, please reach out to me on our FREE ML Security Discord Server – HERE

Related Posts