How to Install Bro IDS 2.5 on Ubuntu 16.0x

Next Story

SkyDog Con 2016 CTF - Walk Through Guide

I decided to write out the steps I took to for installing Bro IDS 2.5 on Ubuntu 16.0x. Before we begin installing Bro from source we need to make sure we have all the correct dependencies.

On Ubuntu 16.0x you can run the following:

sudo apt-get install cmake make gcc g++ flex git bison libpcap-dev libssl-dev python-dev swig zlib1g-dev

Installing Notifications
In order to get notification emails from Bro we’ll install Sendmail

sudo apt-get install sendmail

Installing GeoIP
Having GeoIP on your Bro box is a great addition.

sudo apt-get install libgeoip-dev
sudo chown -R sniper:sniper /usr/share/GeoIP/
cd /usr/share/GeoIP/
mv GeoIP.dat GeoIP.dat.old
mv GeoIPv6.dat GeoIPv6.dat.old
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCityv6-beta/GeoLiteCityv6.dat.gz
gunzip GeoLiteCity.dat.gz
gunzip GeoLiteCityv6.dat.gz
mv GeoLiteCity.dat GeoIPCity.dat
mv GeoLiteCityv6.dat GeoIPCityv6.dat

Installing IPSumDump

wget http://www.read.seas.harvard.edu/~kohler/ipsumdump/ipsumdump-1.85.tar.gz
gunzip ipsumdump-1.85.tar.gz
tar -xvf ipsumdump-1.85.tar
cd ipsumdump-1.85/
./configure
make
sudo make install

Installing GPerftools

sudo apt-get install libgoogle-perftools-dev

Installing PF_Ring

git clone https://github.com/ntop/PF_RING.git
cd PF_RING/kernel/
make && sudo make install
cd ../userland/lib
./configure --prefix=/opt/pfring
sudo make install
cd ../libpcap
./configure --prefix=/opt/pfring
sudo make install
cd ../tcpdump
./configure --prefix=/opt/pfring
sudo make install
sudo ldconfig
sudo modprobe pf_ring

To check if you have everything you need, enter:

modinfo pf_ring && cat /proc/net/pf_ring/info

Installing Bro from Source

git clone --recursive git://git.bro.org/bro
cd bro
./configure --with-pcap=/opt/pfring
make
sudo make install

Make sure that Bro is configured to use PF_Ring

ldd /usr/local/bro/bin/bro | grep pcap
Bro IDS Image 1 - Confirming Pfring Installation
Bro IDS Image 1 – Confirming Pfring Installation

Now adjust your PATH environment

export PATH=/usr/local/bro/bin:$PATH
echo 'export PATH=/usr/local/bro/bin:$PATH' >> ~/.bashrc

Now to test that GeoIP is working.

bro -e "print lookup_location(8.8.8.8);"

[country_code=US, region=CA, city=Mountain View, latitude=37.384499, longitude=-122.088097]

Configuring Bro
Next we need to configure Bro

The first step is letting Bro know which interface it needs to monitor.

sudo nano /usr/local/bro/etc/node.cfg
# Example BroControl node configuration.
#
# This example has a standalone node ready to go except for possibly changing
# the sniffing interface.

# This is a complete standalone configuration. Most likely you will
# only need to change the interface.
[bro]
type=standalone
host=localhost
interface=eth0

Running Broctl

broctl

(I got the below error message concerning permissions since I was running as a non-root user.)

Bro IDS Image 2 – Local User Permission Error
Bro IDS Image 2 – Local User Permission Error

So I modified the permissions with “chown”.

sudo chown -R sniper:sniper /usr/local/bro/spool/
sudo chown -R sniper:sniper /usr/local/bro/logs/
sudo setcap cap_net_raw,cap_net_admin=eip /usr/local/bro/bin/bro
sudo setcap cap_net_raw,cap_net_admin=eip /usr/local/bro/bin/broctl
Bro IDS Image 3 – Running Bro
Bro IDS Image 3 – Running Bro

 

Now we just need to start Bro

broctl

[BroControl] >install
[BroControl] >status

Bro IDS Image 4 – Checking Bro Status
Bro IDS Image 4 – Checking Bro Status

And we’re in business.