I decided to write out the steps I took to install Bro IDS 2.5 on Ubuntu 16.0x. Before we begin installing Bro from source we need to make sure we have all the correct dependencies.
On Ubuntu 16.0x you can run the following:
sudo apt-get install cmake make gcc g++ flex git bison libpcap-dev libssl-dev python-dev swig zlib1g-dev
Installing Notifications
In order to get notification emails from Bro we’ll install Sendmail.
sudo apt-get install sendmail
Installing GeoIP
Having GeoIP on your Bro box is a great addition.
sudo apt-get install libgeoip-dev
sudo chown -R sniper:sniper /usr/share/GeoIP/
cd /usr/share/GeoIP/
mv GeoIP.dat GeoIP.dat.old
mv GeoIPv6.dat GeoIPv6.dat.old
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCityv6-beta/GeoLiteCityv6.dat.gz
gunzip GeoLiteCity.dat.gz
gunzip GeoLiteCityv6.dat.gz
mv GeoLiteCity.dat GeoIPCity.dat
mv GeoLiteCityv6.dat GeoIPCityv6.dat
Installing IPSumDump
wget http://www.read.seas.harvard.edu/~kohler/ipsumdump/ipsumdump-1.85.tar.gz
gunzip ipsumdump-1.85.tar.gz
tar -xvf ipsumdump-1.85.tar
cd ipsumdump-1.85/
./configure
make
sudo make install
Installing GPerftools
sudo apt-get install libgoogle-perftools-dev
Installing PF_Ring
git clone https://github.com/ntop/PF_RING.git
cd PF_RING/kernel/
make && sudo make install
cd ../userland/lib
./configure --prefix=/opt/pfring
sudo make install
cd ../libpcap
./configure --prefix=/opt/pfring
sudo make install
cd ../tcpdump
./configure --prefix=/opt/pfring
sudo make install
sudo ldconfig
sudo modprobe pf_ring
To check if you have everything you need, enter:
modinfo pf_ring && cat /proc/net/pf_ring/info
Installing Bro from Source
git clone --recursive git://git.bro.org/bro
cd bro
./configure --with-pcap=/opt/pfring
make
sudo make install
Make sure that Bro is linked against the PF_Ring libpcap (the path printed for libpcap should be under /opt/pfring):
ldd /usr/local/bro/bin/bro | grep pcap

Now adjust your PATH environment variable so the Bro binaries are found:
export PATH=/usr/local/bro/bin:$PATH
echo 'export PATH=/usr/local/bro/bin:$PATH' >> ~/.bashrc
Now to test that GeoIP is working.
bro -e "print lookup_location(8.8.8.8);"
[country_code=US, region=CA, city=Mountain View, latitude=37.384499, longitude=-122.088097]
Configuring Bro
Next we need to configure Bro.
The first step is letting Bro know which interface it needs to monitor.
sudo nano /usr/local/bro/etc/node.cfg
# Example BroControl node configuration.
#
# This example has a standalone node ready to go except for possibly changing
# the sniffing interface.

# This is a complete standalone configuration. Most likely you will
# only need to change the interface.
[bro]
type=standalone
host=localhost
interface=eth0
Running Broctl
broctl
(I got the below error message concerning permissions since I was running as a non-root user.)

So I modified the permissions with “chown”.
sudo chown -R sniper:sniper /usr/local/bro/spool/
sudo chown -R sniper:sniper /usr/local/bro/logs/
sudo setcap cap_net_raw,cap_net_admin=eip /usr/local/bro/bin/bro
sudo setcap cap_net_raw,cap_net_admin=eip /usr/local/bro/bin/broctl

Now we just need to start Bro:
broctl
[BroControl] >install
[BroControl] >status

And we’re in business.
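As an added check (not part of the original post), here is a small POSIX shell preflight that verifies the things this guide tells you to confirm by hand: that bro is linked against the PF_Ring libpcap under /opt/pfring, that the pf_ring module is loaded, that the setcap capabilities are present on the bro binary, and that the renamed GeoIP city databases exist. The ldd and getcap sample lines are constructed; the paths are the ones used in this guide.

```shell
#!/bin/sh
# Constructed sample lines; real `ldd`/`getcap` output on your box will differ in addresses.
PFRING_LDD='libpcap.so.1 => /opt/pfring/lib/libpcap.so.1 (0x00007f3a1c000000)'
SYSTEM_LDD='libpcap.so.0.8 => /usr/lib/x86_64-linux-gnu/libpcap.so.0.8 (0x00007f3a1c000000)'
CAPS_OK='/usr/local/bro/bin/bro = cap_net_admin,cap_net_raw+eip'

# 0 when an ldd line resolves libpcap under the prefix given to ./configure --with-pcap=/opt/pfring
pcap_is_pfring() {
  case "$1" in
    *'=> /opt/pfring/lib/libpcap'*) return 0 ;;
    *) return 1 ;;
  esac
}

# 0 when a getcap line carries both cap_net_raw and cap_net_admin (the setcap step above)
caps_ok() {
  case "$1" in
    *cap_net_raw*) case "$1" in *cap_net_admin*) return 0 ;; esac ;;
  esac
  return 1
}

# 0 when both renamed GeoLite City databases exist and are non-empty in the given directory
geoip_present() {
  dir="${1:-/usr/share/GeoIP}"
  for f in GeoIPCity.dat GeoIPCityv6.dat; do
    [ -s "$dir/$f" ] || return 1
  done
  return 0
}

# Full preflight against a live install; one line per check, non-zero return if anything failed
preflight() {
  bro="${1:-/usr/local/bro/bin/bro}"
  rc=0
  if pcap_is_pfring "$(ldd "$bro" 2>/dev/null | grep libpcap)"; then echo "ok: bro uses PF_RING libpcap"
  else echo "FAIL: bro is not linked against /opt/pfring/lib/libpcap"; rc=1; fi
  if [ -r /proc/net/pf_ring/info ]; then echo "ok: pf_ring module loaded"
  else echo "FAIL: pf_ring module not loaded (modprobe pf_ring)"; rc=1; fi
  if caps_ok "$(getcap "$bro" 2>/dev/null)"; then echo "ok: cap_net_raw,cap_net_admin set on $bro"
  else echo "FAIL: capabilities missing on $bro (rerun setcap)"; rc=1; fi
  if geoip_present; then echo "ok: GeoIPCity.dat and GeoIPCityv6.dat present"
  else echo "FAIL: GeoIP city databases missing in /usr/share/GeoIP"; rc=1; fi
  return "$rc"
}

# To run on a live box: sh preflight.sh run
[ "${1:-}" = run ] && preflight
```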
And as always, thank you for taking the time to read this. If you have any comments, questions, or critiques, please reach out to me on our FREE ML Security Discord Server – HERE
