In this tutorial, we will show you how to install the Bro Network Security Monitor on Ubuntu 16.04 LTS. For those of you who didn't know, Bro is an open-source network monitoring framework. In a nutshell, Bro passively watches the packets delivered to it by a network tap or a switch mirror (SPAN) port, optionally across bonded interfaces, turns them into high-level "flow" events, and writes those events as single tab-separated lines in log files. You can then parse these log files to mine information about the traffic on the network you are monitoring. The logs include not only a comprehensive record of every connection seen on the wire, but also application-layer transcripts: all HTTP sessions with their requested URIs, key headers, MIME types and server responses; DNS requests with their replies; SSL certificates; key content of SMTP sessions; and much more.
This article assumes you have at least basic knowledge of Linux, know how to use the shell, and, most importantly, administer the server (or VPS) you are installing on. The installation is quite simple and assumes you are running as root; if not, prefix the commands with sudo to get root privileges. I will show you the step-by-step installation of the Bro Network Security Monitor on Ubuntu 16.04 LTS Xenial Xerus.
Prerequisites
- A server running Ubuntu 16.04; the steps should also work on other Debian-based distributions such as Linux Mint.
- It’s recommended that you use a fresh OS install to prevent any potential issues.
- SSH access to the server (or just open Terminal if you’re on a desktop).
- A non-root sudo user or access to the root user. We recommend acting as a non-root sudo user, however, as you can harm your system if you're not careful when acting as root.
Install Bro Network Security Monitor on Ubuntu 16.04 LTS
Step 1. First, make sure that all your system packages are up to date by running the following apt-get commands in the terminal:
sudo apt-get update
sudo apt-get upgrade
Step 2. Install Required Dependencies.
Install all the required dependencies by executing the following command. Note that libgeoip-dev is included because Bro 2.5 only compiles in GeoIP support when the legacy libGeoIP headers are present at configure time; without it, the database you download in Step 3 is never used:
apt-get install cmake make gcc g++ flex git bison python-dev swig libpcap-dev libssl-dev zlib1g-dev libgeoip-dev
If you want BroControl to e-mail alerts (the MailTo setting in Step 5), also install a sendmail-compatible MTA.
Step 3. Installing the GeoIP Database for IP Geolocation.
You will also need the GeoIP city databases on your system. At the time this tutorial was written they could be fetched with the following commands:
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCityv6-beta/GeoLiteCityv6.dat.gz
gzip -d GeoLiteCity.dat.gz
gzip -d GeoLiteCityv6.dat.gz
Two caveats: the downloads above are plain HTTP, so prefer the HTTPS URL if it is offered; and MaxMind has since retired the GeoLite Legacy (.dat) databases and removed these downloads. Bro 2.5 reads only the legacy .dat format, so if you cannot obtain the files, skip this step: Bro runs without GeoIP and simply leaves geolocation lookups empty.
Now move the GeoIP files to the default location /usr/share/GeoIP/, renaming them to match the file names Bro expects:
mv GeoLiteCity.dat /usr/share/GeoIP/GeoIPCity.dat
mv GeoLiteCityv6.dat /usr/share/GeoIP/GeoIPCityv6.dat
Step 4. Installing Bro Network Security Monitor.
First, download the Bro source from the project website. Bro 2.5.1 was the latest release when this tutorial was written; bro.org now redirects to zeek.org, so if the URL below no longer resolves, fetch the tarball from the project's current download page. Before building, compare the tarball against the checksum the project publishes for that release. Then unpack, configure (the default prefix is /usr/local/bro), build and install:
wget https://www.bro.org/downloads/bro-2.5.1.tar.gz
tar zxvf bro-2.5.1.tar.gz
cd bro-2.5.1
./configure
make
make install
Once Bro is installed, add its bin directory to your PATH. The export below only affects the current shell; append the same line to ~/.profile to make it persistent:
export PATH=/usr/local/bro/bin:$PATH
Step 5. Configure Bro Network Security Monitor.
Bro is a powerful tool; to get started quickly we will follow the quick-start guide on the project page.
Edit the following files before starting ($PREFIX is /usr/local/bro with the default configure prefix):
- $PREFIX/etc/node.cfg -- set the network interface to monitor (it ships with interface=eth0; point it at your tap or mirror port, not the management NIC)
- $PREFIX/etc/networks.cfg -- list your local networks in CIDR notation, so Bro can mark connections as local or remote
- $PREFIX/etc/broctl.cfg -- change the MailTo address and the log rotation settings
To start the program simply enter broctl at a shell. You are now in the broctl shell, from where you can give Bro commands:
[BroControl] >
The first command to run, since this is a new installation, is install. We will then run start and confirm with status:
[BroControl] > install
warning: cannot read '/opt/bro2/spool/broctl.dat' (this is ok on first run)
creating policy directories ... done.
installing site policies ... done.
generating standalone-layout.bro ... done.
generating local-networks.bro ... done.
generating broctl-config.bro ... done.
updating nodes ... done.
[BroControl] > start
starting bro ...
[BroControl] > status
Name         Type        Host        Status    Pid    Peers  Started
bro          standalone  localhost   running   23465  0      21 Jul 10:11:55
The warning names $PREFIX/spool/broctl.dat (with the default prefix that is /usr/local/bro/spool/broctl.dat rather than the /opt/bro2 path shown) and is harmless on a first run. Also schedule broctl cron from root's crontab, for example every five minutes, so BroControl rotates logs and restarts a crashed Bro process; without it logs accumulate unrotated in $PREFIX/spool.
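As an added, end-to-end example of Step 5 (this script is not part of the original tutorial or the Bro project), the shell functions below write the three BroControl files for a single standalone sensor, refuse an interface that does not exist, warn when the chosen interface is the one carrying the default route (almost always the management NIC rather than the tap port), and then run the same check/install/start/status sequence through broctl. The prefix /usr/local/bro, the interface name eth1, the local networks and the mail address are placeholders you must set for your own host; the script file name bro-setup.sh is likewise an assumption.

```shell
#!/bin/sh
# Added example, not from the Bro project or the original tutorial.
# Assumes the default configure prefix; MONITOR_IFACE, LOCAL_NETS and MAIL_TO
# are placeholders to set for your own host before running "deploy".
PREFIX=${PREFIX:-/usr/local/bro}
MONITOR_IFACE=${MONITOR_IFACE:-eth1}                   # tap/SPAN port, not the management NIC
LOCAL_NETS=${LOCAL_NETS:-"10.0.0.0/8 192.168.0.0/16"}  # space-separated CIDRs
MAIL_TO=${MAIL_TO:-root@localhost}

# node.cfg: one standalone Bro process sniffing one interface.
render_node_cfg() {
    printf '[bro]\ntype=standalone\nhost=localhost\ninterface=%s\n' "$1"
}

# networks.cfg: one CIDR per line followed by a description. Bro uses this list
# to fill local_orig/local_resp in conn.log and to scope "local" notices.
render_networks_cfg() {
    for net in "$@"; do
        printf '%s\tlocal\n' "$net"
    done
}

# Refuse an interface that does not exist; warn if it carries the default route.
check_capture_iface() {
    iface=$1
    ip link show "$iface" >/dev/null 2>&1 || { echo "no such interface: $iface" >&2; return 1; }
    mgmt=$(ip route show default 2>/dev/null |
           awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") print $(i + 1); exit }')
    [ "$iface" = "$mgmt" ] &&
        echo "warning: $iface carries the default route; is it really your tap port?" >&2
    return 0
}

deploy() {
    check_capture_iface "$MONITOR_IFACE" || return 1
    render_node_cfg "$MONITOR_IFACE" > "$PREFIX/etc/node.cfg"
    # shellcheck disable=SC2086  # word-splitting LOCAL_NETS is intended
    render_networks_cfg $LOCAL_NETS > "$PREFIX/etc/networks.cfg"
    # Edit only the MailTo line; the shipped broctl.cfg holds other settings worth keeping.
    sed -i "s|^MailTo *=.*|MailTo = $MAIL_TO|" "$PREFIX/etc/broctl.cfg"
    # "check" parses the policy scripts first, so a typo fails here rather than at start.
    "$PREFIX/bin/broctl" check   &&
    "$PREFIX/bin/broctl" install &&
    "$PREFIX/bin/broctl" start   &&
    "$PREFIX/bin/broctl" status
}

# Run as root:  sh bro-setup.sh deploy
case "${1:-}" in
    deploy) deploy ;;
esac
```

Generating node.cfg and networks.cfg from variables keeps the sensor reproducible; the MailTo edit is done with sed rather than by overwriting broctl.cfg, because that file carries the log rotation interval and other defaults the tutorial tells you to review.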
You now have Bro Network Security Monitor running on your system.
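With Bro running, its logs land under $PREFIX/logs/current/ in the tab-separated format described in the introduction. As an added example (not from the original tutorial or the Bro project) of mining them, the functions below locate columns through the #fields header line instead of hard-coding positions, skip the other # header and footer lines, treat "-" as Bro's unset marker, and can be chained to answer questions such as "which hosts are producing connections that never got a reply". The conn.log sample is constructed here with a subset of Bro 2.5's conn.log columns and invented values, so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the Bro project or the original tutorial.
# Constructed sample conn.log: header layout follows Bro 2.5, but only a subset
# of the columns is kept and every value is invented.
sample_conn_log() {
    printf '%s\n' '#separator \x09'
    printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\n'
    printf '#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring\n'
    printf '1500631915.123456\tCA1b2c3d\t10.0.0.5\t49152\t93.184.216.34\t80\ttcp\thttp\t0.5\t320\t1500\tSF\n'
    printf '1500631916.000000\tCB2c3d4e\t10.0.0.5\t49153\t93.184.216.34\t80\ttcp\thttp\t1.2\t410\t20000\tSF\n'
    printf '1500631917.250000\tCC3d4e5f\t10.0.0.6\t50000\t10.0.0.1\t53\tudp\tdns\t0.01\t60\t120\tSF\n'
    printf '1500631918.000000\tCD4e5f6a\t10.0.0.7\t40001\t10.0.0.9\t22\ttcp\t-\t-\t-\t-\tS0\n'
    printf '1500631918.100000\tCE5f6a7b\t10.0.0.7\t40002\t10.0.0.9\t445\ttcp\t-\t-\t-\t-\tS0\n'
    printf '1500631919.500000\tCF6a7b8c\t10.0.0.8\t51000\t93.184.216.34\t80\ttcp\thttp\t2.0\t600\t3000\tSF\n'
    printf '#close\t2017-07-21-10-20-00\n'
}

# Count rows per distinct value of FIELD, resolving the column from #fields.
# Usage: count_by_field FIELD < conn.log   ->  "count<TAB>value", most frequent first
count_by_field() {
    awk -F '\t' -v want="$1" '
        /^#fields/  { for (i = 2; i <= NF; i++) if ($i == want) col = i - 1; next }
        /^#/        { next }                         # other header/footer lines
        col == 0    { print "field not found: " want > "/dev/stderr"; exit 1 }
        $col == "-" { next }                         # "-" means the field is unset
        { n[$col]++ }
        END { for (v in n) printf "%d\t%s\n", n[v], v }
    ' | sort -k1,1nr -k2,2
}

# Keep only rows where FIELD equals VALUE, passing header lines through so the
# output is still a valid log that count_by_field can consume.
# Usage: filter_by_field FIELD VALUE < conn.log
filter_by_field() {
    awk -F '\t' -v want="$1" -v val="$2" '
        /^#fields/  { for (i = 2; i <= NF; i++) if ($i == want) col = i - 1; print; next }
        /^#/        { print; next }
        col == 0    { print "field not found: " want > "/dev/stderr"; exit 1 }
        $col == val { print }
    '
}

# Example queries (run them against $PREFIX/logs/current/conn.log on a live sensor):
#   sample_conn_log | count_by_field id.resp_p
#   sample_conn_log | filter_by_field conn_state S0 | count_by_field id.orig_h
```

Resolving columns from the #fields line matters because Bro scripts and later releases add or reorder columns; a query keyed on column numbers silently returns the wrong field after an upgrade. The S0 chain is a minimal scanning indicator: many connections from one source that never received a SYN-ACK.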
Congratulations! You have successfully installed the Bro Network Security Monitor. Thanks for using this tutorial for installing Bro on your Ubuntu 16.04 LTS system. For additional help or useful information, we recommend you check the official project website. Note that the Bro project was renamed Zeek in 2018 and its documentation and downloads now live at zeek.org; Bro 2.5.1 is an old release that is no longer maintained, so for a new deployment install a current Zeek release and apply the same steps.