LinuxTutorialsUbuntu

How To Install Bro Network Security Monitor on Ubuntu 16.04 LTS

Install Bro Network Security Monitor on Ubuntu 16.04 LTS

In this tutorial, we will show you how to install Bro Network Security Monitor on your Ubuntu 16.04 LTS. For those of you who didn’t know, The Bro Network Security Monitor is an open-source network monitoring framework. In a nutshell, Bro monitors packet flows over a network with a network tap installed with optional bonded network interfaces, creates high-level “flow” events from them, and stores the events as single tab-separated lines in a log file. You can then parse these log files to data-mine for information about the network traffic on the network you are monitoring. These logs include not only a comprehensive record of every connection seen on the wire, but also application-layer transcripts such as all HTTP sessions with their requested URIs, key headers, MIME types, server responses, DNS requests with replies, SSL certificates, key content of SMTP sessions, and much more.

This article assumes you have at least basic knowledge of Linux, know how to use the shell, and most importantly, you host your site on your own VPS. The installation is quite simple and assumes you are running in the root account, if not you may need to add ‘sudo‘ to the commands to get root privileges. I will show you the step-by-step installation of the Bro Network Security Monitor in Ubuntu 16.04 LTS Xenial Xerus.

Prerequisites

  • A server running one of the following operating systems: Ubuntu 16.04, and any other Debian-based distribution like Linux Mint.
  • It’s recommended that you use a fresh OS install to prevent any potential issues.
  • SSH access to the server (or just open Terminal if you’re on a desktop).
  • A non-root sudo user or access to the root user. We recommend acting as a non-root sudo user, however, as you can harm your system if you’re not careful when acting as the root.

Install Bro Network Security Monitor on Ubuntu 16.04 LTS

Step 1. First, make sure that all your system packages are up-to-date by running the following apt-get commands in the terminal.

sudo apt-get update
sudo apt-get upgrade

Step 2. Install Required Dependencies.

Install all the required dependencies, by executing the following command:

apt-get install cmake make gcc g++ flex git bison python-dev swig libpcap-dev libssl-dev zlib1g-dev

Step 3. Installing the GeoIP Database for IP Geolocation.

You will also need to install GeoIP on your system. You can install it with the following command:

wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCityv6-beta/GeoLiteCityv6.dat.gz
gzip -d GeoLiteCity.dat.gz
gzip -d GeoLiteCityv6.dat.gz

Now move the GeoIP files over to the default location /usr/share/GeoIP/, we need to rename them to match the location that Bro is expecting:

mv GeoLiteCity.dat /usr/share/GeoIP/GeoIPCity.dat
mv GeoLiteCityv6.dat /usr/share/GeoIP/GeoIPCityv6.dat

Step 4. Installing Bro Network Security Monitor.

First, download the latest version of the Bro source from their website. You can do this with the following command:

wget https://www.bro.org/downloads/bro-2.5.1.tar.gz
tar zxvf bro-2.5.1.tar.gz
cd bro-2.5.1
./configure
make 
make install

Once the Bro is installed, adjust your PATH environment with the following command:

export PATH=/usr/local/bro/bin:$PATH

Step 5. Configure Bro Network Security Monitor.

A bro is a powerful tool, to get started quickly we will follow the guide on the project page.

Edit the following files before starting:

$PREFIX/etc/node.cfg  -- configure network interface to monitor
$PREFIX/etc/networks.cfg -- configure local networks
$PREFIX/etc/broctl.cfg -- change MailTo address and the log rotation

To start the program simply enter broctl at a shell.

You are now in the broctl shell, from where you can give bro commands.

[BroControl] >

The first command to run, since this is a new installation is to run install. We will then run start:

[BroControl] > install
warning: cannot read '/opt/bro2/spool/broctl.dat' (this is ok on first run)
creating policy directories ... done.
installing site policies ... done.
generating standalone-layout.bro ... done.
generating local-networks.bro ... done.
generating broctl-config.bro ... done.
updating nodes ... done.
[BroControl] > start
starting bro ...
[BroControl] > status
Name       Type       Host       Status        Pid    Peers  Started              
bro        standalone localhost  running       23465  0      21 Jul 10:11:55

You now have Bro Network Security Monitor running on your system.

Congratulations! You have successfully installed Zeek Network Security Monitor. Thanks for using this tutorial for installing Bro Network Security Monitor on your Ubuntu 16.04 LTS system. For additional help or useful information, we recommend you check the official Bro Network Security Monitor website.

VPS Manage Service Offer
If you don’t have time to do all of this stuff, or if this is not your area of expertise, we offer a service to do “VPS Manage Service Offer”, starting from $10 (Paypal payment). Please contact us to get the best deal!

Save

r00t

r00t is an experienced Linux enthusiast and technical writer with a passion for open-source software. With years of hands-on experience in various Linux distributions, r00t has developed a deep understanding of the Linux ecosystem and its powerful tools. He holds certifications in SCE and has contributed to several open-source projects. r00t is dedicated to sharing her knowledge and expertise through well-researched and informative articles, helping others navigate the world of Linux with confidence.
Back to top button