Table of Contents
- Step 1: Update the system
- Step 2: Install dependencies
- Step 3: Install Bro IDS
- Step 4: Configure Bro IDS
- Step 5: Launch BroCtl
- Step 5: Test your installation
If you are using a different system, please check our other tutorials.
Bro is an open-source network traffic analyzer. It is primarily a security monitor that inspects all traffic on a link in depth for signs of suspicious activity. More generally, however, Bro supports a wide range of traffic analysis tasks even outside of the security domain, including performance measurements and help with troubleshooting.
Before installing Bro, you’ll need to ensure that some dependencies are in place:
- OpenSSL libraries
- BIND8 library
- Bash (for BroControl)
- Python 2.6+ or greater (for BroControl)
Sendmail is not required, but strongly recommended.
Step 1: Update the system
Before installing any packages it’s recommended to update the system packages. Run the command
dnf --assumeyes update. This will download and install latest versions of the system packages. Package manager will automatically answer yes to prompts offered. It can take some time.
Step 2: Install dependencies
You’ll need to install required packages on your system. Run the following command:
dnf --assumeyes install libpcap openssl python zlib sendmail
Step 3: Install Bro IDS
dnf install --assumeyes bro
This command will install
/bin directory. And now let’s configure it.
Step 4: Configure Bro IDS
mkdir -p /var/log/bro and
mkdir -p /var/spool
Configuring the node.cfg file
Since Fedora 2x interface naming was changed, so let’s find out current iface name:
ls /sys/class/net. Output should be similar to this one:
ens3 lo, or this one:
eth0 lo. In the first case we are interested in
ens3 interface name, in the second one —
eth0. Let’s assume that we have
Now, examine file
/etc/bro/node.cfg. Run command
less /etc/bro/node.cfg. At the line 11 there is network interface specification:
interface=eth0. If your iface name is
eth0 — let file without changes and continue to the next step. Otherwise — change it with
ens3. For that run this command:
sed -i 's/eth0/ens3'. Option
-i stands for changing the file in-place.
s will substitute value enclosed between first and second slashes to the value between second and third one.
Configuring the broctl.cfg file
Add variables to the config file:
echo "LibDirInternal = /usr/lib/python2.7/site-packages/BroControl/" >> /etc/bro/broctl.cfg
echo "SpoolDir = /var/spool" >> /etc/bro/broctl.cfg
echo "LogDir = /var/log/bro" >> /etc/bro/broctl.cfg
echo "CfgDir = /etc/bro" >> /etc/bro/broctl.cfg
Step 5: Launch BroCtl
Now we can deploy our configured node and start logging:
broctl deploy. You’ll see output like this:
cannot get list of local IP addresses checking configurations ... installing ... removing old policies in /var/spool/installed-scripts-do-not-touch/site ... removing old policies in /var/spool/installed-scripts-do-not-touch/auto ... creating policy directories ... installing site policies ... generating standalone-layout.bro ... generating local-networks.bro ... generating broctl-config.bro ... generating broctl-config.sh ... updating nodes ... stopping ... stopping bro ... starting ... starting bro ...
If you didn’t get any errors — bro is deployed.
Step 5: Test your installation
Now let’s look at the logs:
ls -la /var/log/bro.
Output should be similar to this one:
total 12 drwxr-xr-x 3 root root 4096 Jun 13 10:11 . drwxr-xr-x 1 root root 4096 Jun 13 10:04 .. drwxr-xr-x 2 root root 4096 Jun 13 10:11 2017-06-13 lrwxrwxrwx 1 root root 14 Jun 13 10:11 current -> /var/spool/bro
Run this command to tail logs:
tail -f /var/log/bro/current/conn.log and query your ip from browser.
If everything was configured correctly, you’ll see log messages.
Do you need help setting up this on your own service?
Please contact us and we’ll provide you the best possible quote!