Bro (renamed Zeek in 2018, so newer documentation and packages carry that name) is an adaptable, powerful network intrusion detection system for Linux. It runs in the background, passively analyzing traffic and writing what it sees out as structured logs; it never blocks anything itself. It is open source and widely used in the security community for its flexibility and efficiency.
To use the Bro network security tool, you’ll need a server running a Linux OS that has at least 2 GB of physical RAM.
Note: don’t have a dedicated server? Don’t worry! A desktop computer running Ubuntu with at least 2 GB of RAM and reasonably modern hardware will do, as long as it stays on all the time and is attached where it can actually see the traffic you want to monitor (a switch mirror/SPAN port or a tap; an ordinary switch port only shows the machine its own traffic).
During the installation portion of the tutorial, we’ll go over how to set up the Bro security suite on Ubuntu Server, as that’s what most people use for their server needs. With that said, the installation instructions aren’t specific to Ubuntu, and the Bro tool can run on nearly any Linux server OS, and the developer has instructions for all major distributions.
Set up GeoIP database
Bro can enrich its logs with the geographic location of IP addresses (the lookup_location function and the scripts built on it). This is optional, but the walkthrough sets it up before installing Bro itself: using the wget tool, download the IPv4 and IPv6 GeoIP database files to Ubuntu.
Note: MaxMind discontinued these legacy GeoLite .dat downloads in January 2019, and current Zeek releases read the GeoLite2 .mmdb format through libmaxminddb instead, which requires a free MaxMind account to download. If the wget commands below fail, skip this section; Bro still runs, just without the geolocation fields.
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCityv6-beta/GeoLiteCityv6.dat.gz
Extract the GeoIP GZ archives with the gzip command.
gzip -d GeoLiteCity.dat.gz
gzip -d GeoLiteCityv6.dat.gz
Put the GeoIP database files in the /usr/share/GeoIP/ folder on Ubuntu using the mv command.
sudo mv GeoLiteCity.dat /usr/share/GeoIP/GeoIPCity.dat
sudo mv GeoLiteCityv6.dat /usr/share/GeoIP/GeoIPCityv6.dat
Because this walkthrough uses the Ubuntu packages, Bro’s configuration lands in /etc/bro and its binaries in /usr/bin; the /opt/bro prefix you will see in the official documentation applies only to builds from source, so there is no directory to create by hand.
Installation starts by enabling the Ubuntu Universe software repository.
sudo add-apt-repository universe
Next, update Ubuntu’s package index with update.
sudo apt update
Using the Apt package manager, install Bro, and all of its related packages from the Ubuntu Universe repo.
sudo apt install bro bro-aux bro-common bro-pkg broctl
To use the Bro network security tool, you’ll need to tell it which network card to capture on. By default, node.cfg points Bro at eth0. Current Ubuntu releases use predictable interface names such as enp3s0 or ens160, so this is unlikely to be correct and you must change it by editing the node.cfg file. Ideally the capture interface is a dedicated one fed by a switch mirror (SPAN) port or a tap, with no IP address of its own, rather than the management interface: Bro puts it into promiscuous mode and needs to see both directions of every connection to analyze it properly.
Note: If you’re unsure of what your network interface is, it’s easy to find by running the ip link command.
sudo nano /etc/bro/node.cfg
Then, press Ctrl + W to start the search function in Nano. Once the search box is open, write “interface=eth0” and press Enter on the keyboard to jump straight to the network interface line of the config file.
Replace “eth0” with your network interface, save the configuration file by pressing Ctrl + O, and leave Nano with Ctrl + X.
Set IP range
Now that the network interface is set, tell Bro which address ranges count as your local networks. This is what fills the local_orig and local_resp fields in conn.log and lets Bro’s scripts tell internal hosts from external ones. Open up the /etc/bro/networks.cfg file in the Nano text editor.
sudo nano /etc/bro/networks.cfg
The file ships with example entries. Replace them with the CIDR ranges of the networks you are monitoring (not the single IP address of the capture interface), one per line, each followed by whitespace and an optional description, for example 192.168.1.0/24 followed by Home LAN. The RFC 1918 ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 are the usual starting point on a private network.
When the ranges are set, save the configuration in Nano by pressing Ctrl + O and exit with Ctrl + X.
Set default Email address for Bro
BroControl can email status reports and any notices flagged for email, but only once the recipient is set. To set it, open /etc/bro/broctl.cfg in Nano.
sudo nano /etc/bro/broctl.cfg
Once in Nano, press Ctrl + W and enter “MailTo” to jump to the email line of the file. Then replace the default address with a valid email address for Bro to use, save with Ctrl + O and exit with Ctrl + X. Mail is handed to the program named by the SendMail option in the same file (sendmail by default), so the server also needs a working local mail transfer agent for anything to actually arrive.
Start up Bro
A few BroControl steps remain before Bro will run. Launch a terminal window and run the command below to open the program’s management shell.
sudo broctl
Once in the shell, run the check command first; it validates the configuration and reports script errors without touching anything:
check
Then run the install command, which generates Bro’s working configuration from the files you edited above and copies it into place:
install
After running the install command, start up the service with:
start
Confirm the node is running with status, then exit the shell by running exit. Whenever you change node.cfg, networks.cfg or broctl.cfg later, the single command deploy (check, install and restart in one step) applies the change.
Need to turn off Bro? Log into the broctl shell and run:
stop
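To put the configuration step into a repeatable form, here is an added example that is not code from this article or from the Bro project. It makes the same three edits non-interactively (the interface in node.cfg, the CIDR ranges in networks.cfg, MailTo in broctl.cfg) and then deploys. It assumes the Ubuntu package layout (/etc/bro, broctl on PATH), the single standalone node shipped in the packaged node.cfg, GNU sed/awk and iproute2; the interface name, mail address and ranges in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the article or the Bro project: script the three
# config edits from the walkthrough and deploy them with broctl.
# Assumptions: Ubuntu package layout (/etc/bro, broctl on PATH), the single
# standalone node in the packaged node.cfg, GNU sed/awk, iproute2.

BRO_ETC=${BRO_ETC:-/etc/bro}

# First non-loopback interface that is UP, as "ip link" would show it.
# Only a guess: a dedicated SPAN/tap interface should be passed explicitly.
detect_iface() {
    ip -o link show up 2>/dev/null |
        awk -F': ' '$2 != "lo" { sub(/@.*/, "", $2); print $2; exit }'
}

# Rewrite every "interface=..." line in node.cfg (one for standalone, one per
# worker in a cluster). Goes through a temp file so a failed sed cannot leave
# a truncated config behind.
set_interface() {   # $1 = node.cfg, $2 = interface name
    sed "s/^interface=.*/interface=$2/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# networks.cfg lists the CIDR ranges Bro treats as local, one per line with an
# optional description. Validate every argument before touching the file: a
# bare host address here is a common mistake and Bro would not load it.
write_networks() {  # $1 = networks.cfg, $2.. = CIDR ranges
    f=$1; shift
    for net in "$@"; do
        case $net in
            */*) ;;
            *) printf 'write_networks: %s is not CIDR (prefix/length)\n' "$net" >&2
               return 1 ;;
        esac
    done
    : > "$f"
    for net in "$@"; do
        printf '%s\tmonitored local network\n' "$net" >> "$f"
    done
}

# Set MailTo in broctl.cfg, replacing an existing line or appending one.
# Mail still goes out through the binary named by the SendMail option, so a
# working local MTA is required for anything to arrive.
set_mailto() {      # $1 = broctl.cfg, $2 = address
    if grep -q '^MailTo' "$1"; then
        sed "s/^MailTo *=.*/MailTo = $2/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    else
        printf 'MailTo = %s\n' "$2" >> "$1"
    fi
}

# Apply all three edits, then "broctl deploy" (check + install + restart) and
# show node state. Run as root after the apt install, e.g.
#   apply_all enp3s0 ids-alerts@example.com 10.0.0.0/8 192.168.0.0/16
# Pass "" as the interface to fall back to detect_iface.
apply_all() {       # $1 = interface, $2 = mail address, $3.. = CIDR ranges
    iface=$1; mail=$2; shift 2
    [ -n "$iface" ] || iface=$(detect_iface)
    [ -n "$iface" ] || { echo 'apply_all: no capture interface found' >&2; return 1; }
    set_interface "$BRO_ETC/node.cfg" "$iface" &&
    write_networks "$BRO_ETC/networks.cfg" "$@" &&
    set_mailto "$BRO_ETC/broctl.cfg" "$mail" &&
    broctl deploy && broctl status
}
```

The functions are deliberately separate from apply_all so each can be pointed at a copy of the config files first (set BRO_ETC to a scratch directory) and diffed against the originals before anything touches /etc/bro.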
After a long, tedious setup process, the Bro security system is up and running on your Ubuntu server. Leave it in the background and it records everything it sees, not only intrusions, as tab-separated logs under /var/log/bro: one file per protocol (conn.log for every connection, plus dns.log, http.log, ssl.log and so on) and notice.log for the events Bro’s scripts consider worth flagging. The live files sit in /var/log/bro/current and are rotated into dated directories (hourly by default) and gzip-compressed; every file begins with a #fields header naming its columns, and bro-cut from the bro-aux package selects columns by those names.
If you’d like to watch its monitoring in real time, enter the following tail command.
tail -f /var/log/bro/current/conn.log
Alternatively, to view security notices, do:
tail -f /var/log/bro/current/notice.log
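As an added example, not part of this article or of Bro’s own tooling, the following shell function does a first triage pass over conn.log with nothing but awk, using the same column-by-name lookup that bro-cut performs: it counts, per source address, how many distinct TCP destination ports got no reply at all (conn_state S0) and reports sources above a threshold, a rough port-scan indicator. The sample log it runs on is constructed for the example, with made-up addresses, UIDs and timestamps; on a live system you would feed it /var/log/bro/current/conn.log instead.

```shell
#!/bin/sh
# Added example, not from the article or the Bro project: triage a conn.log
# with awk only. Column positions come from the "#fields" header the way
# bro-cut does, so the function is not tied to one Bro version's field order.
# Heuristic: a TCP source whose connections to many distinct ports all end in
# conn_state S0 (SYN sent, nothing came back) is a likely port scanner.

# Join arguments with tabs into one log line (IFS change stays in the subshell).
row() (
    IFS=$(printf '\t')
    printf '%s\n' "$*"
)

# Constructed sample conn.log: the header Bro writes, then made-up records.
# 10.0.0.5 probes 192.168.1.10 on five ports (22 twice) and gets no answer;
# 10.0.0.7 has one completed HTTPS session and one unanswered DNS query (UDP).
sample_conn_log() {
    printf '#separator \\x09\n#set_separator\t,\n#empty_field\t(empty)\n#unset_field\t-\n#path\tconn\n'
    row '#fields' ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service \
        duration orig_bytes resp_bytes conn_state local_orig local_resp \
        missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
    row 1546300800.000001 CXWv6p3arKYeMETxOg 10.0.0.5 40001 192.168.1.10 22 tcp - - 0 0 S0 T T 0 S 1 44 0 0 '(empty)'
    row 1546300800.100002 C4J4Th3PJpwUYZZ6gc 10.0.0.5 40002 192.168.1.10 22 tcp - - 0 0 S0 T T 0 S 1 44 0 0 '(empty)'
    row 1546300800.200003 CtPZjS20MLrsMUOJi2 10.0.0.5 40003 192.168.1.10 23 tcp - - 0 0 S0 T T 0 S 1 44 0 0 '(empty)'
    row 1546300800.300004 CUM0KZ3MLUfNB0cl11 10.0.0.5 40004 192.168.1.10 80 tcp - - 0 0 S0 T T 0 S 1 44 0 0 '(empty)'
    row 1546300800.400005 CmES5u32sYpV7JYNb8 10.0.0.5 40005 192.168.1.10 443 tcp - - 0 0 S0 T T 0 S 1 44 0 0 '(empty)'
    row 1546300800.500006 CP5puj4I8PtEU4qzYg 10.0.0.5 40006 192.168.1.10 3389 tcp - - 0 0 S0 T T 0 S 1 44 0 0 '(empty)'
    row 1546300801.000007 CjhGID4nQcgTWjvg4c 10.0.0.7 51234 93.184.216.34 443 tcp ssl 1.253 1200 5400 SF T F 0 ShADadFf 12 1800 10 5900 '(empty)'
    row 1546300801.500008 CsRx2w4RTFXL0gX1pb 10.0.0.7 53001 10.0.0.1 53 udp dns 0.021 45 0 S0 T T 0 D 1 73 0 0 '(empty)'
}

# Print "source_ip distinct_unanswered_ports" for every source at or above the
# threshold in $1 (default 20). Reads conn.log on stdin; sorted for stable output.
scan_candidates() {
    awk -F'\t' -v min="${1:-20}" '
        /^#fields/ {                      # map column names to positions
            for (i = 2; i <= NF; i++) col[$i] = i - 1
            oh = col["id.orig_h"]; rp = col["id.resp_p"]
            pr = col["proto"];     cs = col["conn_state"]
            next
        }
        /^#/ { next }                     # other header lines and the #close footer
        oh && $pr == "tcp" && $cs == "S0" {
            key = $oh SUBSEP $rp          # count each (source, port) pair once
            if (!(key in seen)) { seen[key] = 1; ports[$oh]++ }
        }
        END { for (h in ports) if (ports[h] >= min) print h, ports[h] }
    ' | sort
}

# Demo on the constructed sample; on a live box use
#   scan_candidates 20 < /var/log/bro/current/conn.log
sample_conn_log | scan_candidates 4
```

Run it against the live log with scan_candidates 20 < /var/log/bro/current/conn.log, or zcat a rotated conn log from one of the dated directories into it. The threshold is the only tunable. The filter deliberately ignores UDP, where an unanswered packet is normal for DNS, and it will miss scans that complete the handshake (SF or RSTO states); Bro’s bundled scan detection policy covers those and writes its findings to notice.log.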