Reserve the NVIDIA GH200 Grace Hopper™ Superchip at Vultr today.
This article is outdated and may not work correctly for current operating systems or software.
Bro is a powerful open-source network analysis framework. Bro's primary focus is on network security monitoring. Bro also provides a platform for general traffic analysis as well as trouble-shooting assistance and performance measurements. It offers extensive log files that include a vast array of data in well-structured log files suitable for post-processing with external applications. These logs include:
All HTTP sessions with their requested URLs, key headers, MIME types and server responses.
DNS requests with replies.
Key content of SMTP sessions.
Bro also offer a range of analysis and detection tasks such as:
Extracting files from HTTP sessions.
Detecting SSH brute-force attacks.
Detecting malware by interfacing with external registries.
Reporting vulnerable versions of software seen on the network.
Detect SQL injection attacks.
Bro can be installed as a standalone system or as part of a Bro Cluster which links a set of systems to jointly analyze the traffic of a network. In this tutorial we will be installing Bro from source in standalone mode.
An Ubuntu 16.04 instance with at least 1 GB of memory.
A non-root sudo user.
Before beginning our installation, it is recommended that you update your system.
sudo apt-get update sudo apt-get upgrade
Next we will need to install all the required packages onto your server.
sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev sendmail sendmail-bin
Next we will install Bro 2.5.2 from source. Visit Bro's download page to ensure you are using the latest build.
sudo mkdir -p /nsm/bro cd ~ wget https://www.bro.org/downloads/bro-2.5.2.tar.gz tar -xvzf bro-2.5.2.tar.gz cd bro-2.5.2 ./configure --prefix=/nsm/bro make sudo make install export PATH=/nsm/bro/bin:$PATH
First we will tell Bro which interface we would like to monitor. This is done be editing the configuration file
sudo nano /nsm/bro/etc/node.cfg
Find the line
interface=eth0 and change it to your interface.
You can find which interface you are using with the following.
Next we will need to tell Bro where to send the log email by adding your email address to
sudo nano /nsm/bro/etc/broctl.cfg
MailTo line and add your email address.
MailTo = email@example.com
Bro is started using
BroControl, which we will need to install.
sudo /nsm/bro/bin/broctl install exit
Now you can start Bro.
sudo /nsm/bro/bin/broctl deploy
Next we will set Bro to run on startup by adding it to
sudo nano /etc /rc.local
Add the following line, then close and save the file.
Next we will add a cron job.
Add the following to maintain Bro.
0-59/5 * * * * /nsm/bro/bin/broctl cron
To test Bro, we will view the
conn.log file in real time using
tail -f /nsm/bro/logs/current/conn.log
You will be able to see the output from Bro as it is printed to your terminal.