Installing Bro IDS on Ubuntu 16.04

Last Updated: Fri, Mar 9, 2018
Archived content

This article is outdated and may not work correctly for current operating systems or software.


Bro is a powerful open-source network analysis framework whose primary focus is network security monitoring. It also provides a platform for general traffic analysis, troubleshooting assistance and performance measurements. It writes extensive, well-structured log files that are suitable for post-processing with external applications. These logs include:

  • All HTTP sessions with their requested URLs, key headers, MIME types and server responses.

  • DNS requests with replies.

  • Key content of SMTP sessions.

  • SSL certificates.

Bro also offers a range of analysis and detection tasks such as:

  • Extracting files from HTTP sessions.

  • Detecting SSH brute-force attacks.

  • Detecting malware by interfacing with external registries.

  • Reporting vulnerable versions of software seen on the network.

  • Detecting SQL injection attacks.

Bro can be installed as a standalone system or as part of a Bro Cluster which links a set of systems to jointly analyze the traffic of a network. In this tutorial we will be installing Bro from source in standalone mode.


  • An Ubuntu 16.04 instance with at least 1 GB of memory.

  • A non-root sudo user.

Step 1: Update System

Before beginning our installation, it is recommended that you update your system.

sudo apt-get update

sudo apt-get upgrade

Step 2: Install Dependencies

Next we will need to install all the required packages onto your server.

sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev sendmail sendmail-bin

Step 3: Install Bro

Next we will install Bro 2.5.2 from source. Visit Bro's download page to ensure you are using the latest build.

sudo mkdir -p /nsm/bro

cd ~


tar -xvzf bro-2.5.2.tar.gz

cd bro-2.5.2

./configure --prefix=/nsm/bro


sudo make install

export PATH=/nsm/bro/bin:$PATH

Step 4: Configure Bro

First we will tell Bro which interface we would like to monitor. This is done by editing the configuration file /nsm/bro/etc/node.cfg.

sudo nano /nsm/bro/etc/node.cfg

Find the line interface=eth0 and change it to your interface.


You can find which interface you are using with the following.


Next we will need to tell Bro where to send the log email by adding your email address to /nsm/bro/etc/broctl.cfg.

sudo nano /nsm/bro/etc/broctl.cfg

Find the MailTo line and add your email address.

MailTo =

Step 5: Launch Bro

Bro is started using BroControl, which we will need to install.

sudo /nsm/bro/bin/broctl



Now you can start Bro.

sudo /nsm/bro/bin/broctl deploy

Next we will set Bro to run on startup by adding it to /etc/rc.local.

sudo nano /etc/rc.local

Add the following line, then close and save the file.

/nsm/bro/bin/broctl start

Next we will add a cron job.

crontab -e

Add the following to maintain Bro.

0-59/5 * * * * /nsm/bro/bin/broctl cron

Step 6: Testing Bro

To test Bro, we will view the conn.log file in real time using tail.

tail -f /nsm/bro/logs/current/conn.log

You will be able to see the output from Bro as it is printed to your terminal.
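
Once conn.log is filling, it can also be post-processed from the shell. The following is an added example, not part of the original tutorial: it reads the `#fields` header of a Bro tab-separated log to locate columns by name, then lists originators whose connection attempts got no reply (`S0`) or were rejected (`REJ`). The sample log, addresses and function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample with a reduced column set; a real conn.log has more
# fields, but its "#fields" header names them in the same way.
sample_conn_log() {
    printf '#separator \\x09\n#path\tconn\n'
    printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state\n'
    printf '1520600000.1\tC1\t192.0.2.10\t40000\t198.51.100.5\t22\ttcp\tS0\n'
    printf '1520600000.2\tC2\t192.0.2.10\t40001\t198.51.100.5\t23\ttcp\tS0\n'
    printf '1520600000.3\tC3\t192.0.2.10\t40002\t198.51.100.5\t80\ttcp\tS0\n'
    printf '1520600000.4\tC4\t192.0.2.10\t40003\t198.51.100.5\t443\ttcp\tSF\n'
    printf '1520600001.0\tC5\t192.0.2.20\t50000\t198.51.100.5\t22\ttcp\tREJ\n'
    printf '1520600002.0\tC6\t192.0.2.20\t50001\t198.51.100.5\t22\ttcp\tREJ\n'
    printf '1520600003.0\tC7\t192.0.2.30\t60000\t198.51.100.5\t80\ttcp\tSF\n'
    printf '#close\t2018-03-09-13-00-00\n'
}

# failed_by_origin [file...]: per originator, count connections that never
# completed and the distinct responder host:port pairs they were aimed at.
# Output columns: orig_h <TAB> failed_connections <TAB> distinct_targets
failed_by_origin() {
    awk -F '\t' '
        $1 == "#fields" {              # header: map column name to position
            for (i = 2; i <= NF; i++) col[$i] = i - 1
            next
        }
        /^#/ { next }                  # skip the remaining header/footer lines
        !("conn_state" in col) { next }  # ignore data seen before a header
        {
            state = $(col["conn_state"])
            if (state != "S0" && state != "REJ") next
            o = $(col["id.orig_h"])
            failed[o]++
            key = o SUBSEP $(col["id.resp_h"]) SUBSEP $(col["id.resp_p"])
            if (!(key in seen)) { seen[key] = 1; targets[o]++ }
        }
        END {
            for (o in failed) printf "%s\t%d\t%d\n", o, failed[o], targets[o]
        }
    ' "$@" | sort -t "$(printf '\t')" -k2,2nr
}

# On the installed system: failed_by_origin /nsm/bro/logs/current/conn.log
sample_conn_log | failed_by_origin
```

An originator with many failed attempts spread over many distinct targets is worth a closer look; repeated failures against a single port more often point to a service that is down.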
