Installing Bro Network Security Monitor

This is the first of a two-part series. In part two I'll demonstrate how to use Bro, along with some use cases.

Installation:

This installation was done on Debian. Use the appropriate package manager for your Linux distribution to install the following packages.

sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev

sudo apt-get install libgeoip-dev

wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
gunzip GeoLiteCity.dat.gz

sudo mv /home/<username>/GeoLiteCity.dat /usr/share/GeoIP/GeoIPCity.dat

wget https://www.bro.org/downloads/release/bro-2.4.1.tar.gz

tar zxvf bro-2.4.1.tar.gz

cd bro-2.4.1

sudo ./configure --prefix=/opt/bro2

make

make install

export PATH=/opt/bro2/bin:$PATH

nano ~/.profile (add the following line so the PATH change survives a new login)
    PATH=/opt/bro2/bin:$PATH

  • In /opt/bro2/etc/node.cfg, set the right interface to monitor.
  • In /opt/bro2/etc/networks.cfg, comment out the default settings and add the networks that Bro will consider local to the monitored environment.
  • In /opt/bro2/etc/broctl.cfg, change the MailTo email address to a desired recipient and the LogRotationInterval to a desired log archival frequency.

Launch the BroControl shell and, at its prompt, run install (once, and again after any configuration change), then start and stop to control the monitor:

broctl
    [BroControl] > install
    [BroControl] > start
    [BroControl] > stop

Usage:

bro -C -r pcap.pcap    (-r reads packets from a capture file; -C ignores invalid IP/TCP/UDP checksums, which are common in captures taken with checksum offloading enabled)

Stay tuned for more Bro goodness!