Official Power Up Hosting Blog

How to Install Bro on Ubuntu 16.04 (Network Monitoring)

Selvakumar

Introduction

Bro is open source software for network analysis and security monitoring.

Bro brings the best features of both OSSEC and OSQuery together in a single package.

Bro can do both signature-based and behavior-based analysis; most of the time it does the latter. Here is a list of what Bro can do.

  • Detects brute-force attacks on both SSH and FTP connections.

  • Monitors HTTP traffic.

  • Detects changes made to software seen on the network.

  • Detects SQL injection attempts.

  • Performs SSL/TLS verification.

  • Monitors file integrity.

  • Sends summaries, activity reports and crash reports by email.

  • Identifies an IP address's geographic location (city).

  • Operates in both stand-alone and distributed mode.

Bro can be installed in two ways: from the distribution's package manager or from source.

Installing from source is recommended because it supports geolocation of IP addresses.

Once Bro is installed, the broctl and bro commands become available on the server.

Bro can analyze two kinds of input:

- Trace files (captured packets)
- Live traffic

The broctl command manages a stand-alone or distributed Bro installation.

Prerequisites

  • An Ubuntu 16.04 server configured according to the initial server setup guide.

  • At least 1 GB of RAM.

  • Postfix installed as a send-only mail transfer agent. Bro needs it to send alert and report emails.

Installing the Dependencies

Before installing Bro, we need to install the additional dependencies it requires.

First, update the package index. Skipping this step can lead to package manager errors.

$ sudo apt-get update

Here is the list of dependencies required by Bro.

  • Libpcap
  • OpenSSL
  • BIND 8
  • CMake
  • SWIG
  • Bison
  • C/C++ compiler

BroControl needs Python 2.6 or later; since we are building Bro from scratch, install it along with the other build dependencies.

$ sudo apt-get install bison cmake flex g++ gdb make libmagic-dev libpcap-dev libgeoip-dev libssl-dev python-dev swig2.0 zlib1g-dev

The next task is to download the database that Bro uses for geolocation.

GeoIP Database

We are going to download two GeoIP data files from MaxMind: one covering IPv4 addresses and the other IPv6 addresses. After that we will move the downloaded files into the /usr/share/GeoIP directory.

Here are the commands for downloading both the IPv4 and IPv6 databases.

$ wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
$ wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCityv6-beta/GeoLiteCityv6.dat.gz

Decompress them; you will get the files GeoLiteCity.dat and GeoLiteCityv6.dat.

$ gzip -d GeoLiteCity.dat.gz
$ gzip -d GeoLiteCityv6.dat.gz

After that, move them into the GeoIP directory under the names Bro expects, using the commands below.

$ sudo mv GeoLiteCity.dat /usr/share/GeoIP/GeoIPCity.dat
$ sudo mv GeoLiteCityv6.dat /usr/share/GeoIP/GeoIPCityv6.dat

Now that we have the GeoIP databases, our next task is installing Bro.

Installing Bro (From Source)

Bro's source code is obtained by cloning its git repository (the git client must be available on the server). The clone is placed in a directory named bro.

$ git clone --recursive git://git.bro.org/bro

Now change to the Bro directory.

$ cd bro

After that, run the configure script.

$ ./configure

Then use make to build the program. This takes a long time depending on the hardware; expect at least 20 minutes.

$ make

Once the build completes, install Bro with the command below.

$ sudo make install

Bro is installed under the /usr/local/bro directory.

After that, you need to add /usr/local/bro/bin to the PATH so the commands are available. We will do this with a file in /etc/profile.d, which we will call 3rd-party.sh.

Open 3rd-party.sh with the nano editor.

$ sudo nano /etc/profile.d/3rd-party.sh

Add the line below to the file. It appends /usr/local/bro/bin to the PATH of every user on the system.

/etc/profile.d/3rd-party.sh
# Expand PATH to include the path to Bro's binaries
export PATH=$PATH:/usr/local/bro/bin

After that, save and close the file. Use the command below to apply the change to your current shell.

$ source /etc/profile.d/3rd-party.sh

Now Bro is installed, and we have to make some changes to its configuration files.

Configuring Bro

We have to customize a few files to ensure that Bro works properly. All of them are located in /usr/local/bro/etc.

Here are the files we are going to change:

  • node.cfg: configures which node(s) Bro monitors.

  • networks.cfg: a list of networks in CIDR notation that are local to the node.

  • broctl.cfg: the BroControl configuration file for email, logging and other settings.

We are going to make a few changes in each of these files.

Configuring node.cfg

Since we installed Bro in stand-alone mode, this file normally needs no changes, but it is still worth checking.

Open the configuration file using the nano editor.

$ sudo nano /usr/local/bro/etc/node.cfg

Check the interface in the file. By default it is eth0. It should match your Ubuntu 16.04 server's public interface; if it does not, update it so that the two match.

/usr/local/bro/etc/node.cfg
[bro]
type=standalone
host=localhost
interface=eth0

Then save and close the file. Next, we have to configure the private networks.

Configuring the Node's Private Networks

To configure the private networks, open the networks.cfg file. Here you will configure the IP networks of the node.

First, open the file.

$ sudo nano /usr/local/bro/etc/networks.cfg

The file ships with default entries, which you can delete. By default, three private IP blocks are configured:

/usr/local/bro/etc/networks.cfg
# List of local networks in CIDR notation, optionally followed by a
# descriptive tag.
# For example, "10.0.0.0/8" or "fe80::/64" are valid prefixes.

10.0.0.0/8          Private IP space
172.16.0.0/12       Private IP space
192.168.0.0/16      Private IP space

Find your own network addresses and add them as in the example below. The first prefix is an RFC 5737 documentation range used here as a placeholder (the original had an invalid octet); replace both entries with your server's actual networks.

Example /usr/local/bro/etc/networks.cfg
203.0.113.0/24          Public IP space
198.61.82.0/24          Private IP space

Then, save and close the files.

Configuration of Mail and Logging Settings

BroControl is responsible for sending Bro's email and managing its logging. You don't need to change the defaults here; all you need to do is set the target email address.

Open the configuration file for editing.

$ sudo nano /usr/local/bro/etc/broctl.cfg

In that file, look for the # Mail Options section, where you will find a parameter called MailTo. This is where you specify the recipient address. After the change, the section looks like this.

/usr/local/bro/etc/broctl.cfg
. . .
# Mail Options

# Recipient address for all emails sent out by Bro and BroControl.
MailTo = selva@mydomain.com
. . .

Then save and close the file.
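Before running broctl deploy, it is worth checking the three files edited above mechanically: an invalid prefix in networks.cfg, an interface name in node.cfg that does not exist on the host, or a SendMail path in broctl.cfg that is not executable will each surface only as a confusing error later. The bash script below is an added example, not part of Bro or BroControl and not from the original post; the function names are mine, and every check takes an optional path (defaulting to the tutorial's /usr/local/bro/etc and to /sys/class/net for the interface list) so it can be run against test copies.

```bash
#!/usr/bin/env bash
# Added example: pre-deploy sanity checks for the stand-alone configuration
# described above. This is not part of Bro or BroControl; the function names
# are mine. Every check takes an optional path so it can be run on test copies.
set -u

# valid_cidr PREFIX
# Succeeds for an IPv4 prefix a.b.c.d/n (octets 0-255, n <= 32) or an
# IPv6-looking prefix (contains ':') with a length <= 128. Full IPv6 address
# syntax checking is out of scope for this example.
valid_cidr() {
    local prefix="$1" addr len o
    case "$prefix" in
        *:*/*)
            len="${prefix##*/}"
            [[ "$len" =~ ^[0-9]+$ ]] && (( 10#$len <= 128 ))
            ;;
        */*)
            addr="${prefix%/*}"
            len="${prefix##*/}"
            [[ "$len" =~ ^[0-9]+$ ]] && (( 10#$len <= 32 )) || return 1
            [[ "$addr" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]] || return 1
            local IFS=.
            for o in $addr; do
                # 10# forces decimal so an octet like "08" is not parsed as octal
                (( 10#$o <= 255 )) || return 1
            done
            ;;
        *)
            return 1
            ;;
    esac
}

# check_networks_cfg [FILE]
# Reports every non-comment line of networks.cfg whose first field is not a
# valid prefix. The descriptive tag after the prefix is optional.
check_networks_cfg() {
    local file="${1:-/usr/local/bro/etc/networks.cfg}" line prefix tag lineno=0 bad=0
    local skip_re='^[[:space:]]*(#|$)'    # blank lines and comments
    while IFS= read -r line || [[ -n "$line" ]]; do
        lineno=$((lineno + 1))
        [[ "$line" =~ $skip_re ]] && continue
        read -r prefix tag <<<"$line"
        if ! valid_cidr "$prefix"; then
            printf '%s:%d: invalid prefix "%s"\n' "$file" "$lineno" "$prefix" >&2
            bad=$((bad + 1))
        fi
    done <"$file"
    (( bad == 0 ))
}

# check_node_interface [FILE] [NETDIR]
# Succeeds if the interface= value in node.cfg names a directory under NETDIR
# (default /sys/class/net, where Linux lists the host's interfaces).
check_node_interface() {
    local file="${1:-/usr/local/bro/etc/node.cfg}" netdir="${2:-/sys/class/net}" iface
    iface=$(sed -n 's/^[[:space:]]*interface[[:space:]]*=[[:space:]]*//p' "$file" | head -n1)
    [[ -n "$iface" && -d "$netdir/$iface" ]]
}

# check_sendmail [FILE]
# Succeeds if broctl.cfg sets SendMail to an executable, which is what the
# "SENDMAIL-NOTFOUND" error from broctl deploy complains about.
check_sendmail() {
    local file="${1:-/usr/local/bro/etc/broctl.cfg}" path
    path=$(sed -n 's/^[[:space:]]*SendMail[[:space:]]*=[[:space:]]*//p' "$file" | tail -n1)
    [[ -n "$path" && -x "$path" ]]
}

# preflight [ETCDIR] [NETDIR]
# Runs all three checks; returns non-zero if any of them failed.
preflight() {
    local etc="${1:-/usr/local/bro/etc}" netdir="${2:-/sys/class/net}" failed=0
    check_networks_cfg "$etc/networks.cfg" || failed=$((failed + 1))
    check_node_interface "$etc/node.cfg" "$netdir" ||
        { echo "node.cfg: interface not found on this host" >&2; failed=$((failed + 1)); }
    check_sendmail "$etc/broctl.cfg" ||
        { echo "broctl.cfg: SendMail unset or not executable" >&2; failed=$((failed + 1)); }
    (( failed == 0 ))
}
```

Run preflight with no arguments on the server (as root or with sudo, since /usr/local/bro/etc is root-owned) and fix anything it reports before deploying; the networks.cfg check in particular catches octets above 255, which Bro would otherwise reject at startup.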

Manage the Bro with Bro Control

BroControl is used to install, start and stop Bro, and it performs other management tasks as well. It is both a command line tool and an interactive shell.

To start the interactive shell, invoke broctl with sudo /usr/local/bro/bin/broctl.

Output
Welcome to BroControl 1.5-21

Type "help" for help.

[BroControl] >

To exit the interactive shell, use the exit command.

You can run BroControl commands in two ways: directly from the command line, or from the interactive shell. Running them from the command line is more useful, since it lets you pipe the output of broctl into standard Linux commands.

We will invoke broctl from the command line for the rest of the steps.

To start Bro, use the deploy command.

$ sudo /usr/local/bro/bin/broctl deploy

You must run this command whenever you change the scripts or configuration files.

If Bro is not running, you will get the following output. You will get it even if you have the MTA installed, because BroControl does not yet know where the sendmail binary is.

Output
bro not running (was crashed)
Error: error occurred while trying to send mail: sendmail: SENDMAIL-NOTFOUND not found
starting ...
starting bro ...

You can solve this by editing the BroControl configuration file at /usr/local/bro/etc/broctl.cfg. Add the line SendMail = /usr/sbin/sendmail at the end of the Mail Options section.

/usr/local/bro/etc/broctl.cfg
. . .
# Added for Sendmail
SendMail = /usr/sbin/sendmail

###############################################
# Logging Options
. . .

After that, redeploy Bro using the command below.

$ sudo /usr/local/bro/bin/broctl deploy

You will get the following output.

Output
Name         Type       Host          Status    Pid    Started
bro          standalone localhost     running   6807   12 Apr 05:42:50

The Status column shows one of running, crashed or stopped.

To restart Bro, use the command below.

$ sudo /usr/local/bro/bin/broctl restart

One important thing to note: broctl restart and broctl deploy are not the same command. restart only restarts the running instance, whereas deploy is the command that picks up changes to the scripts and configuration files.

Our next step is to create a cron job for the Bro service.

Configuring Cron Job for Bro

Bro does not ship with a systemd service file.

It does, however, come with a cron script. That script restarts Bro if it has crashed, checks for sufficient disk space and removes old log files.

This is available out of the box as the broctl cron command; all that is needed is a cron entry to trigger it.

First, create a cron file in /etc/cron.d. Open it with the nano editor.

$ sudo nano /etc/cron.d/bro

This cron job runs every 5 minutes. If it finds that Bro has crashed, it restarts it.

Copy and paste the following line.

/etc/cron.d/bro
*/5 * * * * root /usr/local/bro/bin/broctl cron

The */5 is the interval in minutes; you can change it as you like.

After that, save and close the file.

Once the cron job is active, you will receive an email saying that a directory for the stats file has been created at /usr/local/bro/logs/stats.

This only works when Bro has actually crashed. It will not restart Bro if you stopped it with BroControl's stop command.

To test whether it works, either reboot the server or kill one of the Bro processes.

If you reboot the server, Bro will start within 5 minutes of the boot completing.

For the other method, instead of rebooting, first find the ID of one of Bro's processes.

$ ps aux | grep bro

Then kill that process.

$ sudo kill -9 process_id

After that, check the status.

$ sudo /usr/local/bro/bin/broctl status

The output will show that it has crashed.

Output
Name         Type       Host          Status    Pid    Started
bro          standalone localhost     crashed

Once Bro is running, you will also start receiving hourly emails about the activity on the interface.

If it crashes and is restarted, you will receive an email notification that it was restarted after a crash.

Next, I am going to show you Bro's utilities.

Bro, Bro-cut, and Bro policy scripts

bro and bro-cut are two of Bro's components. bro monitors live traffic and analyzes trace files; bro-cut helps you extract specific fields from Bro's logs.

To capture live traffic with bro, use the command below.

$ sudo /usr/local/bro/bin/bro -i eth0 file

The -i option names the interface to capture from. Here file stands for one or more policy scripts, which define what Bro processes.

You don't have to specify any scripts, in which case the command looks like this.

$ sudo /usr/local/bro/bin/bro -i eth0

/usr/local/bro/share/bro : the scripts Bro requires to function are stored here.

/usr/local/bro/share/bro/site/ : contains site-specific scripts.

/usr/local/bro/share/bro/site/local.bro : the script you customize for your site.

A single capture session creates many log files in the working directory, so it is best to run a capture from a directory dedicated to that session.

Here is the output showing the list of files created during a live traffic session.

Output
total 152
-rw-r--r-- 1 root root   277 Apr 14 09:20 capture_loss.log
-rw-r--r-- 1 root root  4711 Apr 14 09:20 conn.log
-rw-r--r-- 1 root root  2614 Apr 14 04:49 dns.log
-rw-r--r-- 1 root root 25168 Apr 14 09:20 loaded_scripts.log
-rw-r--r-- 1 root root   253 Apr 14 09:20 packet_filter.log
-rw-r--r-- 1 root root   686 Apr 14 09:20 reporter.log
-rw-r--r-- 1 root root   708 Apr 14 04:49 ssh.log
-rw-r--r-- 1 root root   793 Apr 14 09:20 stats.log
-rw-r--r-- 1 root root   373 Apr 14 09:20 weird.log

Start the capture with the command above and stop it after some time with CTRL+C.

You can then read each log with bro-cut, for example cat ssh.log | /usr/local/bro/bin/bro-cut -C -d, which keeps the header lines and converts the timestamps to a readable date.
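The logs that bro-cut reads are tab-separated files whose #fields header names the columns, with '#'-prefixed header and footer lines and '-' for unset values. The bash/awk script below is an added example, not code from the original post or from the Bro project: it reimplements the column selection bro-cut performs (without -C, so header lines are dropped), adds a timestamp converter doing what its -d option does, and tallies bytes sent per originating host, all run over a constructed conn.log sample embedded in the script (the uids and addresses are made up; 203.0.113.10 is a documentation address). It assumes bash, awk and a date command that accepts -d @EPOCH (GNU or busybox).

```bash
#!/usr/bin/env bash
# Added example: reading Bro logs without bro-cut. Not part of Bro; the sample
# log below is constructed for illustration (made-up uids and addresses).
set -u

# Emit a small conn.log in Bro's TSV format: '#'-prefixed header/footer lines,
# a '#fields' line naming the columns, and '-' for unset fields.
sample_conn_log() {
    printf '#separator \\x09\n'
    printf '#path\tconn\n'
    printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\torig_bytes\tresp_bytes\tconn_state\n'
    printf '1492161600.123456\tCXWv6p3arKYeMETxOg\t10.0.0.5\t51234\t203.0.113.10\t443\ttcp\tssl\t1024\t8192\tSF\n'
    printf '1492161601.500000\tCjhGID4nQcgTWjvg4c\t10.0.0.5\t51235\t203.0.113.10\t443\ttcp\tssl\t512\t4096\tSF\n'
    printf '1492161602.000000\tC4J4Th3PJpwUYZZ6gc\t10.0.0.9\t40000\t10.0.0.1\t22\ttcp\tssh\t-\t-\tS0\n'
    printf '#close\t2017-04-14-09-25-00\n'
}

# bro_cut_fields NAME... : print the named columns of a Bro log read on stdin,
# tab-separated, skipping '#' lines (what bro-cut does without -C).
# Exits 2 if a name is not in the #fields header or the header is missing.
bro_cut_fields() {
    awk -F '\t' -v want="$*" '
        BEGIN { n = split(want, names, " ") }
        /^#fields/ {
            for (i = 2; i <= NF; i++) idx[$i] = i - 1   # $1 is "#fields" itself
            for (j = 1; j <= n; j++)
                if (!(names[j] in idx)) {
                    print "unknown field: " names[j] > "/dev/stderr"; exit 2
                }
            have_header = 1
            next
        }
        /^#/ { next }
        {
            if (!have_header) { print "no #fields header" > "/dev/stderr"; exit 2 }
            out = ""
            for (j = 1; j <= n; j++)
                out = out (j > 1 ? "\t" : "") $(idx[names[j]])
            print out
        }'
}

# bro_ts_to_utc TS : convert a Bro "ts" value (epoch seconds with a fractional
# part) to an ISO-8601 UTC string, as bro-cut -d does for time columns.
bro_ts_to_utc() {
    date -u -d "@${1%.*}" +%Y-%m-%dT%H:%M:%SZ
}

# bytes_by_origin : sum orig_bytes per originating host, largest first.
# Unset ('-') byte counts are treated as 0 rather than breaking the arithmetic.
bytes_by_origin() {
    bro_cut_fields id.orig_h orig_bytes |
    awk -F '\t' '{ b = ($2 == "-") ? 0 : $2; sum[$1] += b }
                 END { for (h in sum) printf "%s\t%d\n", h, sum[h] }' |
    sort -t "$(printf '\t')" -k2,2nr
}

# Stand-alone run: show the selected columns and the per-host tally.
if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
    sample_conn_log | bro_cut_fields ts id.orig_h id.resp_h id.resp_p service |
    while IFS=$'\t' read -r ts orig resp port svc; do
        printf '%s\t%s -> %s:%s\t%s\n' "$(bro_ts_to_utc "$ts")" "$orig" "$resp" "$port" "$svc"
    done
    sample_conn_log | bytes_by_origin
fi
```

On a real capture directory the same functions apply unchanged, e.g. bro_cut_fields id.orig_h id.resp_p <conn.log; the field lookup by name matters because the column set differs between log types and between Bro versions, which is exactly why bro-cut exists.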

Conclusion

In this article, you have learned how to install Bro in stand-alone mode.

You also learned how to install the IPv4 and IPv6 GeoIP databases from MaxMind.

If you have any issues while following the steps, let us know in the comments section.
