Bro is open source software for network analysis and security monitoring.
Bro brings the best features of both OSSEC and OSQUERY into a single package.
Bro can do both signature-based and behavior-based analysis.
Most of the time it does behavior-based analysis. Here is the list of things Bro can do.
- Detects brute force attacks on both SSH and FTP connections.
- Monitors HTTP traffic.
- Detects changes made to software.
- Detects SQL injection attempts.
- Performs SSL/TLS verification.
- Monitors file integrity.
- Sends summaries, activity reports and crash reports via email.
- Identifies the geographic location (city) of an IP address.
- Operates in both stand-alone and distributed mode.
You can install Bro in two ways: either from the package manager or from source.
Installing from source is recommended because it supports geolocation of IP addresses.
Once Bro is installed, the broctl and bro commands will be available on the server.
Bro can do two things:
- Analyze trace files
- Analyze live traffic
The broctl command is used to manage a stand-alone or distributed Bro installation.
An Ubuntu 16.04 server configured according to the initial server setup guide.
The server should have a minimum of 1 GB of RAM.
Postfix installed as a send-only mail transfer agent on the server. Bro needs Postfix to send alert and report emails.
Installing the Dependencies
Before installing Bro, we need to install some additional dependencies that Bro requires.
First, update the package manager. If you skip this step, you may run into package manager errors.
$ sudo apt-get update
Here is the list of dependencies required by Bro.
- BIND 8
- C/C++ compiler
BroControl needs Python 2.6 or later, since we are going to build Bro from scratch.
$ sudo apt-get install bison cmake flex g++ gdb make libmagic-dev libpcap-dev libgeoip-dev libssl-dev python-dev swig2.0 zlib1g-dev
The next task is to download the database that Bro uses for geolocation.
We are going to download two GeoIP data files from MaxMind: one for IPv4 addresses and one for IPv6 addresses.
After that we will move the downloaded files into the /usr/share/GeoIP directory.
Here are the commands for downloading both the IPv4 and IPv6 databases.
$ wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
$ wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCityv6-beta/GeoLiteCityv6.dat.gz
When you decompress those files, you will get the GeoLiteCity.dat and GeoLiteCityv6.dat files.
$ gzip -d GeoLiteCity.dat.gz
$ gzip -d GeoLiteCityv6.dat.gz
After that, move them into place using the commands below.
$ sudo mv GeoLiteCity.dat /usr/share/GeoIP/GeoIPCity.dat
$ sudo mv GeoLiteCityv6.dat /usr/share/GeoIP/GeoIPCityv6.dat
Now that we have the GeoIP databases, our next task is installing Bro.
Installing Bro (From Source)
To install Bro from source, you have to clone its Git repository. Git is already installed on Ubuntu 16.04, so you just need to run the clone command.
The cloned files will be placed in a directory named bro.
$ git clone --recursive git://git.bro.org/bro
Now change to the Bro directory.
$ cd bro
After that, you have to run Bro's configure script (./configure) from inside the bro directory.
Then use make to build the program. This process takes a long time depending on the hardware configuration;
it will take at least 20 minutes, depending on the server.
After the process, install the bro using the below command.
$ sudo make install
Bro will be installed in the /usr/local/bro directory.
After that, you need to add /usr/local/bro/bin to the PATH so the commands are available. We will do this with a file in /etc/profile.d.
The file can be called 3rd-party.sh.
Now, open 3rd-party.sh using the nano editor.
$ sudo nano /etc/profile.d/3rd-party.sh
You have to add the below line in your file. Here you are setting the /usr/local/bro/bin path to all the user in the system.
/etc/profile.d/3rd-party.sh
# Expand PATH to include the path to Bro's binaries
export PATH=$PATH:/usr/local/bro/bin
After that, save and close the file. Use the below command to make the changes work.
$ source /etc/profile.d/3rd-party.sh
Now that Bro is installed, we have to make some changes to its configuration files.
We have to customize a few files to ensure that Bro works properly.
All of those files are located in /usr/local/bro/etc.
Here are the files we are going to change.
node.cfg: Configures which node(s) to monitor.
networks.cfg: A list of networks in CIDR notation that are local to the node.
broctl.cfg: The BroControl configuration file for email, logging and some other settings.
We are going to make a few changes in each of these files.
Since we are installing in stand-alone mode, there should be little to change in node.cfg.
Still, we have to check it.
Open the configuration file using the nano editor.
$ sudo nano /usr/local/bro/etc/node.cfg
Check the interface in the file. It is eth0 by default. It should match your Ubuntu 16.04 server's public interface.
If not, update it so that both match.
/usr/local/bro/etc/node.cfg
[bro]
type=standalone
host=localhost
interface=eth0
Then save and close the file. Then, we have to configure the private networks.
Configuring the Node's Private Networks
To configure the private networks, open the networks.cfg file.
Here, you will configure the IP networks of the node.
First, open the file.
$ sudo nano /usr/local/bro/etc/networks.cfg
The configuration file ships with default settings. Just delete them.
You can see three private IP blocks configured by default.
/usr/local/bro/etc/networks.cfg
# List of local networks in CIDR notation, optionally followed by a
# descriptive tag.
# For example, "10.0.0.0/8" or "fe80::/64" are valid prefixes.
10.0.0.0/8          Private IP space
172.16.0.0/12       Private IP space
192.168.0.0/16      Private IP space
Find your own network addresses and add them as shown below.
Example /usr/local/bro/etc/networks.cfg
223.3.963.0/24      Public IP space
188.8.131.52/24     Private IP space
Then, save and close the files.
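Because broctl deploy reads networks.cfg as-is, a typo in a prefix (an octet above 255, a prefix length above 32, a missing slash) is easy to miss. The following is an added example, not part of Bro or this guide's configuration, that sanity-checks the IPv4 entries of a networks.cfg before deploying. The function names and the sample entries fed to it are hypothetical; IPv6 entries such as fe80::/64 are passed through without validation.

```shell
#!/bin/sh
# Added example: validate networks.cfg entries before "broctl deploy".
# Not part of Bro; function names are hypothetical.

# Return 0 if $1 is a well-formed IPv4 CIDR prefix (a.b.c.d/n), else 1.
valid_ipv4_cidr() {
    printf '%s\n' "$1" | awk -F'/' '
        NF != 2                          { exit 1 }   # exactly one "/"
        $2 !~ /^[0-9]+$/ || $2 + 0 > 32  { exit 1 }   # prefix length 0..32
        {
            if (split($1, o, ".") != 4) exit 1        # four octets
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) exit 1
            exit 0
        }'
}

# Read a networks.cfg on stdin. Comments and blank lines are skipped, IPv6
# entries (containing ":") are not checked. Each malformed IPv4 entry is
# reported on stderr; returns 0 only if every checked entry is valid.
check_networks_cfg() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|\#*) continue ;; esac
        prefix=${line%%[[:space:]]*}          # first token: the prefix
        case "$prefix" in *:*) continue ;; esac
        if ! valid_ipv4_cidr "$prefix"; then
            printf 'networks.cfg: malformed entry: %s\n' "$line" >&2
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Usage on the real file: check_networks_cfg < /usr/local/bro/etc/networks.cfg
# Demonstration on constructed input (one good entry, one bad entry):
printf '10.0.0.0/8 Private IP space\n10.0.300.0/24 typo\n' | check_networks_cfg
```

Run the check after editing the file and before broctl deploy; a non-zero exit status means at least one IPv4 entry would not be a valid prefix.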
Configuration of Mail and Logging Settings
BroControl manages its own email and logging. You don't need to change the default configuration here.
All you need to do is set the recipient email address.
Open the configuration file for editing.
$ sudo nano /usr/local/bro/etc/broctl.cfg
In that configuration file, look for the Mail Options section.
There you will see a parameter called MailTo.
This is where you specify the recipient email address. After the change, the configuration file will look like this.
/usr/local/bro/etc/broctl.cfg
. . .
# Mail Options
# Recipient address for all emails sent out by Bro and BroControl.
MailTo = firstname.lastname@example.org
. . .
Then save and close the file.
Manage the Bro with Bro Control
BroControl is used to install, start and stop Bro, and performs other management tasks as well.
It is both a command line interface and an interactive shell.
To start the interactive shell, invoke broctl with sudo /usr/local/bro/bin/broctl.
Output
Welcome to BroControl 1.5-21
Type "help" for help.
[BroControl] >
If you want to exit the interactive shell, use the exit command.
You can run BroControl commands in two ways: directly from the command line, or from the interactive shell.
Running commands from the command line is more useful, since it lets you pipe broctl's output into standard Linux commands.
We will invoke the broctl command for the rest of the steps.
To start Bro, use the broctl deploy command.
$ sudo /usr/local/bro/bin/broctl deploy
You have to run this command whenever you change scripts or configuration files.
If Bro is not running, you will get the following output, even though you have the MTA installed.
Output
bro not running (was crashed)
Error: error occurred while trying to send mail: sendmail: SENDMAIL-NOTFOUND not found
starting ...
starting bro ...
You can solve this by editing the BroControl configuration file /usr/local/bro/etc/broctl.cfg.
Add the line SendMail = /usr/sbin/sendmail at the end of the Mail Options section.
/usr/local/bro/etc/broctl.cfg
. . .
# Added for Sendmail
SendMail = /usr/sbin/sendmail
. . .
After that, redeploy the bro using the below command.
$ sudo /usr/local/bro/bin/broctl deploy
You will get the following output.
Output
Name         Type         Host         Status    Pid    Started
bro          standalone   localhost    running   6807   12 Apr 05:42:50
The Status column shows running, crashed or stopped.
If you want to restart Bro, use the command below.
$ sudo /usr/local/bro/bin/broctl restart
One important thing to note: broctl restart and broctl deploy are not the same command.
Our next step is to create a cron job for the Bro service.
Configuring Cron Job for Bro
Bro does not ship with a systemd service file by default.
Instead, it comes with a cron script that restarts Bro if it has crashed.
The script also checks for necessary disk space and removes old log files.
broctl's cron command is available out of the box; it only needs a system cron job to trigger it.
First, add a cron file in /etc/cron.d. Open the file with the nano editor.
$ sudo nano /etc/cron.d/bro
Here, the cron job will run every 5 minutes. If it finds that Bro has crashed, it will restart Bro.
Copy and paste the following line.
/etc/cron.d/bro
*/5 * * * * root /usr/local/bro/bin/broctl cron
The 5 is the interval in minutes. You can change it as you like.
After that, save and close the file.
Once the cron job is active, you will receive an email saying that a directory for the stats file has been created at /usr/local/bro/logs/stats.
This only works when Bro has actually crashed. It will not restart Bro if you stopped it with BroControl's stop command.
To test whether it works, either reboot the server or kill one of the Bro processes.
If you reboot the server, Bro will start about 5 minutes after the boot process completes.
If you prefer the other method, find one of Bro's process IDs instead of rebooting.
$ ps aux | grep bro
Then kill that process.
$ sudo kill -9 process_id
After that, check the status.
$ sudo /usr/local/bro/bin/broctl status
You will get output saying it has crashed.
Output
Name         Type         Host         Status    Pid    Started
bro          standalone   localhost    crashed
Once Bro is running, you will also start getting emails every hour about the activity on the interface.
If it crashes and restarts, you will receive an email notification that the system has restarted after a crash.
Next, I am going to show you Bro's utilities.
Bro, Bro-cut, and Bro policy scripts
bro and bro-cut are two of Bro's components. With bro you can monitor live traffic and analyze trace files.
bro-cut helps you extract specific fields from Bro's logs.
To capture live traffic with bro, use the command below.
$ sudo /usr/local/bro/bin/bro -i eth0 file ...
You need to specify which interface to capture traffic from.
Here file ... refers to the policy scripts. Policy scripts define what Bro processes.
You don't need to specify any scripts; the command can be as simple as this.
$ sudo /usr/local/bro/bin/bro -i eth0
/usr/local/bro/share/bro : the scripts required for Bro to function are stored here.
/usr/local/bro/share/bro/site/ : contains site-specific scripts.
/usr/local/bro/share/bro/site/local.bro : the script where you do your customization.
A single capture session in Bro creates many files in the working directory.
It is better to run a bro capture command from a dedicated directory used only for that session.
Here is the output showing the list of files created during a live traffic session.
Output
total 152
-rw-r--r-- 1 root root   277 Apr 14 09:20 capture_loss.log
-rw-r--r-- 1 root root  4711 Apr 14 09:20 conn.log
-rw-r--r-- 1 root root  2614 Apr 14 04:49 dns.log
-rw-r--r-- 1 root root 25168 Apr 14 09:20 loaded_scripts.log
-rw-r--r-- 1 root root   253 Apr 14 09:20 packet_filter.log
-rw-r--r-- 1 root root   686 Apr 14 09:20 reporter.log
-rw-r--r-- 1 root root   708 Apr 14 04:49 ssh.log
-rw-r--r-- 1 root root   793 Apr 14 09:20 stats.log
-rw-r--r-- 1 root root   373 Apr 14 09:20 weird.log
You can run the capture command and, after some time, stop it using CTRL+C.
You can read each of the logs with a command like cat ssh.log | /usr/local/bro/bin/bro-cut -C -d.
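To make clear what bro-cut is doing when it pulls fields out of a log, here is an added example (written for this article, not part of Bro or bro-cut) that reproduces the core of it in POSIX sh and awk: Bro logs are tab-separated with a #fields header naming each column, and bro-cut resolves the names you ask for against that header. The conn.log contents below are constructed sample records, not data from a real capture, and the function names bro_cut_fields and rejected_ssh_by_source are hypothetical. The second function goes a step past the text: it uses the extracted columns to count, per source host, SSH connections that were rejected, which is the kind of summary you would pull from conn.log when checking for a brute-force attempt.

```shell
#!/bin/sh
# Added example: a minimal bro-cut work-alike plus a per-source summary,
# run on a constructed conn.log. Not part of Bro; names are hypothetical.

# Emit a constructed Bro conn.log: the header lines Bro writes, followed by
# four connection records. Columns are tab-separated, as in real Bro logs.
sample_conn_log() {
    printf '#separator \\x09\n'
    printf '#set_separator\t,\n#empty_field\t(empty)\n#unset_field\t-\n#path\tconn\n'
    printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state\n'
    printf '#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring\n'
    printf '1492162850.123456\tCHhAvVGS1DHFjwGM9\t192.0.2.10\t51234\t198.51.100.5\t22\ttcp\tssh\tSF\n'
    printf '1492162851.000000\tC4J4Th3PJpwUYZZ6gc\t192.0.2.11\t51235\t198.51.100.5\t22\ttcp\tssh\tREJ\n'
    printf '1492162851.250000\tCmES5u32sYpV7JYN\t192.0.2.11\t51236\t198.51.100.5\t22\ttcp\tssh\tREJ\n'
    printf '1492162852.500000\tCtPZjS20MLrsMUOJi2\t192.0.2.12\t40000\t198.51.100.7\t80\ttcp\thttp\tSF\n'
    printf '#close\t2017-04-14-09-20-00\n'
}

# Print only the named columns of a Bro log read on stdin, in the order
# given, resolving names through the #fields header the way bro-cut does.
# Header/comment lines are dropped; an unknown column name prints as "-"
# (Bro's marker for an unset field).
bro_cut_fields() {
    awk -F'\t' -v want="$*" '
        BEGIN { n = split(want, w, " ") }
        $1 == "#fields" { for (i = 2; i <= NF; i++) col[$i] = i - 1; next }
        /^#/ { next }
        {
            out = ""
            for (k = 1; k <= n; k++) {
                c = col[w[k]]
                out = out (k > 1 ? "\t" : "") (c ? $c : "-")
            }
            print out
        }'
}

# Count, per source host, SSH connections whose conn_state is REJ (the
# responder refused the connection). A host with many such rows in a short
# window is worth a closer look in ssh.log.
rejected_ssh_by_source() {
    bro_cut_fields id.orig_h service conn_state |
        awk -F'\t' '$2 == "ssh" && $3 == "REJ" { n[$1]++ }
                    END { for (h in n) print h "\t" n[h] }' | sort
}

# Usage: the same two pipelines you would run on a real log, e.g.
#   cat conn.log | bro_cut_fields id.orig_h id.resp_p conn_state
sample_conn_log | bro_cut_fields id.orig_h id.resp_p conn_state
sample_conn_log | rejected_ssh_by_source
```

The real bro-cut also keeps the header lines with -C and rewrites the ts column into human-readable time with -d; this version does neither, it only shows the column-by-name lookup that both tools share.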
In this article you learned how to install Bro in stand-alone mode.
You also learned how to install MaxMind's IPv4 and IPv6 GeoIP databases.
If you run into any issues, let us know in the comments section.