Installing Bro IDS on Fedora 25

Introduction

Bro is an open-source network traffic analyzer. It is primarily a security monitor that inspects all traffic on a link in depth for signs of suspicious activity. More generally, however, Bro supports a wide range of traffic analysis tasks even outside of the security domain, including performance measurements and help with troubleshooting.

Prerequisites

Before installing Bro, you’ll need to ensure that some dependencies are in place:

Required Dependencies

• Libpcap
• OpenSSL libraries
• BIND8 library
• Libz
• Bash (for BroControl)
• Python 2.6+ or greater (for BroControl)

The Sendmail is not required, but strongly recommended.

Step 1: Update the system

Before installing any packages it’s recommended to update the system packages. Run the command dnf --assumeyes update. This will download and install latest versions of the system packages. Package manager will automatically answer yes to prompts offered. It can take some time.

Step 2: Install dependencies

You’ll need to install required packages on your system. Run the following command:
dnf --assumeyes install libpcap openssl python zlib sendmail

Step 3: Install Bro IDS

Run command dnf install --assumeyes bro
This command will install bro into /bin directory. And now let’s configure it.

Step 4: Configure Bro IDS

Create folders: mkdir -p /var/log/bro and mkdir -p /var/spool

Configuring the node.cfg file

Since Fedora 2x interface naming was changed, so let’s find out current iface name:
ls /sys/class/net. Output should be similar to this one: ens3 lo, or this one: eth0 lo. In the first case we are interested in ens3 interface name, in the second one — eth0. Let’s assume that we have ens3.

Now, examine file /etc/bro/node.cfg. Run command less /etc/bro/node.cfg. At the line 11 there is network interface specification:
interface=eth0. If your iface name is eth0 — let file without changes and continue to the next step. Otherwise — change it with ens3. For that run this command: sed -i 's/eth0/ens3'. Option -i stands for changing the file in-place. s will substitute value enclosed between first and second slashes to the value between second and third one.

Configuring the broctl.cfg file

Add variables to the config file:
echo "LibDirInternal = /usr/lib/python2.7/site-packages/BroControl/" >> /etc/bro/broctl.cfg
echo "SpoolDir = /var/spool" >> /etc/bro/broctl.cfg
echo "LogDir = /var/log/bro" >> /etc/bro/broctl.cfg
echo "CfgDir = /etc/bro" >> /etc/bro/broctl.cfg

Step 5: Launch BroCtl

Now we can deploy our configured node and start logging:

Run command broctl deploy. You’ll see output like this:

cannot get list of local IP addresses
checking configurations ...
installing ...
removing old policies in /var/spool/installed-scripts-do-not-touch/site ...
removing old policies in /var/spool/installed-scripts-do-not-touch/auto ...
creating policy directories ...
installing site policies ...
generating standalone-layout.bro ...
generating local-networks.bro ...
generating broctl-config.bro ...
generating broctl-config.sh ...
updating nodes ...
stopping ...
stopping bro ...
starting ...
starting bro ...

If you didn’t get any errors — bro is deployed.

Step 5: Test your installation

Now let’s look at the logs: ls -la /var/log/bro.
Output should be similar to this one:

total 12
drwxr-xr-x 3 root root 4096 Jun 13 10:11 .
drwxr-xr-x 1 root root 4096 Jun 13 10:04 ..
drwxr-xr-x 2 root root 4096 Jun 13 10:11 2017-06-13
lrwxrwxrwx 1 root root   14 Jun 13 10:11 current -> /var/spool/bro

Run this command to tail logs: tail -f /var/log/bro/current/conn.log and query your ip from browser.
If everything was configured correctly, you’ll see log messages.

Enjoy!