Monday, 21 January 2013

NSM With Bro-IDS Part 2: The Install

With the router set up in my last post, this post will cover setting up a virtual machine that monitors the span port from the router and installing bro from source.

Configuring the VM -- VirtualBox

For the bro virtual machine there were two changes I wanted to make to how I've configured my virtual machines up until now. For this installation I wanted to use the amd64 release of Ubuntu Server 12.04 LTS. In my specific virtual environment there is absolutely no benefit to using amd64 over x86; it's purely for the fun of it, but in a production environment it might make a lot of sense to have a 64-bit virtual machine. Additionally, I wanted to use a second drive for the bro install. This would let me still set up a "template" 64-bit installation with fairly minimal disk usage and then add basic storage for the bro install that I can expand as necessary.

As with other times I created a "base" virtual machine that I then cloned. The actual VirtualBox virtual machine configuration looks like (note the virtual machine names - with my virtual environment growing I decided to rename most of the virtual machines to reflect their usage):

Configuring the VM -- Operating System

As I've noted, I chose Ubuntu Server 12.04 LTS for the operating system. The primary hard disk had 4 GB partitioned for swap and I devoted the rest to the root ("/") partition:

Since I planned to clone the virtual machine, this one doesn't have the additional 8 GB "bro" drive. 

The Guest VM -- Updates and Data Drive

With the OS installed, I updated it with:

sudo apt-get update && sudo apt-get upgrade

Then I installed the openssh-server package:

sudo apt-get install openssh-server

To ease administration I logged out from the VirtualBox interface and used SSH to connect from my MacBook host.

I then connected via SSH and added the data drive (the screenshots are more useful from an SSH session than from the VirtualBox interface). First I used fdisk to partition it with one large primary partition:

Then I used "mkfs.ext3" and "mount" to create the new filesystem and mount it as "/usr/local/bro":

With the appropriate addition to "/etc/fstab", the new partition will get mounted automatically at boot:

The Guest OS -- Bro installation

I want to go ahead and say that this entire section is based on the documentation at the project website. They have some really fantastic documentation and I relied on it heavily. I am NOT going to try to reproduce that; I am merely stating the exact process I followed. If you want to make ANY changes to the install process (even if you don't want to make changes!) you should read the documentation at the project site.

Even though I installed bro from a source tarball, first I needed to install several Ubuntu libraries. This was accomplished with:

sudo apt-get install cmake make gcc g++ flex bison libpcap-dev \
libssl-dev python-dev swig zlib1g-dev libmagic-dev \
libgoogle-perftools-dev libgeoip-dev

This installs a LOT of dependencies:

The source tarball for the 2.1 release can be downloaded via wget and extracted with tar:

tar zxf bro-2.1.tar.gz

This creates a "bro-2.1" directory. From here it is very standard Unix software installation. Change directory to the bro-2.1 directory and run:

sudo make install

Note that the output of "make" and "make install" can be pretty substantial:

I'll cover a basic bro configuration in my next post but there was one more step I needed to take before I considered the general installation completed: the bro control program, broctl, is not in the sudo path on Ubuntu Server by default. To add /usr/local/bro/bin to the sudo path you have to edit the sudoers file; the appropriate way to do that is with "sudo visudo". It opens a standard nano session and the only modification that needs to be made is to the secure_path line: add ":/usr/local/bro/bin" to the end of the line and save the file/exit.
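Any program in a secure_path directory is found by name when a command is run through sudo, so the directory appended above should be root-owned and not group- or world-writable. The check below is an added example, not part of the original post; the helper names are hypothetical and the sample sudoers text is constructed from Ubuntu's stock secure_path line.

```shell
#!/bin/sh
# Added example: audit a directory that has been appended to sudo's secure_path.
# Helper names are hypothetical; the sample sudoers content below is constructed.

# secure_path_of SUDOERS: print the value of the last "Defaults secure_path=" line.
secure_path_of() {
    sed -n 's/^Defaults[[:space:]]\{1,\}secure_path[[:space:]]*=[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# in_secure_path DIR SUDOERS: succeed if DIR is one of the colon-separated entries.
in_secure_path() {
    case ":$(secure_path_of "$2"):" in
        *":$1:"*) return 0 ;;
    esac
    return 1
}

# unsafe_entries DIR [OWNER]: list DIR and anything under it that is not owned
# by OWNER (default root) or that is group- or world-writable. Symlinks are
# skipped because their own mode bits are not meaningful.
unsafe_entries() {
    find "$1" ! -type l \( ! -user "${2:-root}" -o -perm -020 -o -perm -002 \) -print
}

# Constructed sample: stock Ubuntu secure_path with the post's directory appended.
tmp=$(mktemp -d)
printf 'Defaults\tenv_reset\nDefaults\tsecure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/bro/bin"\n' > "$tmp/sudoers"
mkdir "$tmp/bin" && chmod 755 "$tmp/bin"      # stand-in for /usr/local/bro/bin
: > "$tmp/bin/broctl" && chmod 755 "$tmp/bin/broctl"

in_secure_path /usr/local/bro/bin "$tmp/sudoers" && echo "in secure_path"
# The demo passes the current uid as OWNER so it runs unprivileged;
# on the real host, omit it to require root ownership.
[ -z "$(unsafe_entries "$tmp/bin" "$(id -u)")" ] && echo "directory locked down"
chmod 775 "$tmp/bin/broctl"                   # simulate a group-writable binary
unsafe_entries "$tmp/bin" "$(id -u)"          # now lists the offending file
```

On the monitoring VM itself the equivalent call is `unsafe_entries /usr/local/bro/bin`, which should print nothing.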

With the addition to sudoers saved, you should be able to verify a successful installation with "sudo broctl". You should see something very similar to:

If you do not, I would go back through the "make" and "make install" components to see why something failed to build or install properly. You can try running broctl with its full path:

sudo /usr/local/bro/bin/broctl

If you are mounting a separate partition at /usr/local/bro, and you have had to reboot since doing "make install", you should verify that the partition is actually mounted and that it was mounted when you did the "make install".
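A preflight check for the situation described above, which also confirms the /etc/fstab entry from the data-drive step, so that an install never lands in the bare directory underneath the mount point. This is an added example, not from the original post: the function names are hypothetical, and the device /dev/sdb1 in the constructed sample data is an assumption (the post does not name the device).

```shell
#!/bin/sh
# Added example: preflight check before "make install" into a dedicated partition.
# /dev/sdb1 in the sample data is an assumption; the post does not name the device.

# is_mounted MOUNTPOINT [MOUNTS_FILE]: succeed if MOUNTPOINT is field 2 of a line
# in the mounts table (/proc/mounts format: device mountpoint fstype options ...).
is_mounted() {
    awk -v mp="$1" '$2 == mp { found = 1 } END { exit !found }' "${2:-/proc/mounts}"
}

# in_fstab MOUNTPOINT [FSTAB]: succeed if a non-comment fstab line mounts MOUNTPOINT.
in_fstab() {
    awk -v mp="$1" '$1 !~ /^#/ && $2 == mp { found = 1 } END { exit !found }' "${2:-/etc/fstab}"
}

# preflight MOUNTPOINT [MOUNTS_FILE] [FSTAB]: print a verdict.
# Returns 0 if safe, 1 if not mounted, 2 if mounted but absent from fstab.
preflight() {
    if ! is_mounted "$1" "${2:-/proc/mounts}"; then
        echo "NOT MOUNTED: $1 (install would land on the root filesystem)"
        return 1
    fi
    if ! in_fstab "$1" "${3:-/etc/fstab}"; then
        echo "MOUNTED, NO FSTAB ENTRY: $1 (will be missing after reboot)"
        return 2
    fi
    echo "OK: $1"
}

# Constructed sample data (not from the post).
tmp=$(mktemp -d)
printf '%s\n' '/dev/sda1 / ext4 rw 0 0' > "$tmp/mounts.before"
printf '%s\n' '/dev/sda1 / ext4 rw 0 0' '/dev/sdb1 /usr/local/bro ext3 rw 0 0' > "$tmp/mounts.after"
printf '%s\n' '# <file system> <mount point> <type> <options> <dump> <pass>' \
    '/dev/sdb1 /usr/local/bro ext3 defaults 0 2' > "$tmp/fstab"

preflight /usr/local/bro "$tmp/mounts.before" "$tmp/fstab" || true   # data drive not mounted
preflight /usr/local/bro "$tmp/mounts.after" "$tmp/fstab"            # mounted and persistent
```

On the VM, `preflight /usr/local/bro` with no further arguments reads the live /proc/mounts and /etc/fstab.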

Otherwise, keep an eye out for part 3. It will cover a very basic bro configuration, basically just enough to verify you are monitoring traffic, and will allow you to ascertain that you are able to extract relevant information from bro.
