Friday, August 9, 2013

Building and Running Bro

In this article I will introduce how to get Bro up and running on a Debian-based system as quickly as possible, with as many features as possible. The rest of the articles will assume you followed this guide. You should know that the Bro website has a very useful quickstart guide of its own, but I've decided to write down the procedure I often use. If you have questions or want to learn more about the different ways to install Bro, you should visit their guide.

The first thing to do is to set up a system. You can use a VM or build a physical machine; it doesn't matter. We'll be grabbing the source code and compiling it to make sure we get all the latest features and frameworks.
Bro depends on some packages for compilation to succeed. You'll need to install these before you can build Bro. Run the following command to do so:

sudo apt-get install git cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev libmagic-dev

Now, download the latest Bro source code via git by running

git clone --recursive git://git.bro-ids.org/bro

Make sure you include the --recursive option, or you won't grab everything you need to compile Bro. When the clone is finished you should see a 'bro/' directory in your working directory. Change into that directory. The default directory Bro is installed to is /usr/local/bro (that's what I'll be using for this and other blog posts), but that can be changed with the '--prefix=/desired/path' option. Configure the installation by running:

./configure

Compile and install the Bro software by running:

make
make install

NOTE: you might need root privileges to install Bro.

You can add bro to your PATH as a convenience by altering the PATH environment variable and exporting it, but I usually don't bother. Once Bro is installed, run it by calling it with the -i option and specifying an interface name to begin sniffing on.

/usr/local/bro/bin/bro -i eth0

If Bro starts successfully you should get output similar to "listening on eth0, capture length 8192 bytes". Terminate Bro the same way you would any other long-running terminal process (Ctrl+C). Depending on the packets Bro saw on that interface, you might have some new files in your working directory with a .log extension.
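The whole procedure above, collected into one script as an added example (my own helper, not part of the original post or the Bro project). It checks the two things the post warns about, a non-recursive clone and missing install rights, instead of assuming they went well; the script name, the "build" argument and the check_submodules/install_deps/build_and_install function names are my own.

```shell
#!/bin/sh
# Added helper (not from the post): build and install Bro from a recursive
# clone, verifying each step the post warns about. Assumes Debian tooling
# (apt-get, sudo, nproc) and the clone URL given in the post.
set -eu

# Succeed only if every submodule listed in $1/.gitmodules has a populated
# checkout; a clone made without --recursive leaves those directories empty.
check_submodules() {
    repo="$1"
    [ -f "$repo/.gitmodules" ] || { echo "no .gitmodules in $repo" >&2; return 1; }
    sed -n 's/^[[:space:]]*path = //p' "$repo/.gitmodules" | while read -r sub; do
        if [ -z "$(ls -A "$repo/$sub" 2>/dev/null)" ]; then
            echo "submodule $sub is empty: re-clone with --recursive" >&2
            exit 1   # leaves the pipeline, so the function returns 1
        fi
    done
}

# Install the build dependencies listed in the post (safe to re-run).
install_deps() {
    sudo apt-get install -y git cmake make gcc g++ flex bison libpcap-dev \
        libssl-dev python-dev swig zlib1g-dev libmagic-dev
}

# Clone if needed, verify the clone, configure with the chosen prefix, build,
# install, then confirm the installed binary actually runs.
build_and_install() {
    prefix="${1:-/usr/local/bro}"
    src="${2:-bro}"
    [ -d "$src" ] || git clone --recursive git://git.bro-ids.org/bro "$src"
    check_submodules "$src"
    ( cd "$src" && ./configure --prefix="$prefix" && make -j"$(nproc)" )
    # make install needs write access to the prefix; escalate only if required
    if [ -w "$prefix" ] || [ -w "$(dirname "$prefix")" ]; then
        ( cd "$src" && make install )
    else
        ( cd "$src" && sudo make install )
    fi
    "$prefix/bin/bro" --version
}

# Only act when invoked as "sh bro-build.sh build [prefix]"; sourcing the
# file just defines the helpers above.
if [ "${1:-}" = "build" ]; then
    install_deps
    build_and_install "${2:-/usr/local/bro}"
fi
```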

Congrats, you just installed and ran Bro!
