The first thing to do is to set a system up. You can use a VM or build a physical machine; it doesn't matter. We'll be grabbing the source code and compiling it to make sure we get all the latest features and frameworks.
Bro depends on some packages for compilation to succeed. You'll need to install these before you can build Bro. Run the following command to do so:
sudo apt-get install git cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev libmagic-dev
Now, download the latest Bro source code via git by running
git clone --recursive git://git.bro-ids.org/bro
Make sure you include the --recursive option or you won't grab everything you need to compile Bro. When the clone is finished you should see a 'bro/' directory sitting in your working directory. Change into that directory. The default directory Bro is installed to is /usr/local/bro (that's what I'll be using for this and other blog posts), but that can be changed with the '--prefix=/desired/path' option. Configure the installation by running:
Compile and install the Bro software by running:
NOTE: you might need root privileges to install Bro
You can add bro to your path as a convenience by altering your PATH environment variable and exporting it, but I usually don't bother. Once Bro is installed, run it by calling it with the -i option and specifying an interface name to begin sniffing on.
/usr/local/bro/bin/bro -i eth0
If Bro starts successfully you should get some output similar to "listening on eth0, capture length 8192 bytes". Terminate Bro the same way you would with any other long-running terminal process (Ctrl+C). Depending on the packets Bro saw on that interface you might have some new files in your working directory with a .log extension.
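The whole procedure above, collected into one script as an added example (this is not code from the original post or from the Bro project). It assumes a Debian/Ubuntu host, the dependency list and git URL exactly as given above, the usual "./configure && make && make install" sequence for the Bro source tree, and Linux's /sys/class/net for looking up interface names. The function names (run, sudo_if_needed, install_deps, fetch_source, configure_bro, build_install, run_bro) and the DRY_RUN switch are my own; it adds two checks the post only alludes to: sudo is used for the install only when the prefix is not writable, and a mistyped interface name is rejected before bro is started.

```shell
#!/bin/sh
# Added example, not from the original post: the build-and-run procedure
# collected into one script. Assumptions: Debian/Ubuntu host, the dependency
# list and git URL from the post, the usual ./configure && make && make install
# sequence for the Bro source tree, and Linux's /sys/class/net for interfaces.
# Set DRY_RUN=1 to print each command instead of executing it.
set -eu

BRO_PREFIX="${BRO_PREFIX:-/usr/local/bro}"     # same default as the post
BRO_GIT="git://git.bro-ids.org/bro"
BRO_DEPS="git cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev libmagic-dev"

# run CMD...: execute the command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# sudo_if_needed TARGET CMD...: prefix CMD with sudo only when TARGET is not
# writable by the current user (the post's "you might need root" note).
sudo_if_needed() {
    target="$1"; shift
    if [ -w "$target" ]; then
        run "$@"
    else
        run sudo "$@"
    fi
}

# Step 1: build dependencies. Package installation always needs root.
install_deps() {
    run sudo apt-get install -y $BRO_DEPS   # unquoted on purpose: split the list into words
}

# Step 2: fetch the source. --recursive also pulls the submodules the build needs.
fetch_source() {
    run git clone --recursive "$BRO_GIT"
    run cd bro
}

# Step 3: configure with the install prefix.
configure_bro() {
    run ./configure --prefix="$BRO_PREFIX"
}

# Step 4: compile, then install. sudo is added only if the prefix (or, when it
# does not exist yet, its parent directory) is not writable.
build_install() {
    run make -j"$(nproc 2>/dev/null || echo 1)"
    target="$BRO_PREFIX"
    [ -e "$target" ] || target="$(dirname "$target")"
    sudo_if_needed "$target" make install
}

# Step 5: sniff on an interface. Reject names that do not exist so a typo fails
# here instead of as an opaque libpcap error from bro.
run_bro() {
    iface="$1"
    if [ ! -e "/sys/class/net/$iface" ]; then
        echo "run_bro: no such interface: $iface" >&2
        return 1
    fi
    run "$BRO_PREFIX/bin/bro" -i "$iface"
}

# Dispatch on the first argument. With no argument only the functions are
# defined, so the file can also be sourced from another script.
case "${1:-}" in
    deps)  install_deps ;;
    build) fetch_source; configure_bro; build_install ;;
    run)   run_bro "${2:-eth0}" ;;
    "")    ;;
    *)     echo "usage: $0 {deps|build|run [interface]}" >&2; exit 2 ;;
esac
```

Typical use is `sh bro-build.sh deps`, then `sh bro-build.sh build`, then `sh bro-build.sh run eth0`; running any step with `DRY_RUN=1` first shows exactly what would be executed, which is worth doing before the install step on a shared machine.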
Congrats, you just installed and ran Bro!