This is part two of a four part series on getting started with the Bro IDS. See part one on installing the Bro prerequisites. This post is about installing and preparing Bro.

Bro Compilation and Installation

Now that the prerequisites are taken care of, it is time to compile and install Bro. I downloaded Bro 2.5 IDS from bro.org and extracted it. After entering the directory, I ran

Below is the output from my ./configure command. It is okay to see failures on some of the lines since some items might not be needed for your system.  If you followed this guide, you should see successful messages for GeoIP, gperftools, and PF_RING as highlighted in the output below. (Note, I skipped installing GeoIP so my message will show false below.)

Not that the configuration is complete, it’s time to compile and install. Compiling and installing both will take some time.

PF_Ring Bro Plugin Compilation and Installation

Now that Bro is compiled and installed, it’s time to compile and install a few Bro plugins. The PF_Ring plugin allows Bro to natively talk to PF_RING. Another plugin takes care of permission issues that may come up when a non-root user attempts to access the NIC.

Download the Bro plugins directory. See https://github.com/bro/bro-plugins/tree/master/pf_ring for reference. Compile and run the plugin by running

Stdout of ./configure command is as follows:

If the plugin install directory (as shown in the ./configure output) is incorrect, use –help flag to see options to configure it appropriately.

If you run into an error while running make, it may be due to an issue finding the right files in Bro. You may need to recompile the IDS (but don’t need to reinstall) then try again.

To verify the plugin installed correctly, navigate to the bro directory (/opt/bro in this case) and run:

And you should see something like:

Bro::PF_RING – Packet acquisition via PF_RING (dynamic, version 1.0)

Broctl-setcap Plugin

It’s a good idea to run Bro as a separate user instead of an admin or root account. I suggest creating a user. You will then need to adjust file permissions to give him read/write/execute privileges to the directory Bro is installed in, in this case /opt/bro.

Whatever user that runs Bro needs elevated privileges to read directly off of the NIC. The Setcap plugin allows you to run Bro as a non-root user. More details about the reasoning behind the plugin can be found on an email at http://mailman.icsi.berkeley.edu/pipermail/bro/2017-February/011489.html
Or if you want, to go to https://github.com/PingTrip/broctl-setcap and follow the instructions there.

This completes part two of a four part series installing and configuring the Bro IDS.