SBM Labs

Cyber Security Collaboration Project

Bro framework for network traffic analysis
17 Jan 2015

Let's review the network traffic analysis tool Bro Network Security Monitor (https://www.bro.org/).

1. Bro installation.

Create a test virtual machine and install CentOS 6.6.

Download the Bro binary package and install it. The Bro (full) package version 2.3.2 was used in this article. It additionally includes the Broccoli component (client communications library) and BroControl.

# yum localinstall Bro-2.3.2-Linux-x86_64.rpm

2. Bro configuration.

Set the run-time environment.

# export PATH=/opt/bro/bin:$PATH

Set the network interface.

# vi /opt/bro/etc/node.cfg

Set local networks.

# vi /opt/bro/etc/networks.cfg

Set general settings (e-mail, path to scripts, logs, rotation period, etc.).

# vi /opt/bro/etc/broctl.cfg

3. Start Bro.

Start BroControl.

# broctl

Install the configuration.

[BroControl] > install

Start Bro.

[BroControl] > start

Exit BroControl.

[BroControl] > exit

4. Check Bro.

Install curl.

# yum install curl

Connect to any site.

# curl http://centos.org

Check the Bro HTTP log.

# less /var/opt/bro/logs/current/http.log
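As an added example (not from this article or the Bro project), the check above can be scripted instead of eyeballed with less: the POSIX shell helper below reads a Bro log by the column names in its #fields header and counts requests to a given host. The http.log it writes is constructed with made-up values and an abbreviated field list; a real log has more columns.

```shell
#!/bin/sh
# Added example (not from the article or the Bro project): read a Bro log
# by field name.  Bro logs are tab-separated with a "#fields" header naming
# each column; resolving names at run time avoids hard-coded column numbers
# that break when the field list differs between Bro versions or scripts.

write_sample_log() {
    # Write a constructed, abbreviated http.log (made-up values) to file $1.
    {
        printf '#separator \\x09\n'
        printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi\tstatus_code\n'
        printf '#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring\tcount\n'
        printf '1421496000.123456\tCuid0001\t192.0.2.10\t51234\t198.51.100.7\t80\tGET\tcentos.org\t/\t301\n'
        printf '1421496001.654321\tCuid0002\t192.0.2.10\t51235\t198.51.100.7\t80\tGET\twww.centos.org\t/\t200\n'
        printf '#close\t2015-01-17-12-01-00\n'
    } > "$1"
}

bro_cut() {
    # bro_cut LOGFILE FIELD [FIELD...]: print the named columns of every record,
    # tab-separated; an unknown field name prints Bro's unset marker "-".
    logfile=$1
    shift
    awk -F '\t' -v want="$*" '
        BEGIN { n = split(want, names, " ") }
        $1 == "#fields" { for (i = 2; i <= NF; i++) col[$i] = i - 1; next }
        /^#/ { next }                      # skip other header/footer lines
        {
            line = ""
            for (j = 1; j <= n; j++) {
                c = col[names[j]]
                line = line (j > 1 ? "\t" : "") (c ? $c : "-")
            }
            print line
        }' "$logfile"
}

count_requests_to() {
    # count_requests_to LOGFILE HOST: number of HTTP records whose host == HOST
    bro_cut "$1" host | awk -v h="$2" '$0 == h { n++ } END { print n + 0 }'
}

# Demo: write the sample, show the useful columns, count the centos.org hits.
demo_log=$(mktemp)
write_sample_log "$demo_log"
bro_cut "$demo_log" ts id.orig_h method host uri status_code
count_requests_to "$demo_log" centos.org      # prints 1
rm -f "$demo_log"
```

Point the helper at /var/opt/bro/logs/current/http.log after the curl request to confirm the connection was logged.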

We will review several use cases for Bro in the next article.

Bro Network Security Monitor use cases