Lead Image © Aleksey Mnogosmyslov, 123RF.com

Lead Image © Aleksey Mnogosmyslov, 123RF.com

Network analysis with the Bro Network Security Monitor

Got Your Back

Article from ADMIN 24/2014
The Bro network analysis framework provides network security monitoring as well as more general network traffic analysis.

The Bro Network Security Monitor (Bro) is a network-based analysis framework. Bro's powerful analysis engine makes it adept at high-performance network monitoring, protocol analysis, and real-time application layer state information. This makes Bro a very good intrusion detection system (IDS) and network analysis framework. For this reason, analysis around IDS is one of the most popular uses for Bro.

What are some examples of analysis around IDS? Often, investigations concerning intrusions are not just about the identification of the event, which can often be accomplished with signatures, but about identification of the details of events to help information security professionals zone in on specific problems and solutions. Because logs can be compromised during an event, logging outside a compromised system is important. For example, while DHCP services are being compromised, protocol-level analysis can be key to understanding the event.

Bro was originally developed in 1994 by Vern Paxson and was named in reference to George Orwell's Big Brother from his novel Nineteen Eighty-Four . Unix history buffs and computer science majors may recognize Paxson as the original author of flex, the fast lexical analyzer. In this article, I cover the architecture, installation, and use of Bro. Finally, I look at a DHCP compromise example.

Bro Architecture

Bro, like many network tools with a Unix or Linux heritage, uses the libpcap package as part of its architecture. With libpcap support, Bro can run on various networks; the typical Bro architecture is shown in Figure 1.

Figure 1: Bro network architecture.

Besides the portability gained by using libpcap, Bro can also be a passive network tool, which means it can act as a network tap or use a monitoring port on a switch without itself being a node with an assigned IP address on the monitored network. For the purposes of this article, I will not cover the specifics of the network tap; however, the basic step for carrying out the Bro configuration is to point Bro at the network interface that is being used for the network tap.

Once Bro receives an IP packet, its application architecture comes into play. Bro's event engine is responsible for accepting packets and converting them to events. The events are then forwarded to the policy script interpreter, which then creates outputs. Bro's application architecture can be represented as shown in Figure 2. Bro's outputs are further classified as actions, alerts, and logs, which I review shortly.

Figure 2: Bro application architecture.


Like most Linux solutions, Bro doesn't recreate the wheel for all of its functionality. It uses several pre-existing libraries. The capability to collect and parse Ethernet and IP traffic comes from libpcap [1]. Bro controls it with BroControl, which requires Bash and Python, as well as the BIND 8 and libz libraries. The latest dependencies and high-level instructions for Bro can be referenced at the Bro website [2].

The installation instructions I cover here are based on a CentOS 6.5 Linux distribution. (Note: At the time of publication, CentOS 7 still has a missing dependency for the Python libraries.) The latest Bro packages are included in source and binary form [3]. On CentOS, I download the Bro full install with:

# wget https://www.bro.org/downloads/release/Bro-2.3.1-Linux-x86_64.rpm

Next, I install the Bro RPM package with:

# rpm -ivh Bro-2.3.1-Linux-x86_64.rpm

After the installation completes, Bro can be found in the /opt/bro/ directory, which contains the bin, etc, include, lib, and share subdirectories. To fire up Bro immediately, I use broctl:

# /opt/bro/bin/broctl
warning: cannot read '/var/opt/bro/spool/broctl.dat' \
  (this is ok on first run)
Welcome to BroControl 1.3
Type "help" for help.
[BroControl] >

As the message states, I can ignore the "cannot read" warning message during the first run.

Installing the Policy

At this point, I can install the standard Bro policies by executing the install command at the BroControl prompt:

[BroControl] > install
creating policy directories ... done.
installing site policies ... done.
generating standalone-layout.bro ... done.
generating local-networks.bro ... done.
generating broctl-config.bro ... done.
updating nodes ... done.

Now that a policy has been installed, the next step is to tell BroControl to start up a Bro instance with the start command:

[BroControl] > start
starting bro ...
[BroControl] >

Whenever Bro starts up, it starts its daemon to listen to all the traffic defined in its /opt/bro/etc/node.cfg file. This is eth0 by default. If I were setting up a host on another interface, then I would edit node.cfg to point to the appropriate interface.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

comments powered by Disqus
Subscribe to our ADMIN Newsletters
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs

Support Our Work

ADMIN content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.

Learn More”>


		<div class=