A try of Bro on an ESXi ubuntu virtual machine (2 NICs) with GeoIP and PF_RING dependencies.


A powerful network analysis framework Originally written by Vern Paxson (Professor of Computer Science at Berkeley), It works with scripts and has support for clustering for high throughput environments. It is actually a very powerful complement to Snort.


For our test we need to add a masquerade in iptables between the 2 NICs to make NAT. To do this you need to be logged in root (sudo su).


Tell the kernel that you want to allow IP forwarding.


$ echo 1 > /proc/sys/net/ipv4/ip_forward

Iptables commands


$ /sbin/iptables -t nat -A POSTROUTING -o ens192 -j MASQUERADE
$ /sbin/iptables -A FORWARD -i ens192 -o ens160 -m state --state RELATED,ESTABLISHED -j ACCEPT
$ /sbin/iptables -A FORWARD -i ens160 -o ens192 -j ACCEPT

Add these two lines to allow  ssh


$ /sbin/iptables -A INPUT -i ens192 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
$ /sbin/iptables -A OUTPUT -o ens192 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

Install the ubuntu package iptables-persistent to keep rules after reboot


$ apt-get install iptables-persistent

If you make any changes to the rules, run the following commands so you don’t lose them during a system reboot.


$ netfilter-persistent save
$ netfilter-persistent reload

Last step, edit the /etc/sysctl.conf file


# Uncomment the next line to enable packet forwarding for IPv4

To show masquerade rule in iptable you can use the command


$ iptables -L -v -n | more

Bro required Dependencies


$ sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev checkinstall lnav


Optional Dependencies


$ sudo apt-get install sendmail libgeoip-dev curl libgoogle-perftools-dev

Information: For the install I suggest you to create a bro_install folder and put every download inside.


GeoIPLite Database Installation


For the full install documention, it’s here GeoIP


$ wget https://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
$ gunzip GeoLiteCity.dat.gz
$ sudo mv GeoLiteCity.dat /usr/share/GeoIP/GeoIPCity.dat
$ wget https://geolite.maxmind.com/download/geoip/database/GeoLiteCityv6-beta/GeoLiteCityv6.dat.gz
$ gunzip GeoLiteCityv6.dat.gz
$ sudo mv GeoLiteCityv6.dat /usr/share/GeoIP/GeoIPCityv6.dat



$ git clone https://github.com/ntop/PF_RING.git
$ cd PF_RING/userland/lib
$ ./configure --prefix=/opt/pfring 
$ make
$ sudo checkinstall


 Done. The new package has been installed and saved to


 You can remove it from your system anytime using:

      dpkg -r lib


$ cd ../libpcap
$ ./configure --prefix=/opt/pfring
$ make
$ sudo checkinstall


 Done. The new package has been installed and saved to


 You can remove it from your system anytime using:

      dpkg -r libpcap


$ cd ../tcpdump
$ ./configure --prefix=/opt/pfring
$ make
$ sudo checkinstall


 Done. The new package has been installed and saved to


 You can remove it from your system anytime using:

      dpkg -r tcpdump


$ cd ../../kernel
$ ./configure --prefix=/opt/pfring
$ make
$ sudo checkinstall

Enter a number to change any of them or press ENTER to continue: 3
Enter new version:
>> 6.5.0


 Done. The new package has been installed and saved to


 You can remove it from your system anytime using:

      dpkg -r kernel


$ sudo modprobe pf_ring enable_tx_capture=0 min_num_slots=32768



full install documentation


$ cd ~/bro_install
$ git clone --recursive git://git.bro.org/bro
$ cd bro
$ ./configure --with-pcap=/opt/pfring
$ make
$ sudo checkinstall


 Done. The new package has been installed and saved to


 You can remove it from your system anytime using:

      dpkg -r bro


Configure the environment variable


Edit the /etc/environment file to add the value /usr/local/bro to the path. do the same thing in ~/.profile file.


Warning! This will not work for sudo command.


$ sudo vim /etc/environment


$ vim ~/.profile


export also like this (or reboot to take effect)


$ export PATH=$PATH:/usr/local/bro/bin

Testing GeoIPLite


Check if the GeoIP functionality works by running this command



$ bro -e "print lookup_location(;"

Configure PF_RING


Print shared library dependencies to see if correctly linked to pf_ring-aware libpcap


$ ldd /usr/local/bro/bin/bro | grep pcap
        libpcap.so.1 => /usr/local/lib/libpcap.so.1 (0x00007fa371e33000)
Show information about the Linux Kernel module pf_ring to see if present


$ modinfo pf_ring

filename: /lib/modules/4.4.0-62-generic/kernel/net/pf_ring/pf_ring.ko
alias: net-pf-27
version: 6.5.0
description: Packet capture acceleration and analysis
author: ntop.org
license: GPL
srcversion: 414F094C8FD5E8D55A89517
vermagic: 4.4.0-62-generic SMP mod_unload modversions
parm: min_num_slots:Min number of ring slots (uint)
parm: perfect_rules_hash_size:Perfect rules hash size (uint)
parm: enable_tx_capture:Set to 1 to capture outgoing packets (uint)
parm: enable_frag_coherence:Set to 1 to handle fragments (flow coherence) in clusters (uint)
parm: enable_ip_defrag:Set to 1 to enable IP defragmentation(only rx traffic is defragmentead) (uint)
parm: quick_mode:Set to 1 to run at full speed but with upto one socket per interface (uint)
parm: force_ring_lock:Set to 1 to force ring locking (automatically enable with rss) (uint)
parm: enable_debug:Set to 1 to enable PF_RING debug tracing into the syslog, 2 for more verbosity (uint)
parm: transparent_mode:(deprecated) (uint)

Edit the file node.cfg in /usr/local/bro/etc/ with







An interactive shell for easily operating/managing installations. Warning! BroControl work only in standalone mode, for this part you can comment the pf_ring part of node.cfg


Basic configuration


Go in /usr/local/bro/etc/ directory. Set the right interface to monitor (node.cfg). Comment out the default settings, add the networks that Bro will consider local to the monitored environment (networks.cfg). Change the email address and the LogRotationInterval if needed (broctl.cfg).


Start the BroControl (perform an initial installation for the first time)


$ broctl

[BroControl] > install
[BroControl] > start

To stop this instance use the stop command and exit to close the instance.


Log files


The logs are stored in /usr/local/bro/logs/ directory. current contain the live logs (suggest to open a new ssh connection to the server to take a look to the different files) and the history are in the other directories.


Monitoring Live Traffic


Edit /usr/local/bro/share/bro/site/local.bro and made change/add value to look like this:


##! Local site policy. Customize as appropriate.
##! This file will not be overwritten when upgrading or reinstalling!

# This script logs which scripts were loaded during each run.
@load misc/loaded-scripts

# Apply the default tuning scripts for common tuning settings.
@load tuning/defaults

# Estimate and log capture loss.
@load misc/capture-loss

# Enable logging of memory, packet and lag statistics.
@load misc/stats

# Load the scan detection script.
@load misc/scan

# Detect traceroute being run on the network. This could possibly cause
# performance trouble when there are a lot of traceroutes on your network.
# Enable cautiously.
#@load misc/detect-traceroute

# Generate notices when vulnerable versions of software are discovered.
# The default is to only monitor software found in the address space defined
# as "local". Refer to the software framework's documentation for more
# information.
@load frameworks/software/vulnerable

# Detect software changing (e.g. attacker installing hacked SSHD).
@load frameworks/software/version-changes

# This adds signatures to detect cleartext forward and reverse windows shells.
@load-sigs frameworks/signatures/detect-windows-shells

# log the version of Windows.
@load frameworks/software/windows-version-detection

# Load all of the scripts that detect software in various protocols.
@load protocols/ftp/software
@load protocols/smtp/software
@load protocols/ssh/software
@load protocols/ssh/geo-data
@load protocols/http/software
@load protocols/http/software-browser-plugins
@load protocols/mysql/software
# The detect-webapps script could possibly cause performance trouble when
# running on live traffic. Enable it cautiously.
@load protocols/http/detect-webapps

# This script detects DNS results pointing toward your Site::local_nets
# where the name is not part of your local DNS zone and is being hosted
# externally. Requires that the Site::local_zones variable is defined.
@load protocols/dns/detect-external-names

# Script to detect various activity in FTP sessions.
@load protocols/ftp/detect

# Scripts that do asset tracking.
@load protocols/conn/known-hosts
@load protocols/conn/known-services
@load protocols/ssl/known-certs

# This script enables SSL/TLS certificate validation.
@load protocols/ssl/validate-certs

# This script prevents the logging of SSL CA certificates in x509.log
@load protocols/ssl/log-hostcerts-only

# Uncomment the following line to check each SSL certificate hash against the ICSI
# certificate notary service; see https://notary.icsi.berkeley.edu .
# @load protocols/ssl/notary

# If you have libGeoIP support built in, do some geographic detections and
# logging for SSH traffic.
@load protocols/ssh/geo-data
# Detect hosts doing SSH bruteforce attacks.
@load protocols/ssh/detect-bruteforcing
# Detect logins using "interesting" hostnames.
@load protocols/ssh/interesting-hostnames

# Detect SQL injection attacks.
@load protocols/http/detect-sqli

#### Network File Handling ####

# Enable MD5 and SHA1 hashing for all files.
@load frameworks/files/hash-all-files

# Detect SHA1 sums in Team Cymru's Malware Hash Registry.
@load frameworks/files/detect-MHR

# Uncomment the following line to enable detection of the heartbleed attack. Enabling
# this might impact performance a bit.
# @load policy/protocols/ssl/heartbleed

# Uncomment the following line to enable logging of connection VLANs. Enabling
# this adds two VLAN fields to the conn.log file.
# @load policy/protocols/conn/vlan-logging

# Uncomment the following line to enable logging of link-layer addresses. Enabling
# this adds the link-layer address for each connection endpoint to the conn.log file.
@load policy/protocols/conn/mac-logging

# Uncomment the following line to enable the SMB analyzer. The analyzer
# is currently considered a preview and therefore not loaded by default.
# @load policy/protocols/smb

# Finds connections with protocols on non-standard ports with DPD.
@load frameworks/dpd/detect-protocols

# Logs in JSON by default.
@load tuning/json-logs


Analyzing live traffic from an interface (basic with json answer):


$ bro -i ens160 /usr/local/bro/share/bro/site/local.bro "Site::local_nets += { }"

Warning! all log files will be created in the directory where you launch the command.


Launch at startup (as systemd service)


It’s time to create a systemd service and control it with systemctl management tools. Create systemd service file at /lib/systemd/system/bro.service with the following contents:


Description=Bro: a powerful network analysis framework
After=syslog.target network.target

ExecStart=/usr/local/bro/bin/bro -i ens160 /usr/local/bro/share/bro/site/local.bro "Site::local_nets += { }"


We use the WorkingDirectory variable to specify the /usr/local/bro/logs/ current for our log files


Create a symbolic link and enable the service with systemctl

$ sudo ln -s /lib/systemd/system/bro.service /etc/systemd/system/multi-user.target.wants/bro.service
$ sudo systemctl daemon-reload
$ sudo systemctl enable bro.service

Start and Check the status


$ sudo service bro start
$ sudo service bro status

See you next time to realize a monitoring application of our live log datas in Angular, NodeJS and socket.io


Published by naxeladre

Follower of computing and technology evolution since November 29, 1972 (pong release)

Join the Conversation

1 Comment

Leave a comment

Your email address will not be published.