Install Bro on CentOS 7.X/6.X

Required Dependencies

Bro requires following dependancies to work properly

  • Libpcap   (Package name=libpcap-devel)
  • OpenSSL libraries (openssl-devel)
  • BIND8 library (already installed in centos)
  • Libz (already install in centos)
  • Bash (for BroControl)
  • Python (for BroControl) (python-devel)

To build Bro from source following addition dependancies are required

Let us install all of above dependancies first

sudo yum install cmake make gcc gcc-c++ flex bison libpcap-devel openssl-devel python-devel swig zlib-devel perl

Optional Dependencies

Following are the optional dependancies, bro can make use of them if they are availble at build time

  • LibGeoIP (for geolocating IP addresses)
  • sendmail (enables Bro and BroControl to send mail)
  • gawk (enables all features of bro-cut)
  • curl (used by a Bro script that implements active HTTP)
  • gperftools (tcmalloc is used to improve memory and CPU usage)
  • ipsumdump (for trace-summary; http://www.cs.ucla.edu/~kohler/ipsumdump)
  • Ruby executable, library, and headers (for Broccoli Ruby bindings)

LibgeoIP

During the process of creating policy scripts the need may arise to find the geographic location for an IP address. Bro has support for the GeoIP library at the policy script level beginning with release 1.3 to account for this need. To use this functionality, you need to first install the libGeoIP software, and then install the GeoLite city database before building Bro.

Libgeoip allows bro to

sudo yum install GeoIP-devel

A country database for GeoIPLite is included when you do the C API install, but for Bro, we are using the city database which includes cities and regions in addition to countries.

Download the GeoLite city binary database.

wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
#unzip the database
gunzip GeoLiteCity.dat.gz

move data base to required diretory

 sudo mv GeoLiteCity.dat /usr/share/GeoIP/GeoIPCity.dat

Install gawk

GNU implementation of famous awk utility

sudo yum install gawk

Install gperftools(google performance tools)

Gperftools is a collection of a high-performance multi-threaded malloc() implementation, plus some pretty nifty performance analysis tools

sudo yum install gperftools

Ipsumdump

The ipsumdump program reads IP packets from one or more data sources, then summarizes those packets into a line-based ASCII file. The resulting summary dump is easy to process with text-based tools

#Download the latest version from here 
wget http://www.read.seas.harvard.edu/~kohler/ipsumdump/ipsumdump-1.85.tar.gz
tar -xvf ipsumdump-1.85.tar.gz
cd ipsumdump-1.85
./configure --prefix=/usr/
make 
sudo make install

Install Bro

Download the latest version from here

wget https://www.bro.org/downloads/release/bro-2.3.2.tar.gz
tar -xvf bro-2.3.2
./configure
make
sudo make install

by default bro will be install to /usr/local/bro/bin

Modifiy you PATH environment variable to include bro binaries

export PATH=/usr/local/bro/bin:$PATH

To make changes permanent add above line to ~/.bashrc file

Advertisements

One thought on “Install Bro on CentOS 7.X/6.X

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s