Part 1: Install/Setup Bro Cluster

In this blog series I am going to show you how to setup an effective Bro cluster. In future posts I hope to be tweaking Bro to produce better detection with custom rules and utilizing open threat intelligence feeds. Bro is the perfect solution for a homegrown IDS solution because it’s free and can be distributed. In my home network I have a DNS server and proxy server that I wish to monitor with Bro. Bro allows me to setup agents(workers) to monitor my DNS and proxy servers and forward data to a Bro manager for analysis.

Bro components and terminology

  • Bro notices – The Bro framework does not have a notion of alerts or good and bad. Bro leaves the discretion of alerts or “bad traffic” to the discretion of the user. Bro creates notices based on certain traffic whether it be bad traffic or anomalies in the network traffic.
  • Bro manager – Bro process that manages and updates Bro workers
  • Bro logger -Bro process that ingests logs from Bro workers.
  • Bro proxy – Bro proxy synchronizes variables and states across multiple Bro workers.
  • Bro worker – Bro process that sniffs network traffic and performs analysis on the traffic.

Bro cluster architecture

Install/Setup Bro cluster

Generate ssh keys on Bro manager

  1. ssh-keygen -b 4096 -t rsa -q -N “”
    1. Create an SSH key with no passphrase
  2. scp /home/bro/.ssh/ [email protected]<IP addr of worker>:/root

Install/Setup Bro on Centos 7 as manager

Install/Setup Bro on Centos 7 as manager

  1. yum install cmake make gcc gcc-c++ flex bison libpcap-devel openssl-devel python-devel swig zlib-devel -y
  2. cd /opt
  3. git clone –recursive git://
  4. cd bro/
  5. ./configure && make && make install
  6. export PATH=/usr/local/bro/bin:$PATH
  7. echo “export PATH=/usr/local/bro/bin:$PATH” >> /etc/profile

Install/Setup Bro on Centos 7 as worker

Install/Setup Bro on Centos 7 as worker

  1. mkdir .ssh
  2. touch .ssh/authorized_keys
  3. chmod 600 .ssh/authorized_keys
  4. cat >> .ssh/authorized_keys
  5. yum install cmake make gcc gcc-c++ flex bison libpcap-devel openssl-devel python-devel swig zlib-devel -y
  6. cd /opt
  7. git clone –recursive git://
  8. cd bro/
  9. ./configure && make && make install
  10. export PATH=/usr/local/bro/bin:$PATH
  11. echo “export PATH=/usr/local/bro/bin:$PATH” >> /etc/profile
  12. firewall-cmd –permanent –add-port=47760/tcp
  13. firewall-cmd –reload
  14. broctl install
  15. broctl start

Setup/configure Bro manager

  1. sed -i ‘8,11  s/^/#/’ /usr/local/bro/etc/node.cfg
    1. Comment outlines that make Bro a standalone worker
  2.  sed -i ‘20,30 s/^##*//’ /usr/local/bro/etc/node.cfg
    1. Uncomment lines to make Bro a manager
  3. vim /usr/local/bro/etc/node.cfg
    1. Set “host=<IP addr of Bro manager>” for [logger]
    2. Set “host=<IP addr of Bro manager>” for [manager]
    3. Set “host=<IP addr of Bro manager>” for [proxy-1]
    4. uncomment “[worker-x]” section
    5. Set “type=worker”
    6. Set “host=<IP addr of Bro worker-X>”
    7. Set “interface=<Interface of worker>”
    8. save, exit
  4. broctl install
  5. brotctl check
  6. broctl cron enable
  7. broctl start
  8. broctl deploy

Broctl commands

Status bro worker

  1. broctl status [worker-x]

Restart bro worker

  1. broctl restart [worker-x]



Leave a Reply

Your email address will not be published.