This image contains Bro 2.4 with working BroCtl.
docker run -it --cap-add=NET_RAW broplatform/brolive bash
This repo will always contain the latest stable Bro release for training
To be used with the following project: 
Our training environment is designed to have users SSH into a host system which
runs and places them into a container based on the Brolive Docker image.
Then each user will have their own environment to play with Bro, including a mounted directory
of Bro exercises and PCAP files. This alleviates the burden of passing around, or downloading, and configuring VM's of Bro which in our experience takes too much time, being slow, and a few people always have a few issues that put them behind everyone else. We can enhance the experience at conference training events whereby attendees only need an SSH client by a container based platform for training.
To replicate our Bro Live! training system 3 things must be completed:
- ISLET must be installed  including dependencies
- This Docker image (broplatform/brolive) must be installed
- The host system running the Docker daemon (1.2.0+) must be configured to use it
Begin with a fresh Ubuntu machine. The following commands will install latest Docker, ISLET, and the BroLive Docker image.
apt-get install sqlite make
git clone https://github.com/jonschipp/islet && cd islet && make bro-training
Password: demo - Replace with your server's ip or domain name.
Conferences and training events typically span multiple days like in the case of BroCon.
Because of this it's desirable to keep the user's work in their container for the duration of the event. Our account management system allows them to re-attach to their container in an automated fashion. Once the conference ends, the container is automatically removed from the system.
- By nature, the containers are isolated environments, similar in nature to VM's.
- Containers and users are removed after a period of time (e.g. conference duration)
- System resources are limited per container to prevent selfishness and abuse
- Networking is disabled in each container, preventing network attacks against other hosts
- Each container is limited in size (possible when using devicemapper storage backend)
This page will be updated frequently in the next week in preparation for BroCon.
For configuring the host system please see the project's documentation:
The image has the following additional software installed over the base ubuntu docker image:
- Bro 2.4
- wget and gawk
- tmux and screen
- vim, emacs, and nano
- Shell helper functions for Bro e.g. bro-grep, bro-column, etc.
- Unprivileged user account named demo is used by student (via ISLET)
- Bro is installed in /opt/bro
- Students can use Bro in online and offline mode (-r, -i <int>)
- Students can use BroCtl (e.g. broctl install, broctl start)
- Linux capabilities are used so the demo user is able to sniff (NET_RAW)
To start Bro via BroCtl the student must be instructed to edit /opt/bro/etc/node.cfg and to replace the interface with the name of the one that’s available in the container. If networking is disabled in the container (default) then they should choose the loopback interface.