Bro IDS Install

These installs are on the latest CentOS6 as of October 2014.

First we have to install PF_RING to take advantage of the performance boost and to load balance bro processes.  Bro is not multithreaded.

Package Prerequisites:

sudo yum install subversion cmake make gcc gcc-c++ flex bison libpcap-devel openssl-devel python-devel swig zlib-devel git numactl numactl-devel svn java-1.7.0-openjdk httpd-tools

Install PF_RING

Please see this link for additional details: https://www.bro.org/documentation/load-balancing.html

Download the latest PF_RING:

svn export https://svn.ntop.org/svn/ntop/trunk/PF_RING/ pfring-svn-latest

Compile and install

cd pfring-svn-latest/kernel
make && sudo make install
cd ../userland/lib
./configure –prefix=/opt/pfring && make && sudo make install
cd ../libpcap-1.1.1-ring
./configure –prefix=/opt/pfring && make && sudo make install
cd ../tcpdump-4.1.1
./configure –prefix=/opt/pfring && make && sudo make install

Load the pf_ring kernel module:

modprobe pf_ring enable_tx_capture=0 min_num_slots=32768

Add modprobe pf_ring enable_tx_capture=0 min_num_slots=32768 to /etc/rc.local to load the module on boot.

Disable SELinux

Set SELINUX=disabled in /etc/sysconfig/selinux.

Configure and install Bro using the following commands:

export LDFLAGS="-Wl,--no-as-needed -lrt"

export LIBS="-lrt -lnuma"

./configure --with-pcap=/opt/pfring --prefix=/opt/bro && make && make install

ldd /usr/local/bro/bin/bro | grep pcap
        libpcap.so.1 => /opt/pfring/lib/libpcap.so.1

This will install bro to /opt/bro.  All configs are in /opt/bro/etc.  Executables are in /opt/bro/bin.  Scripts are under /opt/bro/share.  Log files, however are under /var/opt/bro/logs/.  The current logs are under the current directory.  A cron job that we implement below will rotate the logs every hour to a directory named after the respective day.  These logs are gzipped and can be read with tools like zcat.


Add the following to /etc/sudoers so you can sudo broctl when you need to.

Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/opt/bro/bin

Edit /opt/bro/etc/node.cfg.  Change YOURIP to your IP address of eth0.

[worker-1]
type=worker
host=YOUR IP
interface=eth1
lb_method=pf_ring
lb_procs=16 ###This may vary depending on how many cpu cores you have and want to set. 
pin_cpus=0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 ###This may vary depending on the setting above.

[manager]
type=manager
host=YOUR IP

[proxy-1]
type=proxy
host=YOUR IP

Edit /opt/bro/etc/networks.cfg and add your home nets.

10.0.0.0/8          Private IP space
192.168.0.0/16      Private IP space

Run sudo broctl

Execute install, and then start.  If there are any errors run diag.

[BroControl] > install
removing old policies in /var/opt/bro/spool/installed-scripts-do-not-touch/site … done.
removing old policies in /var/opt/bro/spool/installed-scripts-do-not-touch/auto … done.
creating policy directories … done.
installing site policies … done.
generating cluster-layout.bro … done.
generating local-networks.bro … done.
generating broctl-config.bro … done.
updating nodes … done.

[BroControl] > start
starting manager …
starting proxy-1 …
starting worker-1-2 …
starting worker-1-1 …

[BroControl] > status
Name         Type    Host             Status    Pid    Peers  Started
manager      manager 192.168.217.69   running   2661   3      23 Sep 13:31:51
proxy-1      proxy   192.168.217.69   running   2824   3      23 Sep 13:31:54
worker-1-1   worker  192.168.217.69   running   2994   2      23 Sep 13:31:56
worker-1-2   worker  192.168.217.69   running   2995   2      23 Sep 13:31:56

[BroControl] >

Set bro to run on startup.
Add /opt/bro/bin/broctl start to /etc/rc.local.

Add a cron job to archive log files after one hour.  Add “0-59/5 * * * * /opt/bin/broctl cron” to /etc/crontab.

Install GNU Parallel

wget http://ftp.gnu.org/gnu/parallel/parallel-latest.tar.bz2

bzip2 –d parallel-latest.tar.bz2

tar –xvf parallel-*.tar

cd parallel-{tab}

./configure && make && make install