These installs are on the latest CentOS6 as of October 2014.
First we have to install PF_RING to take advantage of the performance boost and to load balance bro processes. Bro is not multithreaded.
Package Prerequisites:
sudo yum install subversion cmake make gcc gcc-c++ flex bison libpcap-devel openssl-devel python-devel swig zlib-devel git numactl numactl-devel svn java-1.7.0-openjdk httpd-tools
Install PF_RING
Please see this link for additional details: https://www.bro.org/documentation/load-balancing.html
Download the latest PF_RING:
svn export https://svn.ntop.org/svn/ntop/trunk/PF_RING/ pfring-svn-latest
Compile and install
cd pfring-svn-latest/kernel
make && sudo make install
cd ../userland/lib
./configure --prefix=/opt/pfring && make && sudo make install
cd ../libpcap-1.1.1-ring
./configure --prefix=/opt/pfring && make && sudo make install
cd ../tcpdump-4.1.1
./configure --prefix=/opt/pfring && make && sudo make install
Load the pf_ring kernel module:
modprobe pf_ring enable_tx_capture=0 min_num_slots=32768
Add modprobe pf_ring enable_tx_capture=0 min_num_slots=32768 to /etc/rc.local to load the module on boot.
Disable SELinux
Set SELINUX=disabled in /etc/sysconfig/selinux.
Configure and install Bro using the following commands:
export LDFLAGS="-Wl,--no-as-needed -lrt"
export LIBS="-lrt -lnuma"
./configure --with-pcap=/opt/pfring --prefix=/opt/bro && make && make install
Verify that the installed bro binary is linked against the PF_RING libpcap rather than the system one:
ldd /opt/bro/bin/bro | grep pcap
libpcap.so.1 => /opt/pfring/lib/libpcap.so.1
This will install bro to /opt/bro. All configs are in /opt/bro/etc. Executables are in /opt/bro/bin. Scripts are under /opt/bro/share. Log files, however, are under /var/opt/bro/logs/. The live logs are in the current subdirectory there. A cron job that we implement below will rotate the logs every hour to a directory named after the respective day. These logs are gzipped and can be read with tools like zcat.
Add the following to /etc/sudoers so you can sudo broctl when you need to.
Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/opt/bro/bin
Edit /opt/bro/etc/node.cfg. Change YOUR IP to the IP address of eth0.
[worker-1]
type=worker
host=YOUR IP
interface=eth1
lb_method=pf_ring
lb_procs=16 ###This may vary depending on how many cpu cores you have and want to set.
pin_cpus=0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 ###This may vary depending on the setting above.
[manager]
type=manager
host=YOUR IP
[proxy-1]
type=proxy
host=YOUR IP
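A sanity check for the worker layout in node.cfg, added here as example code (it is not from the original post or from Bro itself): it parses node.cfg with awk and confirms that lb_procs equals the number of pin_cpus entries and that no pinned CPU id is beyond the core count you pass in, so a copy-pasted 16-core layout is caught before broctl start on a smaller box. The sample config and the 192.0.2.10 address are constructed.

```shell
# Sanity check for the node.cfg worker layout (example code, not from the
# original post). Real use: check_node_cfg /opt/bro/etc/node.cfg "$(nproc)"
# cfg_get <file> <section> <key>: print the value of key inside [section],
# with any trailing ### comment and surrounding whitespace stripped.
cfg_get() {
    awk -v s="$2" -v k="$3" '
        /^\[/ { in_s = ($0 == "[" s "]"); next }
        in_s && index($0, k "=") == 1 {
            v = substr($0, length(k) + 2)
            sub(/#.*/, "", v); gsub(/[ \t]/, "", v); print v; exit }' "$1"
}
# check_node_cfg <file> <cores>: one line per worker; returns 1 on any problem.
check_node_cfg() {
    cfg="$1"; cores="$2"; rc=0
    # Names of all sections whose type is worker.
    workers=$(awk '/^\[/ { sec = substr($0, 2, length($0) - 2) }
                   /^type[ \t]*=[ \t]*worker/ { print sec }' "$cfg")
    for w in $workers; do
        procs=$(cfg_get "$cfg" "$w" lb_procs)
        cpus=$(cfg_get "$cfg" "$w" pin_cpus)
        ncpus=$(printf '%s\n' "$cpus" | awk -F, '{ n = ($0 == "") ? 0 : NF; print n }')
        maxcpu=$(printf '%s\n' "$cpus" | tr ',' '\n' | sort -n | tail -n 1)
        if [ "$procs" != "$ncpus" ]; then
            echo "$w: lb_procs=$procs but pin_cpus lists $ncpus cpus"; rc=1
        elif [ -n "$maxcpu" ] && [ "$maxcpu" -ge "$cores" ]; then
            echo "$w: pin_cpus uses cpu $maxcpu but only cpus 0-$((cores - 1)) exist"; rc=1
        else
            echo "$w: ok ($procs pf_ring processes pinned to $ncpus cpus)"
        fi
    done
    return $rc
}
# Constructed sample mirroring the node.cfg above (192.0.2.10 is a placeholder);
# written to a temp file whose path is printed.
sample_cfg() {
    f=$(mktemp); cat > "$f" <<'EOF'
[worker-1]
type=worker
host=192.0.2.10
interface=eth1
lb_method=pf_ring
lb_procs=16 ###This may vary depending on how many cpu cores you have
pin_cpus=0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
[manager]
type=manager
host=192.0.2.10
EOF
    echo "$f"
}
check_node_cfg "$(sample_cfg)" 16
```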
Edit /opt/bro/etc/networks.cfg and add your home nets.
10.0.0.0/8 Private IP space
192.168.0.0/16 Private IP space
Run sudo broctl
Execute install, and then start. If there are any errors, run diag.
[BroControl] > install
removing old policies in /var/opt/bro/spool/installed-scripts-do-not-touch/site … done.
removing old policies in /var/opt/bro/spool/installed-scripts-do-not-touch/auto … done.
creating policy directories … done.
installing site policies … done.
generating cluster-layout.bro … done.
generating local-networks.bro … done.
generating broctl-config.bro … done.
updating nodes … done.
[BroControl] > start
starting manager …
starting proxy-1 …
starting worker-1-2 …
starting worker-1-1 …
[BroControl] > status
Name Type Host Status Pid Peers Started
manager manager 192.168.217.69 running 2661 3 23 Sep 13:31:51
proxy-1 proxy 192.168.217.69 running 2824 3 23 Sep 13:31:54
worker-1-1 worker 192.168.217.69 running 2994 2 23 Sep 13:31:56
worker-1-2 worker 192.168.217.69 running 2995 2 23 Sep 13:31:56
[BroControl] >
Set bro to run on startup.
Add /opt/bro/bin/broctl start to /etc/rc.local.
Add a cron job to archive log files after one hour. Add "0-59/5 * * * * /opt/bro/bin/broctl cron" to /etc/crontab.
Install GNU Parallel
wget http://ftp.gnu.org/gnu/parallel/parallel-latest.tar.bz2
bzip2 -d parallel-latest.tar.bz2
tar -xvf parallel-*.tar
cd parallel-{tab}
./configure && make && make install