Using FreeBSD 12 RELEASE disc1
https://download.freebsd.org/ftp/releases/amd64/amd64/ISO-IMAGES/12.0/

Once the system is up, install the packages below.

# fetch ftp://ftp.freebsd.org/pub/FreeBSD/releases/amd64/12.0-RELEASE/src.txz
# tar -C / -xzvf src.txz

# portsnap fetch && portsnap extract

# pkg update -f && pkg upgrade && pkg install -y open-vm-tools sudo vim htop py27-pip git netmap lua51 gmake gzip bro

For additional system tuning, follow the steps at the link below.
https://calomel.org/freebsd_network_tuning.html

Add the following to /etc/rc.conf for the VMware guest services and the sniffer NIC, then reboot.

vmware_guest_vmblock_enable="YES"
vmware_guest_vmhgfs_enable="NO"
vmware_guest_vmmemctl_enable="YES"
vmware_guest_vmxnet_enable="YES"
vmware_guestd_enable="YES"
/sbin/ifconfig em1 -rxcsum -rxcsum6 -txcsum -txcsum6 -tso -tso4 -tso6 -lro -vlanhwcsum -vlanhwtso promisc up
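As an added check (an example script, not part of the original post), the POSIX shell function below parses ifconfig(8) output for the sniffer NIC and reports any hardware offload still enabled or a missing PROMISC flag, so you can confirm the rc.conf line above actually took effect after the reboot. The two ifconfig outputs it is fed are constructed for the example, not captured from a real host.

```sh
#!/bin/sh
# Verify that a sniffer NIC, as shown by ifconfig(8), has hardware offloading
# disabled and promiscuous mode on. Offloads left on (checksum, TSO, LRO) hand
# Bro coalesced or unfinished frames, which show up as checksum errors and gaps.

# Offload capabilities that must NOT appear in the options=<...> list.
FORBIDDEN_OPTS="RXCSUM TXCSUM RXCSUM_IPV6 TXCSUM_IPV6 TSO4 TSO6 LRO VLAN_HWCSUM VLAN_HWTSO"

# Print the comma-separated contents of <...> on the interface's options= line.
nic_options() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*options=[0-9a-f]*<\(.*\)>.*/\1/p'
}

# Print the comma-separated contents of <...> on the interface's flags= line.
nic_flags() {
    printf '%s\n' "$1" | sed -n 's/^[^:]*: flags=[0-9a-f]*<\(.*\)>.*/\1/p'
}

# Return 0 when the interface is ready for Bro on netmap, 1 otherwise,
# printing one line per problem found.
check_sniffer_nic() {
    opts=",$(nic_options "$1"),"
    flags=",$(nic_flags "$1"),"
    rc=0
    for o in $FORBIDDEN_OPTS; do
        case "$opts" in
            *",$o,"*) echo "offload still enabled: $o"; rc=1 ;;
        esac
    done
    case "$flags" in
        *",PROMISC,"*) ;;
        *) echo "interface not in promiscuous mode"; rc=1 ;;
    esac
    return $rc
}

# Constructed ifconfig output (not captured from a real host): typical
# em(4) defaults after boot, before the rc.conf line has run.
BEFORE='em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=81009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO>
    status: active'

# Constructed output after the offloads are stripped and promisc is set.
AFTER='em1: flags=28943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC> metric 0 mtu 1500
    options=800018<VLAN_MTU,VLAN_HWTAGGING,NETMAP>
    status: active'

# On the sensor itself: check_sniffer_nic "$(ifconfig em1)"
check_sniffer_nic "$BEFORE" || echo "em1: fix needed before starting Bro"
check_sniffer_nic "$AFTER" && echo "em1: ready for netmap"
```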

Bro config files are in /usr/local/etc
Executables are in /usr/local/bin
Logs by default are in /usr/local/logs
Modify /usr/local/etc/broctl.cfg and networks.cfg to your liking

Configure the workers in /usr/local/etc/node.cfg

[logger]
type=logger
host=localhost
#
[manager]
type=manager
host=localhost
#
[proxy-1]
type=proxy
host=localhost
#
[worker-1]
type=worker
host=localhost
interface=netmap:em1
lb_method=custom
lb_procs=8

Run a broctl check and then a broctl install.

# broctl check
Warning: state database needs updating (run the broctl "deploy" command)
logger scripts are ok.
manager scripts are ok.
proxy-1 scripts are ok.
worker-1-1 scripts are ok.
worker-1-2 scripts are ok.
worker-1-3 scripts are ok.
worker-1-4 scripts are ok.

# broctl install
removing old policies in /usr/local/spool/installed-scripts-do-not-touch/site …
removing old policies in /usr/local/spool/installed-scripts-do-not-touch/auto …
creating policy directories …
installing site policies …
generating cluster-layout.bro …
generating local-networks.bro …
generating broctl-config.bro …
generating broctl-config.sh

Add entries to crontab, enable bro cron, and set startup in /etc/rc.conf

# crontab -e
*/5 * * * * /usr/local/bin/broctl cron

# broctl cron enable

Add to /etc/rc.conf:
bro_enable="YES"

Reboot, install bro-pkg, and install a few packages with it.

# pip install bro-pkg
# bro-pkg autoconfigure
# bro-pkg install dns-tunnels file-extraction add-node-names intel-extensions intel-seen-more bro-doctor ja3 domain-tld

# echo "@load packages" >> /usr/local/share/bro/site/local.bro

# broctl deploy
Categories: Security
