Comparing RPM versions

I wanted to compare rpms installed on my system with the Scientific Linux/CentOS repository rpms and update any existing rpm if there is large version difference. This is not usually needed as yum will automatically update the packages to its latest version! But, I was interested in finding out how a 'newer version' is determined when 'rpm -U' or 'yum localupdate' is executed.

After some google searches, I came across rpmdev-vercmp tool. This python based tool is a part of rpmdevtools rpm package. This tool requires that you should know epoch, version and release information for each rpm you need to compare.

You can find out this information for any package using:

#rpm -qa --queryformat "'%{NAME}' '%{EPOCH}:%{VERSION}' '%{RELEASE}' '%{ARCH}'\n" |grep package_name

If you wish to know all the query tags, use the following command:
#rpm --querytags

This information extracted needs to be compared with latest rpms from linux repositories and rpmdev-vercmp tool comes in handy. Otherwise, you have to make string comparisons and there is a chance that you might miss a use-case in your code!! So, I decided to use rpmdev-vercmp utility without hesitation.

$ rpmdev-vercmp --help

rpmdev-vercmp <epoch1> <ver1> <release1> <epoch2> <ver2> <release2>
rpmdev-vercmp <EVR1> <EVR2>
rpmdev-vercmp # with no arguments, prompt

Exit status is 0 if the EVR's are equal, 11 if EVR1 is newer, and 12 if EVR2
is newer.  Other exit statuses indicate problems.

$ rpmdev-vercmp audit-2.2-2.el6.i686 audit-2.2-2.el6.i686
These are equal



Useful links:

1. http://www.faqssys.info/bash-script-to-verify-that-an-rpm-is-at-least-at-a-given-version/
2. http://utcc.utoronto.ca/~cks/space/blog/linux/RPMShellVersionComparison

Installation of BRO IDS on CentOS

I am using snort IDS for a long time and it generates a lot of useful alerts for malicious activities on my PC. Further, I have heard good things about BRO IDS and wanted to give a try. Bro offers a network analysis framework that is different from the typical IDS like snort.

Here are the steps for installation on CentOS 6.5 or higher linux machines:

1) # Install runtime dependencies.
# yum -y install libpcap openssl-libs bind-libs zlib bash python libcurl gawk GeoIP gperftools-libs

2) # Install the build dependencies.
# yum -y install libpcap-devel openssl-devel bind-devel zlib-devel cmake git perl libcurl-devel GeoIP-devel python-devel gperftools-devel swig

You may also require these libraries and so, install them in advance especially if you are compiling Bro from source tar.gz:

#yum -y install cmake make gcc gcc-c++ flex bison libpcap-devel openssl-devel #yum -y python-devel swig zlib-devel
# yum install jemalloc
# yum install jemalloc-devel
# yum install curl
# yum install libcurl-devel
# yum install GeoIP
# yum install GeoIP-devel
# yum install gperftools
# yum install ruby


3) Install  EPEL repository on the machine.

• EPEL 7: x86_64, ppc64, sources
• EPEL 6: i386, x86_64, ppc64, sources
• EPEL 5: i386, x86_64, ppc, sources 

4) Download and install rpm from Bro site- https://www.bro.org/download/index.html

Of course, if you wish, you can compile the Bro IDS from the source!!

By default, all Bro IDS related files are installed in /opt/bro.

5) Modify default path:
# export path /opt/bro/bin:$PATH

You can also add PATH=/opt/bro2/bin:$PATH to your ~/.profile file in your home directory to make the change permanent.

6) For basic configuration steps, please follow the documentation on the project page:

Using your favorite editor, please modify the following 3 files:
$ PREFIX  refers to the base of bro installation directory

•     $PREFIX/etc/node.cfg -> Configure the network interface to monitor (i.e. interface=eth0)

[admin@ids]$  cd /opt/bro

[admin@ids bro]$ cat etc/node.cfg
# Example BroControl node configuration.
#
# This example has a standalone node ready to go except for possibly changing
# the sniffing interface.

# This is a complete standalone configuration.  Most likely you will
# only need to change the interface.
[bro]
type=standalone
host=localhost
interface=eth0

•     $PREFIX/etc/networks.cfg -> Configure the local networks (i.e. 10.0.0.0/8 Private IP space )

[admin@ids bro]$ cat etc/networks.cfg
# List of local networks in CIDR notation, optionally followed by a
# descriptive tag.
# For example, "10.0.0.0/8" or "fe80::/64" are valid prefixes.

10.0.0.0/8          Private IP space
192.168.0.0/16      Private IP space

•     $PREFIX/etc/broctl.cfg -> Change the MailTo address and the log rotation

 The broctl.cfg file is where in recipient address for all emails send out by Bro and BroControl, and log rotation intervals among other features can be configured.

When you run bro for the first time, a warning may be reported. Please ignore.
# broctl
warning: cannot read '/var/bro/spool/broctl.dat' (this is ok on first run)

Welcome to BroControl 1.2

Type "help" for help.

[BroControl] >


# broctl
warning: cannot read '/var/bro/spool/broctl.dat' (this is ok on first run)

Welcome to BroControl 1.2

Type "help" for help.

[BroControl] >

 [root@ids bro]# broctl

Welcome to BroControl 1.3

Type "help" for help.

[BroControl] > help

BroControl Version 1.3

  capstats [<nodes>] [<secs>]      - Report interface statistics with capstats
  check [<nodes>]                  - Check configuration before installing it
  cleanup [--all] [<nodes>]        - Delete working dirs (flush state) on nodes
  config                           - Print broctl configuration
  cron [--no-watch]                - Perform jobs intended to run from cron
  cron enable|disable|?            - Enable/disable "cron" jobs
  df [<nodes>]                     - Print nodes' current disk usage
  diag [<nodes>]                   - Output diagnostics for nodes
  exec <shell cmd>                 - Execute shell command on all hosts
  exit                             - Exit shell
  install                          - Update broctl installation/configuration
  netstats [<nodes>]               - Print nodes' current packet counters
  nodes                            - Print node configuration
  peerstatus [<nodes>]             - Print status of nodes' remote connections
  print <id> [<nodes>]             - Print values of script variable at nodes
  process <trace> [<op>] [-- <sc>] - Run Bro (with options and scripts) on trace
  quit                             - Exit shell
  restart [--clean] [<nodes>]      - Stop and then restart processing
  scripts [-c] [<nodes>]           - List the Bro scripts the nodes will load
  start [<nodes>]                  - Start processing
  status [<nodes>]                 - Summarize node status
  stop [<nodes>]                   - Stop processing
  top [<nodes>]                    - Show Bro processes ala top
  update [<nodes>]                 - Update configuration of nodes on the fly
 
Commands provided by plugins:

  ps.bro [<nodes>]                 - Show Bro processes on nodes' systems


[BroControl] > cron enable
cron enabled
[BroControl] > install
creating policy directories ... done.
installing site policies ... done.
generating standalone-layout.bro ... done.
generating local-networks.bro ... done.
generating broctl-config.bro ... done.
updating nodes ... done.
[BroControl] >

[BroControl] > status
Name         Type       Host          Status    Pid    Peers  Started
bro          standalone localhost     stopped  
[BroControl] > start
starting bro ...
[BroControl] > status
Name         Type       Host          Status    Pid    Peers  Started
bro          standalone localhost     running   32206  0      04 Mar 12:21:47
[BroControl] >

 That's all!! Check the docs for more information.