Bro is an amazing network traffic analysis system. Unfortunately, it is not as popular in information security as Snort, and frankly, I don't know why!
I wanted to install Bro with PF_RING to load-balance the traffic on a 10G link. Although the Bro manual details the steps, there are some missing links that cost me some time during installation. So, here are my notes:
Enable/Install the EPEL repository
========================
#wget http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
#rpm -ivh epel-release-6-8.noarch.rpm
The package is fetched over plain HTTP, so check its GPG signature against the EPEL key before installing it.
Upgrade cmake
==============
The cmake rpm in the CentOS 6/Scientific Linux 6 base repository is too old: cmake-2.6.4-5.el6.x86_64.
Bro requires cmake 2.8.1 or later, e.g. cmake-2.8.11.2-1.el6.x86_64, which EPEL ships as the cmake28 package.
Remove the existing cmake (2.6.4):
#yum remove cmake
Install cmake 2.8, pinning the build that actually contains the binaries (see the note below):
#yum install cmake28-2.8.11.2-1.el6.x86_64
Now create symbolic links so the unversioned names resolve to the 2.8 tools:
#ln -s /usr/bin/cmake28 /usr/bin/cmake
#ln -s /usr/bin/ccmake28 /usr/bin/ccmake
#ln -s /usr/bin/cpack28 /usr/bin/cpack
#ln -s /usr/bin/ctest28 /usr/bin/ctest
Note:
Don't blindly pull the newest cmake28 build from EPEL with a bare:
#yum install cmake28
That build (cmake28-2.8.12.2-2.el6.x86_64) is just a wrapper with a dependency on cmake26. Install the cmake28-2.8.11.2-1.el6.x86_64 package instead, and confirm the version that cmake --version reports before configuring Bro.
ipsumdump installation
======================
ipsumdump is not a Bro dependency, but it is a useful companion for summarising captures. Download ipsumdump-1.85.tar.gz from http://www.read.seas.harvard.edu/~kohler/ipsumdump/ and then:
#tar -zxvf ipsumdump-1.85.tar.gz
#cd ipsumdump-1.85
#./configure
#make && make install
Install Bro's build dependencies from the distribution repositories
===================================
#yum install kernel-devel kernel-headers -y
#yum install make autoconf automake gcc gcc-c++ flex bison libtool gawk swig -y
#yum install libpcap libpcap-devel openssl openssl-devel openssl-libs bind-libs python-devel zlib zlib-devel pcre-devel -y
#yum install numactl numactl-devel gperftools-libs gperftools-devel jemalloc jemalloc-devel GeoIP GeoIP-devel curl libcurl-devel -y
The kernel-devel and kernel-headers packages must match the running kernel exactly; see the note in the PF_RING section below before letting yum pick a version for you.
Set compiler and linker flags for the Python 2.7.10 build so it finds headers and libraries under /usr/local:
#export LDFLAGS=-L/usr/local/lib
#export CFLAGS=-I/usr/local/include
#export CPPFLAGS=-I/usr/local/include
#export LD_LIBRARY_PATH=/usr/local/lib
These variables stay exported for the rest of the shell session and are picked up by every later ./configure. Unset them (or start a fresh shell) before building PF_RING and Bro so those builds do not quietly link against whatever happens to sit in /usr/local/lib.
Python-2.7.10 installation
==========================
CentOS 6 ships Python 2.6 by default; Bro needs Python 2.7, at least for the Broccoli component.
Do not remove the existing Python: yum and many other packages depend on the 2.6 interpreter that comes with SL/CentOS, so removing it breaks the system.
Instead, install Python 2.7.x alongside the existing 2.6.6:
#wget http://www.python.org/ftp/python/2.7.10/Python-2.7.10.tgz
#tar -zxvf Python-2.7.10.tgz
#cd Python-2.7.10
#./configure --prefix=/usr/local --enable-unicode=ucs4 --enable-shared LDFLAGS="-Wl,-rpath /usr/local/lib"
#make
#make altinstall
altinstall installs the interpreter as /usr/local/bin/python2.7 and leaves /usr/bin/python pointing at 2.6, which is what keeps yum working.
#ln -s /usr/local/bin/python2.7 /usr/bin/python2.7
Make sure the directory holding the new interpreter is on the PATH (PATH entries are directories, not binaries; /usr/local/bin is usually there already):
#export PATH=$PATH:/usr/local/bin
If you run into compilation problems, these posts walk through the Python 2.7.10 build on CentOS 6:
- http://toomuchdata.com/2014/02/16/how-to-install-python-on-centos/
- https://github.com/h2oai/h2o-2/wiki/Installing-python-2.7-on-centos-6.3.-Follow-this-sequence-exactly-for-centos-machine-only
Now install the Python package manager, pip, so that you can install Python packages:
#wget https://bootstrap.pypa.io/get-pip.py
#python2.7 get-pip.py
get-pip.py is downloaded and then executed as root; look at what you fetched before running it.
If you are behind a local PyPI mirror (--trusted-host tells pip to accept that host without HTTPS verification, so use it only for an internal mirror you control):
#python2.7 get-pip.py --trusted-host=pypi-local-domain-hostname -i http://local-pypi-repo-url
pip is now installed as /usr/local/bin/pip2.7. Create a symbolic link:
#ln -s /usr/local/bin/pip2.7 /usr/bin/pip2.7
BroControl also needs the sqlite3 module under python2.7. The clean way to get it is to install the sqlite-devel package before running ./configure above, so that Python builds its own _sqlite3 extension. The shortcut used here instead copies the extension that ships with the system Python 2.6.6:
#cp /usr/lib64/python2.6/lib-dynload/_sqlite3.so /usr/local/lib/python2.7/sqlite3/
Treat that copy as a last resort: an extension built for 2.6 is not guaranteed to load under 2.7, and the sqlite3 package imports it as the top-level module _sqlite3, which Python looks for in lib-dynload rather than in the sqlite3/ package directory. Either way, check that import sqlite3 works under python2.7 before going further.
Now install the pysubnettree package that BroControl requires:
#pip2.7 install pysubnettree
On a local PyPI mirror:
#pip2.7 install pysubnettree --trusted-host=pypi-local-domain-hostname -i http://local-pypi-repo-url
Download, install and configure PF_RING
=========================================
Download the PF_RING source from http://www.ntop.org/get-started/download/#PF_RING
Now compile and install the userland libraries that come with PF_RING (its own libpcap is what Bro will link against later):
#cd /usr/src
#tar -zxvf PF_RING-6.0.3.tar.gz
#cd PF_RING-6.0.3/userland/lib
#./configure --prefix=/opt/pfring
#make
#make install
#cd ../libpcap
#./configure --prefix=/opt/pfring
#make
#make install
#cd ../tcpdump-4.1.1
#./configure --prefix=/opt/pfring
#make
#make install
Then build the kernel module (run the make step as a normal user and only the make install step as root):
#cd ../../kernel
#make
#make install
Note - the kernel-devel and kernel-headers rpms must match the running kernel (what uname -r prints) exactly, release number included; otherwise the module build fails in the make step.
e.g.
# rpm -qa |grep -i kernel
kernel-headers-2.6.32-431.1.2.el6.x86_64
kernel-devel-2.6.32-431.1.2.el6.x86_64
kernel-2.6.32-431.1.2.el6.x86_64
Find out the running kernel version and install the corresponding kernel-devel rpm from the CentOS/RHEL repository. Do not install kernel-devel blindly: yum will hand you the newest build, which may not be the kernel you booted, and the mismatch only shows up as build errors later. The module also has to be rebuilt and reinstalled after every kernel update.
Load the pf_ring module:
#modprobe pf_ring enable_tx_capture=0 min_num_slots=32768
or, straight from the build directory:
#insmod pf_ring.ko enable_tx_capture=0 transparent_mode=0 min_num_slots=32768
modprobe and insmod only load the module for the running session. To load it at boot with the same parameters, put them in an options line for pf_ring under /etc/modprobe.d/ and load the module from a startup script (on CentOS 6, a script under /etc/sysconfig/modules/). enable_tx_capture=0 keeps transmitted packets out of the ring, so a sensor interface only sees what arrives on the wire, and min_num_slots sizes the per-socket ring; too small a ring shows up as drops under 10G load.
Download, install and configure Bro
====================================
Download Bro from the Bro site - http://www.bro.org/download/index.html
#cd bro-2.4.1
#./configure --with-pcap=/opt/pfring --enable-debug --enable-perftools --enable-jemalloc
#make && make install
--with-pcap=/opt/pfring is the flag that matters: it builds Bro against PF_RING's libpcap instead of the system one, which is what lets the kernel spread flows across worker processes. --enable-debug produces an unoptimised binary with debug symbols; it is handy while you are getting the setup to work, but drop it for a sensor that has to keep up with 10G. Bro installs under /usr/local/bro by default.
To check the status of PF_RING
=========================
# modinfo pf_ring
# cat /proc/net/pf_ring/info
# lsmod |grep -i pf_ring
modinfo lists the parameters the module accepts, /proc/net/pf_ring/info shows the running configuration (ring slots, TX capture) and the active rings, and lsmod confirms the module is loaded.
If you wish to blacklist the pf_ring module:
echo "blacklist pf_ring" >> /etc/modprobe.d/blacklist.conf
Blacklisting only stops the module from being loaded automatically; an explicit modprobe pf_ring still loads it.
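A post-install sanity check that ties the steps above together, added here as an example; it is not a script from the original notes or from the Bro or ntop projects. It verifies the cmake version, that kernel-devel/kernel-headers match the running kernel, that the pf_ring module is loaded with the min_num_slots given above, that python2.7 can import sqlite3 and pysubnettree's SubnetTree module, and that the installed bro binary resolves libpcap from the PF_RING prefix. The /opt/pfring and /usr/local/bro paths, the "Ring slots" label parsed out of /proc/net/pf_ring/info, and the check-bro-pfring.sh file name are assumptions.

```shell
#!/bin/sh
# check-bro-pfring.sh: post-install sanity checks for the Bro + PF_RING build
# described above. Added example, not a script from the original notes or from
# the Bro/ntop projects. Assumed paths: PF_RING prefix /opt/pfring (as used
# above) and Bro's default prefix /usr/local/bro. Every check is a function
# returning 0 (ok) or 1 (problem); `sh check-bro-pfring.sh --run` runs them all.

PFRING_PREFIX=${PFRING_PREFIX:-/opt/pfring}
BRO_PREFIX=${BRO_PREFIX:-/usr/local/bro}
WANT_SLOTS=${WANT_SLOTS:-32768}    # the min_num_slots value passed to modprobe

# version_ge HAVE WANT: numeric dotted-version compare, so 2.8.11.2 >= 2.8.1
# holds and 2.6.4 >= 2.8.1 does not (a string compare gets 2.8.9 vs 2.8.11
# wrong). An rpm release suffix such as -1.el6.x86_64 is ignored.
version_ge() {
    have=${1%%-*}; want=${2%%-*}; i=1
    while :; do
        h=$(printf '%s' "$have" | cut -d. -f"$i" | tr -cd '0-9')
        w=$(printf '%s' "$want" | cut -d. -f"$i" | tr -cd '0-9')
        [ -z "$h" ] && [ -z "$w" ] && return 0   # ran out of components: equal
        [ "${h:-0}" -gt "${w:-0}" ] && return 0
        [ "${h:-0}" -lt "${w:-0}" ] && return 1
        i=$((i + 1))
    done
}

# kernel_pkgs_match RPM_LIST RUNNING: kernel-devel and kernel-headers must be
# installed for exactly the kernel that `uname -r` reports, otherwise the
# PF_RING module build fails as noted above. RPM_LIST is `rpm -qa` output.
kernel_pkgs_match() {
    for pkg in kernel-devel kernel-headers; do
        printf '%s\n' "$1" | grep -qxF "$pkg-$2" || return 1
    done
    return 0
}

# pf_ring_slots INFO_TEXT: the configured ring size from /proc/net/pf_ring/info.
# The "Ring slots" label is assumed from PF_RING 6.x output; adjust it if your
# version labels the line differently. Prints nothing when the line is absent.
pf_ring_slots() {
    printf '%s\n' "$1" | awk -F': *' '$1 ~ /^Ring slots/ { gsub(/[^0-9]/, "", $2); print $2; exit }'
}

# python_stack_ok: the python2.7 built above must import sqlite3 and
# pysubnettree (whose module is called SubnetTree); BroControl uses both.
python_stack_ok() {
    python2.7 -c 'import sqlite3, SubnetTree' >/dev/null 2>&1
}

# bro_uses_pfring_pcap BRO_PREFIX PFRING_PREFIX: bro must resolve libpcap from
# the PF_RING prefix. A bro that picked up the distro /usr/lib64/libpcap.so.1
# runs fine but captures without PF_RING, so the cluster silently loses its
# load balancing. This is the ldd check the Bro cluster docs recommend.
bro_uses_pfring_pcap() {
    ldd "$1/bin/bro" 2>/dev/null | grep libpcap | grep -q "$2/lib/"
}

report() { printf '%-4s %s\n' "$1" "$2"; }

run_all() {
    rc=0
    cm=$(cmake --version 2>/dev/null | awk 'NR == 1 { print $3 }')
    if version_ge "${cm:-0}" 2.8.1; then report ok "cmake $cm"
    else report FAIL "cmake version '$cm' is older than 2.8.1"; rc=1; fi

    if kernel_pkgs_match "$(rpm -qa 2>/dev/null)" "$(uname -r)"; then
        report ok "kernel-devel/kernel-headers match $(uname -r)"
    else report FAIL "kernel-devel/kernel-headers do not match $(uname -r)"; rc=1; fi

    if [ -r /proc/net/pf_ring/info ]; then
        slots=$(pf_ring_slots "$(cat /proc/net/pf_ring/info)")
        if [ "$slots" = "$WANT_SLOTS" ]; then report ok "pf_ring loaded with $slots ring slots"
        else report FAIL "pf_ring ring slots '$slots', wanted $WANT_SLOTS"; rc=1; fi
    else report FAIL "pf_ring not loaded (/proc/net/pf_ring/info missing)"; rc=1; fi

    if python_stack_ok; then report ok "python2.7 imports sqlite3 and SubnetTree"
    else report FAIL "python2.7 cannot import sqlite3 and SubnetTree"; rc=1; fi

    if bro_uses_pfring_pcap "$BRO_PREFIX" "$PFRING_PREFIX"; then
        report ok "$BRO_PREFIX/bin/bro links libpcap from $PFRING_PREFIX/lib"
    else report FAIL "bro does not link PF_RING libpcap (run: ldd $BRO_PREFIX/bin/bro)"; rc=1; fi
    return $rc
}

# Only touch the live system when asked, so the functions can be sourced and
# exercised with constructed input (e.g. a saved rpm -qa listing).
if [ "${1:-}" = "--run" ]; then
    run_all
fi
```

Run it with --run on the sensor after make install; a FAIL on the libpcap line is the one to chase first, because a Bro that links the distribution libpcap starts and logs normally while every worker sees the whole 10G stream.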
Once this is done, follow the Bro cluster setup instructions at:
https://www.bro.org/sphinx/configuration/index.html
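The load balancing this whole exercise is about is switched on in BroControl's node.cfg, which the cluster documentation linked above describes. The generator below is an added example, not from the original notes or from the Bro project: it writes a single-host cluster layout whose worker stanza splits one interface across several Bro processes with lb_method=pf_ring. The host address 10.0.0.1, the interface eth4, the eight processes, the CPU numbers and the gen-node-cfg.sh file name are placeholders.

```shell
#!/bin/sh
# gen-node-cfg.sh: emit a BroControl node.cfg that spreads one 10G interface
# across several Bro workers using PF_RING load balancing. Added example, not
# part of the original notes or of Bro; host, interface and CPU ids are
# placeholders. Usage: sh gen-node-cfg.sh > /usr/local/bro/etc/node.cfg

# cpu_list FIRST COUNT: comma-separated CPU ids for pin_cpus,
# e.g. cpu_list 2 4 -> 2,3,4,5
cpu_list() {
    first=$1; count=$2; out=""; n=0
    while [ "$n" -lt "$count" ]; do
        out="${out:+$out,}$((first + n))"
        n=$((n + 1))
    done
    printf '%s' "$out"
}

# pfring_worker NAME HOST IFACE PROCS FIRST_CPU: one worker stanza.
# lb_method=pf_ring makes BroControl start PROCS bro processes on IFACE that
# all join the same PF_RING cluster, so the kernel hashes each flow to exactly
# one of them; pin_cpus keeps every process on its own core. Without lb_method,
# each extra process would see the entire stream and analyse it twice.
pfring_worker() {
    cat <<EOF
[$1]
type=worker
host=$2
interface=$3
lb_method=pf_ring
lb_procs=$4
pin_cpus=$(cpu_list "$5" "$4")

EOF
}

# node_cfg HOST IFACE PROCS FIRST_CPU: a complete single-host cluster with a
# manager, one proxy and one load-balanced worker.
node_cfg() {
    cat <<EOF
[manager]
type=manager
host=$1

[proxy-1]
type=proxy
host=$1

EOF
    pfring_worker worker-1 "$1" "$2" "$3" "$4"
}

node_cfg 10.0.0.1 eth4 8 2
```

Pick lb_procs from how many cores you can spare after the manager, proxy and the NIC's interrupt handling; starting the pin at CPU 2 leaves cores 0 and 1 for those. BroControl assigns each load-balanced worker its own PF_RING cluster id starting from the PFRINGClusterID value in broctl.cfg, so two workers on the same host never share one by accident.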
Some interesting links for Bro PF_RING installation:
- http://ossectools.blogspot.in/2012/10/multi-node-bro-cluster-setup-howto.html
- https://thecomputersecurityblog.wordpress.com/2015/03/17/install-bro-on-centos-7-x6-x/
- http://mailman.icsi.berkeley.edu/pipermail/bro/2013-November/006269.html
- http://sickbits.net/configuring-a-network-monitoring-system-sensor-w-pf_ring-on-ubuntu-server-1-04-part-1-interface-configuration/
- https://sathisharthars.wordpress.com/2014/05/07/installing-and-configuring-bro-nids-in-centos-6/
- https://github.com/h2oai/h2o-2/wiki/Installing-python-2.7-on-centos-6.3.-Follow-this-sequence-exactly-for-centos-machine-only