bits & Bytes

October 21, 2008

Running/Testing bro 1.4 with clustershell

Filed under: security — aashish @ 11:10 am

Bro 1.4 has changed significantly from the 1.3 release. This post is intended to get you up to speed on running Bro 1.4.

1) 1.4 has deprecated brolite and its scripts. In the 1.4 release, starting and stopping Bro has to be done via the Bro cluster manager, for which the following needs to be done:

a) Install the cluster module(s) from Robin's svn tree:

cd bro-1.4/aux/

svn checkout http://svn.icir.org/bro/branches/robin/work/aux/cluster cluster

[ Note: clustershell is still under development, so checking out source directly from the development tree can break things ]

b) Install the cluster in standalone mode (the following link also contains a fairly detailed description of how to check out the code and install bro-cluster):

http://www.icir.org/robin/bro-cluster/README.html#Standalone

Capturing data: 

1) Site-specific configuration settings are located in the ../etc/node.cfg and ../etc/network.cfg files.

Capture interface configuration is done in etc/node.cfg and looks like this:

[bro]
type=standalone
host=localhost
interface=bond0

Network address block(s) are configured in the network.cfg file.

Once you have configured node.cfg and network.cfg in the ../etc/ folder, you need to run the "../bin/cluster install" command to propagate the changes.

"cluster install" writes its changes to ../policy/<bro_version>/local/local.bro and ../policy/<bro_version>/local/local-networks.bro. Both of these files are auto-generated by the cluster install command.

2) Multiple network interfaces on your bro system

Cluster mode is not able to read multiple interfaces. In order to read multiple interfaces you will need to bond your current TX and RX interfaces. The following commands may be useful *:

modprobe bonding mode=0 miimon=100
ifconfig eth0 down
ifconfig eth1 down
ifconfig bond0 hw ether 00:11:22:33:44:55
ifconfig bond0 10.1.1.10 up
ifenslave bond0 eth0
ifenslave bond0 eth1
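As an added example, not from the original post or from the Bro project: a small POSIX shell preflight check that pulls the capture interface out of the [bro] section of node.cfg and confirms that it exists and, if it is a bond like the bond0 above, that it actually has slaves enslaved, before you run cluster install. The sysfs path argument and the sample config used with it are constructed so the check can be exercised offline.

```shell
#!/bin/sh
# Added preflight check for etc/node.cfg (not part of the original post or of Bro).
# The sysfs layout is taken from the optional second argument so the check can be
# exercised against a constructed tree; on a real host it defaults to /sys/class/net.

# cfg_get FILE SECTION KEY: print KEY's value from the [SECTION] block of an
# INI-style file such as node.cfg; prints nothing if the key is missing.
cfg_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ { s = $0; gsub(/[ \t]/, "", s); in_sec = (s == sec); next }
        in_sec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); print; exit
        }' "$1"
}

# check_node_cfg FILE [SYSFS_NET]: verify the standalone capture interface.
# Prints "ok" and returns 0 when the interface exists and, if it is a bond,
# actually has slaves; otherwise prints the reason and returns 1.
check_node_cfg() {
    cfg=$1
    sysnet=${2:-/sys/class/net}
    type=$(cfg_get "$cfg" bro type)
    iface=$(cfg_get "$cfg" bro interface)
    [ "$type" = standalone ] || { echo "type is '$type', expected standalone"; return 1; }
    [ -n "$iface" ] || { echo "no interface= key in [bro] section"; return 1; }
    [ -d "$sysnet/$iface" ] || { echo "interface $iface does not exist"; return 1; }
    # A bond with no enslaved ports is "up" but sees no traffic.
    slaves="$sysnet/$iface/bonding/slaves"
    if [ -f "$slaves" ] && [ ! -s "$slaves" ]; then
        echo "bond $iface has no slaves enslaved"
        return 1
    fi
    echo ok
}

# Usage: sh preflight.sh ../etc/node.cfg
if [ $# -gt 0 ]; then
    check_node_cfg "$1"
fi
```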

3) Remember the VLAN tags: if the data frames from your network taps carry VLAN tags, make sure you load vlan.bro in the ../policy/local/local.bro file.

Log location: 

In 1.4 the logs have moved to the ../spool/<node-name>/ folder instead of the ../logs folder. From version 1.4 onwards, the ../logs folder stores archived logs.

Policy files: 

In version 1.4 all the policy files are now in the policy folder. This is a transition from version 1.3, where site-specific policy files were recommended to be stored in the ../site folder. This release has eliminated the site folder, and all the site-specific policy files are now stored in the policy/<bro-version>/local/ folder.

Also, *all* the policies which need to be loaded are now specified in ../policy/<bro-version>/local/local.bro.

Porting current policy files to 1.4 

It is advisable to convert your local custom policy files into modules. That would compartmentalize your local policy files and their settings.

You may have to use module definitions along with the alerts. For example, HotEmailReciepient needs to be changed to SMTP::HotEmailReciepient in your notice action settings.

Problems encountered once bro is running

1) Bro is crashing:

Run ../bin/cluster diag to see the specific error.

2) Bro is consuming lots of CPU 

Try disabling some policy files. Ideally, disable unnecessary policy files one at a time to determine which one is the hog.

With version 1.4+ you should be able to change constants (and possibly global variables) with the "../bin/cluster update" command.

3) Configure the email address to send alarms to:

In the ../etc/cluster.cfg file, change "MailTo" to your desired email address.

MailTo = <email address>


* Reference: http://www.linuxhorizon.ro/bonding.html
