-
-
Save pnigos/7e3888ffcb646ae991633b69afce1a69 to your computer and use it in GitHub Desktop.
Bro-IDS
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ---------------------- | |
| NIC settings | |
| ---------------------- | |
| #turn off rx checksumming | |
| ethtool -K eth1 rx off | |
| # off tx checksumming | |
| ethtool -K eth1 tx off | |
| #turn off scatter-gather | |
| ethtool -K eth1 sg off | |
| #turn off tcp-segmentation-offload | |
| ethtool -K eth1 tso off | |
| #turn off generic-segmentation-offload | |
| ethtool -K eth1 gso off | |
| #turn off udp-fragmentation offload | |
| ethtool -K eth1 ufo off | |
| #turn off generic-receive-offload | |
| ethtool -K eth1 gro off | |
| # turn off large-receive-offload | |
| ethtool -K eth1 lro off | |
| # set the interface to 1000Mbps, full duplex | |
| ethtool -s eth1 speed 1000 duplex full | |
| # set MTU | |
| ifconfig eth1 mtu 1514 | |
| ifconfig eth1 up | |
| ----------------------------------------------- | |
| ifconfig - place eth1 in promiscous mode | |
| Rehat/CentOS - /etc/sysconfig/network-scripts/ifcfg-eth1 | |
| ------------------------------------------------ | |
| DEVICE=eth1 | |
| ONBOOT=yes | |
| TYPE=Ethernet | |
| BOOTPROTO=none | |
| NM_CONTROLLED=no | |
| IPV6_AUTOCONF=no | |
| # for CentOS 7 or later: ip link set ethX promisc on | |
| PROMISC=yes | |
| #IPADDR=10.0.0.2 | |
| #PREFIX=24 | |
| #GATEWAY=10.0.0.1 | |
| #DNS=10.0.0.1 | |
| ------------------------------- | |
| Add 'ifup-local' script in /sbin | |
| This scripts runs automatically once the ethernet 'eth1' interface is up. | |
| More details - http://xmodulo.com/how-to-run-startup-script-automatically-after-network-interface-is-up-on-centos.html | |
| ------------------------------- | |
| #!/bin/bash | |
| # File: /sbin/ifup-local | |
| # | |
| # This script is run after normal sysconfig network-script configuration | |
| # is performed on RHEL/CentOS-based systems. | |
| # | |
| # Parameters: | |
| # $1: network interface name | |
| # | |
| # Post ifup configuration for tuning capture interfaces | |
| # This is compatible with the ixgbe driver, YMMV | |
| # Change this to something like /tmp/ifup-local.log for troubleshooting | |
| #LOG=/dev/null | |
| LOG=/tmp/ifup-local.log | |
| case $1 in | |
| eth1) | |
| for i in rx tx sg tso ufo gso gro lro rxvlan txvlan | |
| do | |
| /usr/sbin/ethtool -K $1 $i off &>$LOG | |
| done | |
| /usr/sbin/ethtool -N $1 rx-flow-hash udp4 sdfn &>$LOG | |
| /usr/sbin/ethtool -N $1 rx-flow-hash udp6 sdfn &>$LOG | |
| /usr/sbin/ethtool -n $1 rx-flow-hash udp6 &>$LOG | |
| /usr/sbin/ethtool -n $1 rx-flow-hash udp4 &>$LOG | |
| /usr/sbin/ethtool -C $1 rx-usecs 10 &>$LOG | |
| /usr/sbin/ethtool -C $1 adaptive-rx off &>$LOG | |
| /usr/sbin/ethtool -G $1 rx 4096 &>$LOG | |
| # Disable ipv6 | |
| echo 1 > /proc/sys/net/ipv6/conf/$1/disable_ipv6 &>$LOG | |
| echo 0 > /proc/sys/net/ipv6/conf/$1/autoconf &>$LOG | |
| # Set promiscuous mode | |
| ip link set $1 promisc on &>$LOG | |
| # Just in case ipv6 is already on this interfaces, let's kill it | |
| ip addr show dev $1 | grep --silent inet6 | |
| if [ $? -eq 0 ] | |
| then | |
| ADDR=$(ip addr show dev $1 | grep inet6 | awk '{ print $2 }') | |
| ip addr del $ADDR dev $1 &>$LOG | |
| fi | |
| ;; | |
| *) | |
| # No post commands needed for this interface | |
| ;; | |
| esac | |
| ----------------------------------------------- | |
| Add executable permissions for ifup-local script | |
| ------------------------------------------------ | |
| chmod +x /sbin/ifup-local | |
| ------------------------------------ | |
| sysctl parameters tunning - /etc/sysctl.conf | |
| ------------------------------------ | |
| echo 'net.core.somaxconn = 20000' >> /etc/sysctl.conf | |
| echo 'net.core.wmem_max = 67108864' >> /etc/sysctl.conf | |
| echo 'net.core.rmem_max = 67108864' >> /etc/sysctl.conf | |
| echo 'net.core.netdev_max_backlog = 20000' >> /etc/sysctl.conf | |
| echo 'net.ipv4.tcp_max_tw_buckets = 262144' >> /etc/sysctl.conf | |
| echo 'net.ipv4.tcp_max_syn_backlog = 8096' >> /etc/sysctl.conf | |
| echo 'net.ipv4.tcp_timestamps = 1' >> /etc/sysctl.conf | |
| echo 'net.ipv4.tcp_window_scaling = 1' >> /etc/sysctl.conf | |
| echo 'net.ipv4.tcp_sack = 1' >> /etc/sysctl.conf | |
| echo 'net.ipv4.tcp_retrans_collapse = 1' >> /etc/sysctl.conf | |
| echo 'net.ipv4.tcp_max_syn_backlog = 8096' >> /etc/sysctl.conf | |
| echo 'net.ipv4.ip_local_port_range = 16384 61000' >> /etc/sysctl.conf | |
| echo 'net.ipv4.tcp_mem = 2303808 3071744 67108864' >> /etc/sysctl.conf | |
| echo 'net.ipv4.tcp_wmem = 4096 524288 67108864' >> /etc/sysctl.conf | |
| echo 'net.ipv4.tcp_rmem = 4096 524288 67108864' >> /etc/sysctl.conf | |
| # To get a list of congestion control algorithms that are available in your kernel (if you are running 2.6.20 or higher), run: | |
| # sysctl net.ipv4.tcp_available_congestion_control | |
| # Reference - https://fasterdata.es.net/host-tuning/linux/expert/ | |
| # Do a 'modprobe tcp_htcp' | |
| echo 'net.ipv4.tcp_congestion_control = htcp' >> /etc/sysctl.conf | |
| #net.ipv4.tcp_available_congestion_control = htcp cubic reno | |
| #net.ipv4.tcp_allowed_congestion_control = htcp cubic reno | |
| echo 'net.core.rmem_default = 67108864' >> /etc/sysctl.conf | |
| echo 'net.core.wmem_default = 67108864' >> /etc/sysctl.conf | |
| echo 'fs.file-max = 2442072' >> /etc/sysctl.conf | |
| Apply the above settings | |
| sudo sysctl -p | |
| ----------------------- | |
| Install EPEL repository | |
| --------------------------- | |
| wget http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6.8.noarch.rpm | |
| rpm -ivh epel-release-6.8.noarch.rpm | |
| -------------------- | |
| Upgrade cmake if required | |
| ------------------- | |
| # cmake version of CentOS 6/Scientific Linux 6 repository is old. - cmake-2.6.4-5.el6.x86_64 | |
| # EPEL repository contains cmake 2.8 version - cmake28-2.8.11.2-1.el6.x86_64 | |
| #yum remove cmake | |
| yum install cmake28 | |
| ln -s /usr/bin/cmake28 /usr/bin/cmake | |
| ln -s /usr/bin/ccmake28 /usr/bin/ccmake | |
| ln -s /usr/bin/cpack28 /usr/bin/cpack | |
| ln -s /usr/bin/ctest28 /usr/bin/ctest | |
| If you wish, you can download rpm from internet or look for cmake28 or later in CentOS6.x/SL6.x repositories. | |
| ---------------------------- | |
| Install Bro dependencies | |
| ---------------------------- | |
| yum install kernel-devel kernel-headers -y | |
| yum install make autoconf automake gcc gcc-c++ flex bison libpcap libpcap-devel -y | |
| yum install openssl openssl-devel python-devel swig zlib zlib-devel -y | |
| yum install openssl-libs bind-libs -y | |
| yum install gawk -y | |
| yum install pcre-devel -y | |
| yum install libtool -y | |
| yum install numactl numactl-devel -y | |
| yum install gperftools-libs gperftools-devel -y | |
| yum install GeoIP GeoIP-devel -y | |
| yum install jemalloc jemalloc-devel -y | |
| yum install curl -y | |
| yum install libcurl-devel -y | |
| yum install file-devel -y | |
| yum install libarchive libarchive-devel -y | |
| --------------------------- | |
| ipsumdump installation | |
| ---------------------------- | |
| #wget http://www.read.seas.harvard.edu/~kohler/ipsumdump | |
| #tar -zxvf ipsumdump-1.85.tar.gz | |
| #cd ipsumdump-1.85 | |
| #./configure | |
| #make && make install | |
| ----------------------------------------------------------- | |
| set environment - required during python compilation | |
| ------------------------------------------------------------- | |
| #export LDFLAGS=-L/usr/local/lib | |
| #export CFLAGS=-I/usr/local/include | |
| #export CPPFLAGS=-I/usr/local/include | |
| #export LD_LIBRARY_PATH=/usr/local/lib | |
| ------------------------------------- | |
| Python installation - 2.7.10 or more | |
| ------------------------------------ | |
| # CentOS6.x comes with python2.6 by default. Bro requires python2.7 at least for Broccoli component. | |
| #Please do not try to remove existing python version as it will remove many python dependent packages e.g. yum requires python2.6 that comes default with SL/CentOS distribution. | |
| # So, install python 2.7.x in addition to existing python 2.6.6 | |
| #wget http://www.python.org/ftp/python/2.7.10/Python-2.7.10.tgz | |
| #tar -zxvf Python-2.7.10.tgz | |
| #cd Python-2.7.10 | |
| #./configure --prefix=/usr/local --enable-unicode=ucs4 --enable-shared LDFLAGS="-Wl,-rpath /usr/local/lib" | |
| #make | |
| #make altinstall | |
| #ln -s /usr/local/bin/python2.7 /usr/bin/python2.7 | |
| Add python to system path | |
| #export PATH=$PATH:/usr/local/bin/python2.7 | |
| ------------------------ | |
| python pip installation | |
| -------------------------- | |
| # wget get-pip.py from https://bootstrap.pypa.io/get-pip.py | |
| #python2.7 get-pip.py | |
| #ln -s /usr/local/bin/pip2.7 /usr/bin/pip2.7 | |
| ---------------------------------------------------------- | |
| Install python pysubnettree module and handle sqlite3 issue | |
| ----------------------------------------------------------- | |
| # It is presumed that python(python2.6.10) has been installed as a part of default installation. Copy sqlite3.so module to new python path | |
| #cp /usr/lib64/python2.6/lib-dynload/_sqlite3.so /usr/local/lib/python2.7/sqlite3/ | |
| Now, install pysubnettree python package: | |
| #pip2.7 install pysubnettree | |
| -------------------------------------- | |
| Download, install and configure PF_RING | |
| ----------------------------------------- | |
| You should follow instructions available at Bro site for PF_RING installation - https://www.bro.org/documentation/load-balancing.html | |
| Download the latest pf_ring source from http://www.ntop.org/get-started/download/#PF_RING | |
| Now, compile/install various libraries required for PF_RING: | |
| #cd /usr/src | |
| #tar -zxvf PF_RING-6.0.3.tar.gz | |
| #cd PF_RING-6.0.3/userland/lib | |
| #./configure --prefix=/opt/pfring | |
| #make | |
| #make install | |
| #cd ../libpcap | |
| #./configure --prefix=/opt/pfring | |
| #make | |
| #make install | |
| #cd ../tcpdump-4.1.1 | |
| #./configure --prefix=/opt/pfring | |
| #make | |
| #make install | |
| #cd ../../kernel | |
| (During kernel 'make' installation step, compile(make) it as normal user rather than as a root.) | |
| #make | |
| #make install | |
| #Note - Please make sure that your kernel-devel, kernel-headers and kernel rpms have same major/minor versions. If not, you will encounter error in make step. | |
| #e.g. | |
| # rpm -qa |grep -i kernel | |
| kernel-headers-2.6.32-431.1.2.el6.x86_64 | |
| kernel-devel-2.6.32-431.1.2.el6.x86_64 | |
| kernel-2.6.32-431.1.2.el6.x86_64 | |
| Add pf_ring module at start up: | |
| #modprobe pf_ring enable_tx_capture=0 min_num_slots=32768 | |
| ------------------------- | |
| Check status of PF_ring | |
| ------------------------- | |
| # modinfo pf_ring | |
| # cat /proc/net/pf_ring/info | |
| # lsmod |grep -i pf_ring | |
| If you wish to blacklist pf_ring module: | |
| echo "blacklist pf_ring" >> /etc/modprobe.d/blacklist.conf | |
| ------------------------------------- | |
| Download, install and configure Bro | |
| -------------------------------------- | |
| Download Bro from bro site - http://www.bro.org/download/index.html | |
| cd bro-2.4.1 | |
| ./configure --with-pcap=/opt/pfring --enable-debug --enable-perftools --enable-jemalloc | |
| make && make install | |
| Verify that Bro is using pf_ring libraries (Bro is correctly linked to the required libpcap libraries) | |
| ldd /usr/local/bro/bin/bro | grep pcap | |
| libpcap.so.1 => /opt/pfring/lib/libpcap.so.1 (0x00007fa6d7d24000) | |
| Various check that ensure that Bro is correctly configured and is working correctly as desired!! | |
| # Append a crontab entry. | |
| entry="0-55/5 * * * * $prefix/bin/broctl cron" | |
| (crontab -l; echo "$entry" ) | crontab - | |
| export PATH=$PATH:/usr/local/bro/bin | |
| Deploy bro configuration | |
| /usr/local/bro/bin/broctl deploy | |
| ------------------------------------------------------------------------------ | |
| capstats output: - make sure that nic_drops=0 otherwise, there is some issue! | |
| ------------------------------------------------------------------------------ | |
| [root@ids bro-2.4.1]# capstats -i eth1 -I 10 -n 10 | |
| 1461129498.908812 pkts=150393 kpps=14.9 kbytes=111351 mbps=90.4 nic_pkts=150393 nic_drops=0 u=29 t=75160 i=0 o=0 nonip=75204 | |
| 1461129508.908865 pkts=163641 kpps=16.4 kbytes=124721 mbps=102.2 nic_pkts=314034 nic_drops=0 u=15 t=81798 i=0 o=0 nonip=81828 | |
| 1461129518.908912 pkts=137845 kpps=13.8 kbytes=102063 mbps=83.6 nic_pkts=451879 nic_drops=0 u=46 t=68869 i=0 o=0 nonip=68930 | |
| 1461129528.908962 pkts=149581 kpps=15.0 kbytes=107227 mbps=87.8 nic_pkts=601460 nic_drops=0 u=30 t=74753 i=0 o=0 nonip=74798 | |
| 1461129538.909008 pkts=157781 kpps=15.8 kbytes=122515 mbps=100.4 nic_pkts=759241 nic_drops=0 u=17 t=78866 i=0 o=0 nonip=78898 | |
| 1461129548.910683 pkts=155546 kpps=15.6 kbytes=120246 mbps=98.5 nic_pkts=914787 nic_drops=0 u=30 t=77736 i=0 o=0 nonip=77780 | |
| 1461129558.910729 pkts=201705 kpps=20.2 kbytes=162725 mbps=133.3 nic_pkts=1116492 nic_drops=0 u=19 t=100825 i=1 o=0 nonip=100860 | |
| 1461129568.910775 pkts=201740 kpps=20.2 kbytes=162592 mbps=133.2 nic_pkts=1318232 nic_drops=0 u=34 t=100828 i=0 o=0 nonip=100878 | |
| 1461129578.910825 pkts=264087 kpps=26.4 kbytes=224337 mbps=183.8 nic_pkts=1582319 nic_drops=0 u=16 t=132020 i=0 o=0 nonip=132051 | |
| 1461129588.910871 pkts=163697 kpps=16.4 kbytes=129138 mbps=105.8 nic_pkts=1746016 nic_drops=0 u=30 t=81810 i=1 o=0 nonip=81856 | |
| ------------------------------------------------------------------ | |
| netstats using broctl: make sure that dropped=0 is present always! | |
| ------------------------------------------------------------------- | |
| [root@ids bro-2.4.1]# broctl netstats | |
| worker-1-1: 1461130120.469154 recvd=3605586 dropped=0 link=3605586 | |
| worker-1-2: 1461130120.667704 recvd=3060021 dropped=0 link=3060021 | |
| worker-2-1: 1461130120.870726 recvd=3275393 dropped=0 link=3275393 | |
| worker-2-2: 1461130121.074453 recvd=3205035 dropped=0 link=3205035 | |
| worker-3-1: 1461130121.272134 recvd=5599450 dropped=0 link=5599450 | |
| worker-3-2: 1461130121.492023 recvd=3260891 dropped=0 link=3260891 | |
| worker-4-1: 1461130121.674467 recvd=2749362 dropped=0 link=2749362 | |
| worker-4-2: 1461130121.874181 recvd=2911576 dropped=0 link=2911576 | |
| ---------------------- | |
| Capture loss script | |
| ---------------------- | |
| Do not forget to add capture loss script to bro site configuration: | |
| [root@ids bro-2.4.1]# cat /usr/local/bro/share/bro/site/local.bro |grep -i cap | |
| @load misc/capture-loss.bro | |
| Check if any packet loss is reported in notice.log | |
| [root@ids bro-2.4.1]# tail -f /backup/bro/logs/current/notice.log |grep -i capture | |
| ---------------------------------------------------------------------- | |
| Ethernet interface statistics - have a look to see if everything is ok! | |
| ----------------------------------------------------------------------- | |
| [root@ids userland]# ethtool -S eth1 | |
| NIC statistics: | |
| rx_packets: 44394071916 | |
| tx_packets: 6 | |
| rx_bytes: 41858558934856 | |
| tx_bytes: 492 | |
| rx_broadcast: 11568535 | |
| tx_broadcast: 0 | |
| rx_multicast: 2808 | |
| tx_multicast: 6 | |
| rx_errors: 8 | |
| tx_errors: 0 | |
| tx_dropped: 0 | |
| multicast: 2808 | |
| collisions: 0 | |
| rx_length_errors: 8 | |
| rx_over_errors: 0 | |
| rx_crc_errors: 0 | |
| rx_frame_errors: 0 | |
| rx_no_buffer_count: 1429 | |
| rx_missed_errors: 578 | |
| tx_aborted_errors: 0 | |
| tx_carrier_errors: 0 | |
| tx_fifo_errors: 0 | |
| tx_heartbeat_errors: 0 | |
| tx_window_errors: 0 | |
| tx_abort_late_coll: 0 | |
| tx_deferred_ok: 0 | |
| tx_single_coll_ok: 0 | |
| tx_multi_coll_ok: 0 | |
| tx_timeout_count: 0 | |
| tx_restart_queue: 0 | |
| rx_long_length_errors: 0 | |
| rx_short_length_errors: 8 | |
| rx_align_errors: 0 | |
| tx_tcp_seg_good: 0 | |
| tx_tcp_seg_failed: 0 | |
| rx_flow_control_xon: 0 | |
| rx_flow_control_xoff: 0 | |
| tx_flow_control_xon: 0 | |
| tx_flow_control_xoff: 0 | |
| rx_long_byte_count: 41858558934856 | |
| rx_csum_offload_good: 43716692832 | |
| rx_csum_offload_errors: 0 | |
| rx_header_split: 0 | |
| alloc_rx_buff_failed: 0 | |
| tx_smbus: 0 | |
| rx_smbus: 0 | |
| dropped_smbus: 0 | |
| rx_dma_failed: 0 | |
| tx_dma_failed: 0 | |
| rx_hwtstamp_cleared: 0 | |
| uncorr_ecc_errors: 0 | |
| corr_ecc_errors: 0 | |
| tx_hwtstamp_timeouts: 0 | |
| -------------------------- | |
| Ethernet statistics | |
| --------------------------- | |
| [root@ids userland]# ethtool -c eth1 | |
| Coalesce parameters for eth1: | |
| Adaptive RX: off TX: off | |
| stats-block-usecs: 0 | |
| sample-interval: 0 | |
| pkt-rate-low: 0 | |
| pkt-rate-high: 0 | |
| rx-usecs: 3 | |
| rx-frames: 0 | |
| rx-usecs-irq: 0 | |
| rx-frames-irq: 0 | |
| tx-usecs: 0 | |
| tx-frames: 0 | |
| tx-usecs-irq: 0 | |
| tx-frames-irq: 0 | |
| rx-usecs-low: 0 | |
| rx-frame-low: 0 | |
| tx-usecs-low: 0 | |
| tx-frame-low: 0 | |
| rx-usecs-high: 0 | |
| rx-frame-high: 0 | |
| tx-usecs-high: 0 | |
| tx-frame-high: 0 | |
| ------------------ | |
| PF_RING outputs | |
| ------------------- | |
| [root@ids userland]# cat /proc/net/pf_ring/info | |
| PF_RING Version : 6.0.3 ($Revision: exported$) | |
| Total rings : 8 | |
| Standard (non DNA/ZC) Options | |
| Ring slots : 32768 | |
| Slot version : 16 | |
| Capture TX : No [RX only] | |
| IP Defragment : No | |
| Socket Mode : Standard | |
| Total plugins : 0 | |
| Cluster Fragment Queue : 0 | |
| Cluster Fragment Discard : 0 | |
| [root@ids userland]# cat /proc/net/pf_ring/21751-eth1.12 | |
| Bound Device(s) : eth1 | |
| Active : 1 | |
| Breed : Standard | |
| Appl. Name : bro-eth1 | |
| Socket Mode : RX+TX | |
| Capture Direction : RX+TX | |
| Sampling Rate : 1 | |
| IP Defragment : No | |
| BPF Filtering : Enabled | |
| # Sw Filt. Rules : 0 | |
| # Hw Filt. Rules : 0 | |
| Poll Pkt Watermark : 1 | |
| Num Poll Calls : 8073938 | |
| Channel Id Mask : 0xFFFFFFFFFFFFFFFF | |
| Cluster Id : 21 | |
| Slot Version : 16 [6.0.3] | |
| Min Num Slots : 32768 | |
| Bucket Len : 8192 | |
| Slot Len : 8232 [bucket+header] | |
| Tot Memory : 269758464 | |
| Tot Packets : 3090727 | |
| Tot Pkt Lost : 0 | |
| Tot Insert : 3090727 | |
| Tot Read : 3090717 | |
| Insert Offset : 251171448 | |
| Remove Offset : 251168624 | |
| Num Free Slots : 32758 | |
| TX: Send Ok : 0 | |
| TX: Send Errors : 0 | |
| Reflect: Fwd Ok : 0 | |
| Reflect: Fwd Errors: 0 | |
| ------------------ | |
| Bro - configuration | |
| --------------------- | |
| [root@ids userland]# broctl config | |
| bindir = /usr/local/bro/bin | |
| bro = /usr/local/bro/bin/bro | |
| bro-crashed = False | |
| bro-expect-running = False | |
| bro-host = localhost | |
| bro-pid = None | |
| bro-port = 47760 | |
| broargs = | |
| brobase = /usr/local/bro | |
| broctlconfigdir = /backup/bro/spool | |
| broport = 47760 | |
| broscriptdir = /usr/local/bro/share/bro | |
| broversion = 2.4.1 | |
| capstatspath = /usr/local/bro/bin/capstats | |
| cfgdir = /usr/local/bro/etc | |
| cflowaddress = | |
| cflowpassword = | |
| cflowuser = | |
| commandtimeout = 60 | |
| commtimeout = 10 | |
| compresscmd = gzip -9 | |
| compressextension = gz | |
| compresslogs = 1 | |
| cron = 0 | |
| croncmd = | |
| debug = 0 | |
| debuglog = /backup/bro/spool/debug.log | |
| env_vars = | |
| hash-broctlcfg = 3467248684 | |
| hash-nodecfg = 1814322202 | |
| havenfs = 0 | |
| helperdir = /usr/local/bro/share/broctl/scripts/helpers | |
| ipv6comm = 1 | |
| keeplogs = | |
| libdir = /usr/local/bro/lib | |
| libdirinternal = /usr/local/bro/lib/broctl | |
| localnetscfg = /usr/local/bro/etc/networks.cfg | |
| lockfile = /backup/bro/spool/lock | |
| logdir = /backup/bro/logs | |
| logexpireinterval = 0 | |
| logrotationinterval = 3600 | |
| mailalarmsinterval = 86400 | |
| mailalarmsto = root@localhost | |
| mailconnectionsummary = 1 | |
| mailfrom = Big Brother <bro@ids.test.in> | |
| mailhostupdown = 1 | |
| mailreplyto = | |
| mailsubjectprefix = [Bro] | |
| mailto = root@localhost | |
| makearchivename = /usr/local/bro/share/broctl/scripts/make-archive-name | |
| manager-crashed = False | |
| manager-expect-running = True | |
| manager-host = localhost | |
| manager-pid = 21649 | |
| manager-port = 47761 | |
| memlimit = unlimited | |
| mindiskspace = 5 | |
| nodecfg = /usr/local/bro/etc/node.cfg | |
| os = linux | |
| pfringclusterid = 21 | |
| pfringclustertype = 4-tuple | |
| pfringfirstappinstance = 0 | |
| pin_command = taskset -c | |
| plugindir = /usr/local/bro/lib/broctl/plugins | |
| policydir = /usr/local/bro/share/bro | |
| policydirsiteinstall = /backup/bro/spool/installed-scripts-do-not-touch/site | |
| policydirsiteinstallauto = /backup/bro/spool/installed-scripts-do-not-touch/auto | |
| postprocdir = /usr/local/bro/share/broctl/scripts/postprocessors | |
| prefixes = local | |
| proxy-1-crashed = False | |
| proxy-1-expect-running = True | |
| proxy-1-host = localhost | |
| proxy-1-pid = 21687 | |
| proxy-1-port = 47762 | |
| savetraces = 0 | |
| scriptsdir = /usr/local/bro/share/broctl/scripts | |
| sendmail = /usr/sbin/sendmail | |
| sigint = 0 | |
| sitepluginpath = | |
| sitepolicymanager = local-manager.bro | |
| sitepolicypath = /usr/local/bro/share/bro/site | |
| sitepolicystandalone = local.bro | |
| sitepolicyworker = local-worker.bro | |
| spooldir = /backup/bro/spool | |
| standalone = 0 | |
| statefile = /backup/bro/spool/state.db | |
| staticdir = /usr/local/bro/share/broctl | |
| statsdir = /backup/bro/logs/stats | |
| statslog = /backup/bro/spool/stats.log | |
| statslogenable = 1 | |
| statslogexpireinterval = 0 | |
| statuscmdshowall = 1 | |
| stoptimeout = 60 | |
| test.enabled = 0 | |
| test.foo = 1 | |
| time = /usr/bin/time | |
| timefmt = %d %b %H:%M:%S | |
| timemachinehost = | |
| timemachineport = 47757/tcp | |
| tmpdir = /backup/bro/spool/tmp | |
| tmpexecdir = /backup/bro/spool/tmp | |
| tracesummary = /usr/local/bro/bin/trace-summary | |
| version = 1.4 | |
| worker-1-1-crashed = False | |
| worker-1-1-expect-running = True | |
| worker-1-1-host = localhost | |
| worker-1-1-pid = 21751 | |
| worker-1-1-port = 47763 | |
| worker-1-2-crashed = False | |
| worker-1-2-expect-running = True | |
| worker-1-2-host = localhost | |
| worker-1-2-pid = 21774 | |
| worker-1-2-port = 47764 | |
| worker-1-3-crashed = False | |
| worker-1-3-expect-running = False | |
| worker-1-3-host = localhost | |
| worker-1-3-pid = None | |
| worker-1-3-port = 47765 | |
| worker-1-crashed = False | |
| worker-1-expect-running = False | |
| worker-1-host = localhost | |
| worker-1-pid = None | |
| worker-1-port = 47763 | |
| worker-2-1-crashed = False | |
| worker-2-1-expect-running = True | |
| worker-2-1-host = localhost | |
| worker-2-1-pid = 21782 | |
| worker-2-1-port = 47765 | |
| worker-2-2-crashed = False | |
| worker-2-2-expect-running = True | |
| worker-2-2-host = localhost | |
| worker-2-2-pid = 21796 | |
| worker-2-2-port = 47766 | |
| worker-2-3-crashed = False | |
| worker-2-3-expect-running = False | |
| worker-2-3-host = localhost | |
| worker-2-3-pid = None | |
| worker-2-3-port = 47768 | |
| worker-2-crashed = False | |
| worker-2-expect-running = False | |
| worker-2-host = localhost | |
| worker-2-pid = None | |
| worker-2-port = 47764 | |
| worker-3-1-crashed = False | |
| worker-3-1-expect-running = True | |
| worker-3-1-host = localhost | |
| worker-3-1-pid = 21802 | |
| worker-3-1-port = 47767 | |
| worker-3-2-crashed = False | |
| worker-3-2-expect-running = True | |
| worker-3-2-host = localhost | |
| worker-3-2-pid = 21804 | |
| worker-3-2-port = 47768 | |
| worker-3-3-crashed = False | |
| worker-3-3-expect-running = False | |
| worker-3-3-host = localhost | |
| worker-3-3-pid = None | |
| worker-3-3-port = 47771 | |
| worker-3-crashed = False | |
| worker-3-expect-running = False | |
| worker-3-host = localhost | |
| worker-3-pid = None | |
| worker-3-port = 47765 | |
| worker-4-1-crashed = False | |
| worker-4-1-expect-running = True | |
| worker-4-1-host = localhost | |
| worker-4-1-pid = 21803 | |
| worker-4-1-port = 47769 | |
| worker-4-2-crashed = False | |
| worker-4-2-expect-running = True | |
| worker-4-2-host = localhost | |
| worker-4-2-pid = 21808 | |
| worker-4-2-port = 47770 | |
| worker-4-crashed = False | |
| worker-4-expect-running = False | |
| worker-4-host = localhost | |
| worker-4-pid = None | |
| worker-4-port = 47766 | |
| worker-5-crashed = False | |
| worker-5-expect-running = False | |
| worker-5-host = localhost | |
| worker-5-pid = None | |
| worker-5-port = 47767 | |
| zoneid = | |
| ----------------------------- | |
| Bro - node configuration | |
| ------------------------------ | |
| [root@ids bro-2.4.1]# cat /usr/local/bro/etc/node.cfg | |
| # Example BroControl node configuration. | |
| # | |
| # This example has a standalone node ready to go except for possibly changing | |
| # the sniffing interface. | |
| # This is a complete standalone configuration. Most likely you will | |
| # only need to change the interface. | |
| #[bro] | |
| #type=standalone | |
| #host=localhost | |
| #interface=eth1 | |
| ## Below is an example clustered configuration. If you use this, | |
| ## remove the [bro] node above. | |
| [manager] | |
| type=manager | |
| host=localhost | |
| # | |
| [proxy-1] | |
| type=proxy | |
| host=localhost | |
| # | |
| [worker-1] | |
| type=worker | |
| host=localhost | |
| interface=eth1 | |
| lb_method=pf_ring | |
| # approx. guidance - number of lb_procs to be half of number of CPU/Cores available. | |
| lb_procs=2 | |
| pin_cpus=2,3 | |
| # | |
| [worker-2] | |
| type=worker | |
| host=localhost | |
| interface=eth1 | |
| lb_method=pf_ring | |
| lb_procs=2 | |
| pin_cpus=2,3 | |
| # | |
| [worker-3] | |
| type=worker | |
| host=localhost | |
| interface=eth1 | |
| lb_method=pf_ring | |
| lb_procs=2 | |
| pin_cpus=2,3 | |
| [worker-4] | |
| type=worker | |
| host=localhost | |
| interface=eth1 | |
| lb_method=pf_ring | |
| lb_procs=2 | |
| pin_cpus=2,3 | |
| #[worker-5] | |
| #type=worker | |
| #host=localhost | |
| #interface=eth1 | |
| ------------------------- | |
| NIC buffer configurations | |
| ----------------------- | |
| [root@ids userland]# sysctl -a |grep net.core.rmem | |
| net.core.rmem_max = 67108864 | |
| net.core.rmem_default = 67108864 | |
| [root@ids userland]# sysctl -a |grep tcp_rmem | |
| net.ipv4.tcp_rmem = 4096 524288 16777216 | |
| [root@ids userland]# sysctl -a |grep netdev_max | |
| net.core.netdev_max_backlog = 20000 | |
| ----------------- | |
| Interesting links | |
| ----------------- | |
| https://github.com/Security-Onion-Solutions/security-onion/wiki/NetworkConfiguration | |
| http://ossectools.blogspot.in/2012/10/multi-node-bro-cluster-setup-howto.html | |
| https://www.bro.org/documentation/load-balancing.html | |
| https://www.sans.org/reading-room/whitepapers/detection/capturing-10g-1g-traffic-correct-settings-33043 | |
| https://github.com/Security-Onion-Solutions/security-onion/wiki/ProductionDeployment | |
| Performance and security related sysctl settings - https://github.com/zchee/h2o-proxy/blob/master/sysctl.conf |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment