Prerequisites
=============

Bro-aux relies on the following libraries and tools, which need to be installed before you begin with the installation:

* Libpcap headers and libraries

  Network traffic capture library.

* Flex

  Flex is already installed on most systems, so with luck you can skip having to install it yourself.

* Bison

  This comes with many systems, but if you get errors compiling parse.y, you will need to install it.

* Perl

  Used only during the Bro build process.

* sed

  Used only during the Bro build process.

* BIND8 headers and libraries

  These are usually already installed as well.

* OpenSSL headers and libraries

  For analysis of SSL certificates by the HTTP analyzer, and for encrypted Bro-to-Bro communication. These are likely installed, though some platforms may require installation of a 'devel' package for the headers.

* CMake 2.8 or greater

  CMake is a cross-platform, open-source build system, typically not installed by default. See http://www.cmake.org for more information regarding CMake, and the installation steps below for how to use it to build this distribution.

Bro can also make use of some optional libraries if they are found at installation time:

* Libmagic

  For identifying file types (e.g., in FTP transfers).

* LibGeoIP

  For geo-locating IP addresses.

* Libz

  For decompressing HTTP bodies by the HTTP analyzer, and for compressed Bro-to-Bro communication.

Installation
============

To build and install into /usr/local/bro:

    > ./configure
    > cd build
    > make
    > make install

This will perform an out-of-source build into the build directory using the default build options and then install binaries into /usr/local/bro/bin.

You can specify a different installation directory with

    > ./configure --prefix=

Run "./configure --help" for more options.

Running Bro
===========

Bro is a complex program and it takes a bit of time to get familiar with it. In the following we give a few simple examples. See http://www.bro-ids.org/wiki for more information.

To run a policy file from /usr/local/share/bro, such as mt.bro, on a previously captured tcpdump save file named foo:

    bro -r foo mt.bro

To run from interface le0:

    bro -i le0 mt

You can alternatively specify the interface and the scripts to load in your own policy file:

    @load mt
    redef interfaces = "le0";

and then run

    bro ./my-policy.bro

You can see the BPF filter Bro will use (if not overridden) by executing

    bro mt print-filter

To run interactively (e.g., for playing with expression evaluation):

    bro

"bro -h" lists the various options.
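As an added example that is not part of this README or the Bro distribution, here is a complete my-policy.bro that combines the two settings above with an extra capture filter and a connection event handler, so that "bro ./my-policy.bro print-filter" shows how the extra entries change the BPF filter; the capture_filters table and the connection_established event are assumed to be available from the scripts mt loads.

```bro
# my-policy.bro (added example; the names below are assumed from
# Bro's policy language, not taken from this README)

# Load the same analysis scripts the README runs, then fix the
# interface so "bro ./my-policy.bro" needs no -i flag.
@load mt
redef interfaces = "le0";

# Entries in capture_filters are OR'ed together into the BPF filter
# Bro installs on the interface. Adding entries here widens what Bro
# captures; "bro ./my-policy.bro print-filter" prints the result so
# the filter can be checked before running live.
redef capture_filters += {
    ["extra-http"] = "tcp port 8080",
    ["extra-dns"]  = "udp port 5353"
};

# Report each fully established TCP connection with both endpoints.
# When replaying a save file with -r, the same handler runs over the
# recorded traffic, so the policy can be tested offline first.
event connection_established(c: connection)
    {
    print fmt("%s:%s -> %s:%s established",
              c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p);
    }
```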