Prerequisites ============= Bro relies on the following libraries and tools, which need to be installed before you begin: * Libpcap headers and libraries Network traffic capture library * Flex (Fast Lexical Analyzer) Flex is already installed on most systems, so with luck you can skip having to install it yourself. * Bison (GNU Parser Generator) This comes with many systems, but if you get errors compiling parse.y, you will need to install it. * Perl Used only during the Bro build process * sed Used only during the Bro build process * BIND8 headers and libraries These are usually already installed as well. * OpenSSL headers and libraries For analysis of SSL certificates by the HTTP analyzer, and for encrypted Bro-to-Bro communication. These are likely installed, though some platforms may require installation of a 'devel' package for the headers. * CMake 2.8 or greater CMake is a cross-platform, open-source build system, typically not installed by default. See http://www.cmake.org for more information regarding CMake and the installation steps below for how to use it to build this distribution. CMake generates native Makefiles that depend on GNU Make by default. Bro can also make uses of some optional libraries if they are found at installation time: * Libmagic For identifying file types (e.g., in FTP transfers). * LibGeoIP For geo-locating IP addresses. * Libz For decompressing HTTP bodies by the HTTP analyzer, and for compressed Bro-to-Bro communication. Installation ============ To build and install into /usr/local/bro: > ./configure > cd build > make > make install This will perform an out-of-source build into the build directory using the default build options and then install binaries into /usr/local/bro/bin. You can specify a different installation directory with > ./configure --prefix= Run "./configure --help" for more options. Running Bro =========== Bro is a complex program and it takes a bit of time to get familiar with it. In the following we give a few simple examples. See http://www.bro-ids.org/wiki for more information. To run a policy file from /usr/local/share/bro, such as mt.bro, on a previously captured tcpdump save file named foo: bro -r foo mt.bro To run from interface le0: bro -i le0 mt You can alternatively specify interface and scripts to load in your own policy file: @load mt redef interfaces = "le0"; and then run bro ./my-policy.bro You can see the BPF filter Bro will use (if not overridden) by executing bro mt print-filter To run interactively (e.g., for playing with expression evaluation): bro "bro -h" lists the various options.