@menu
* Starting Bro Daemon::
* Running Bro from the command line::
* Bro Cron Scripts::
@end menu

@c *********************************************************************
@node Starting Bro Daemon
@section Starting Bro Daemon
@cindex starting Bro daemon
@cindex bro.rc

Bro is automatically started at boot time via the @command{bro.rc} script
(located in @file{$BROHOME/etc} and @file{/usr/local/etc/rc.d} on FreeBSD,
or @file{/etc/init.d} on Linux).  To run this script by hand, type:

@example
bro.rc start
@end example

or

@example
bro.rc checkpoint
@end example

or

@example
bro.rc stop
@end example

Use @code{checkpoint} to restart a running Bro, loading a new policy file.

Note that under Linux, Bro must be run as the 'root' user, because root
privileges are required to capture packets.

@c *********************************************************************
@node Running Bro from the command line
@section Running Bro from the command line
@cindex Running Bro from the command line

If you use @code{bash} for your shell, you can do something like this to
start Bro by hand:

@example
cd /usr/local/bro
. etc/bro.cfg
./bro -i eth1 -i eth2 myhost.mysite.org.bro
@end example

The '. etc/bro.cfg' line should set your @code{$BROHOME} and
@code{$BROPATH} correctly so that all of the needed files can be found.
Files are loaded in the following order: Bro is invoked with a start file
(in the above, @file{myhost.mysite.org.bro}).  In that file (which is in
@file{$BROHOME/site}) there should be a couple of lines like this at the
top:

@verbatim
---------------- myhost.mysite.org.bro ----------------------------
@prefixes = local
@load site     # file generated by the network script for dynamic config
               # of the local network subnets.

# Make any changes to policy starting here ....
-------------- end --------------------------------------
@end verbatim

The '@@load site' line will load the @file{local.site.bro} file from
@file{$BROHOME/site}.  If you are making changes, you should make them in
the @file{myhost.mysite.org.bro} file.
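The following is an added example, not a script from the Bro distribution: it builds the @code{BROPATH} that @file{etc/bro.cfg} normally sets (site directory first, then the shipped policy directory), resolves a policy file name along that colon-separated path in order, and refuses to start if the start file is missing or does not @code{@@load site}. It assumes Bro searches the @code{BROPATH} directories left to right and takes the first match; the directory tree built by @code{demo_setup} is constructed for the demonstration, and the @code{BROHOME} default is a placeholder for your installation.

```shell
#!/bin/sh
# Added example (not part of the Bro distribution): show how a policy file
# name is resolved along BROPATH, and pre-check the start file before
# launching Bro.  Assumes BROPATH is searched left to right, first hit wins.

# What etc/bro.cfg would export: the site directory comes first so that
# local policy shadows a shipped policy file of the same name.
bro_env() {
    BROHOME="${1:-/usr/local/bro}"   # placeholder default; set to your install
    BROPATH="$BROHOME/site:$BROHOME/policy"
    export BROHOME BROPATH
}

# Print the path of the first directory in BROPATH that contains $1.
# Returns 1 (printing nothing) when no directory on the path has it.
find_policy() {
    name="$1"
    rest="$BROPATH"
    while [ -n "$rest" ]; do
        dir="${rest%%:*}"                 # head of the remaining path
        case "$rest" in
            *:*) rest="${rest#*:}" ;;     # drop the head and its colon
            *)   rest="" ;;               # last element consumed
        esac
        if [ -f "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    return 1
}

# Pre-flight check for the start file named on the bro command line:
# it must exist on BROPATH and must @load site, as the text describes.
check_start_file() {
    path=$(find_policy "$1") || {
        echo "start file $1 not found on BROPATH=$BROPATH" >&2
        return 1
    }
    grep -q '^@load site' "$path" || {
        echo "$path does not @load site" >&2
        return 2
    }
    printf '%s\n' "$path"
}

# Constructed demo tree (not a real installation): a start file in site/
# and an empty site.bro in policy/, so both search positions are exercised.
# Leaves the tree root in DEMO_ROOT; remove it when done.
demo_setup() {
    DEMO_ROOT=$(mktemp -d)
    mkdir -p "$DEMO_ROOT/site" "$DEMO_ROOT/policy"
    printf '@prefixes = local\n@load site\n' > "$DEMO_ROOT/site/myhost.mysite.org.bro"
    : > "$DEMO_ROOT/policy/site.bro"
    bro_env "$DEMO_ROOT"
}

# Typical use before launching by hand, mirroring the bash sequence above:
#   bro_env /usr/local/bro
#   check_start_file myhost.mysite.org.bro && ./bro -i eth1 myhost.mysite.org.bro
```

Because @code{find_policy} stops at the first hit, a file placed in @file{$BROHOME/site} takes precedence over one of the same name in @file{$BROHOME/policy}; that is why local changes belong in the site directory rather than in the shipped policy tree.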
Bro can also be run on @code{tcpdump -w} files instead of on live traffic.
To do this, you must set a @code{BROPATH} environment variable to point at
your set of policy scripts.  For example (in csh):

@example
setenv BROHOME /usr/local/bro
setenv BROPATH $BROHOME/site:$BROHOME/policy
bro -r dumpfile brohost
@end example

More information on Bro run-time flags and environment variables is
available in the
@uref{http://www.bro-ids.org/Bro-reference-manual/Bro-flags-and-run_002dtime-environment.html, Reference Manual}.

@c *********************************************************************
@node Bro Cron Scripts
@section Bro Cron Scripts
@cindex bro_generate_report
@cindex bro_log_compress
@cindex check_disk
@cindex managing disk space

Installing @emph{brolite} automatically creates the following @command{cron}
jobs, which are run at the specified intervals.

@itemize
@item @command{site-report.pl}: generates a text report of all alarms and
notifications
@item @command{mail_reports.sh}: emails the reports generated by
@command{site-report.pl} to the list of addresses specified in the file
@code{$BROHOME/etc/bro.cfg}
@end itemize

These scripts can also all be run by hand at any time.  Be sure your
@code{$BROHOME} environment variable is set first.

As Bro log files can get large quickly, it is important to ensure that the
Bro disk does not fill up.  Bro includes some simple scripts to help manage
disk space.  Most sites will want to customize these for their own
requirements, and integrate them into their backup system to make sure
files are not removed before they are archived.

@itemize
@item @command{check_disk.sh}: send email if disk space is too low
@item @command{bro_log_compress.sh}: remove/compress old log files
@end itemize

These scripts can be customized by editing their settings in
@code{$BROHOME/etc/bro.cfg}.
The settings are as follows:

@itemize
@item @command{check_disk.sh}:
@itemize
@item @code{diskspace_pct}: when the disk is >= this percent full, send
email (default = 85%)
@item @code{diskspace_watcher}: list of email addresses to send mail to
@end itemize
@item @command{bro_log_compress.sh}:
@itemize
@item @code{Days2deletion}: remove files more than this many days old
(default = 60)
@item @code{Days2compression}: compress files more than this many days old
(default = 30)
@end itemize
@end itemize
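The following is an added example, written for this page rather than taken from the @emph{brolite} scripts: it implements the two checks the settings above control, a disk-usage alarm against @code{diskspace_pct} and an age sweep that deletes logs older than @code{Days2deletion} and compresses those older than @code{Days2compression}. The threshold values are the defaults quoted in the text; the log directory passed to @code{sweep} is assumed, mail to @code{diskspace_watcher} is replaced by a printed warning, and the @code{-n} dry-run flag is this example's own convention.

```shell
#!/bin/sh
# Added example (not the brolite check_disk.sh / bro_log_compress.sh): the
# disk-space alarm and the compress/delete sweep, driven by the bro.cfg
# settings named in the text.  The values are the documented defaults; the
# log directory is supplied by the caller.

diskspace_pct=85        # alarm when the filesystem is at least this full
Days2compression=30     # compress log files older than this many days
Days2deletion=60        # remove log files older than this many days

# Percent of the filesystem holding $1 that is in use.  df -P is the POSIX
# output format, so the "Use%" value is reliably the fifth column.
disk_pct_used() {
    df -P "$1" | awk 'NR == 2 { sub(/%/, "", $5); print $5 }'
}

# Succeeds when usage $1 has reached threshold $2 (integer percentages),
# i.e. the ">=" comparison the diskspace_pct setting describes.
disk_over_threshold() {
    [ "$1" -ge "$2" ]
}

# Decide what to do with a log file that is $1 days old.  Deletion is
# tested first so a file past both limits is removed, not compressed.
log_action() {
    if [ "$1" -gt "$Days2deletion" ]; then
        echo delete
    elif [ "$1" -gt "$Days2compression" ]; then
        echo compress
    else
        echo keep
    fi
}

# List regular files under $1 older than $2 days; with a third argument,
# only files that are not also older than $3 days (an age window).
old_logs() {
    if [ -n "$3" ]; then
        find "$1" -type f -mtime +"$2" ! -mtime +"$3" -print
    else
        find "$1" -type f -mtime +"$2" -print
    fi
}

# The cron-style pass over a log directory: warn on low disk, remove files
# past Days2deletion, gzip uncompressed files in the compression window.
# A second argument of -n only prints what would be done.
sweep() {
    logdir="$1"; dry="$2"
    used=$(disk_pct_used "$logdir")
    if disk_over_threshold "$used" "$diskspace_pct"; then
        # check_disk.sh would mail diskspace_watcher here; we only print.
        echo "WARNING: $logdir filesystem is ${used}% full (limit ${diskspace_pct}%)"
    fi
    old_logs "$logdir" "$Days2deletion" | while read -r f; do
        echo "delete $f"
        [ "$dry" = -n ] || rm -f "$f"
    done
    old_logs "$logdir" "$Days2compression" "$Days2deletion" | while read -r f; do
        case "$f" in *.gz) continue ;; esac   # already compressed
        echo "compress $f"
        [ "$dry" = -n ] || gzip "$f"
    done
}

# Typical cron use (assumed paths): sweep "$BROHOME/logs"
```

Sites that archive logs elsewhere should run their backup before @code{sweep}, or widen @code{Days2deletion}, since a file removed here is gone from the Bro host even if it was never copied off.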