mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 06:38:20 +00:00
104 lines
2.6 KiB
Text
104 lines
2.6 KiB
Text
Prerequisites
|
|
=============
|
|
|
|
Bro relies on the following libraries and tools, which need to be installed
|
|
before you begin with the installation:
|
|
|
|
* Libpcap
|
|
If libpcap is already installed on the system, by default Bro
|
|
will use that one. Otherwise, it falls back to a version shipped
|
|
with the Bro distribution.
|
|
|
|
* Flex
|
|
Flex is already installed on most systems, so with luck you can
|
|
skip having to install it yourself.
|
|
|
|
* Bison or byacc
|
|
These come with many systems, but if you get errors compiling
|
|
parse.y, you will need to install them. bison is available
|
|
from GNU sites such as ftp.gnu.org.
|
|
|
|
* BIND8 headers and libraries
|
|
These are usually already installed as well.
|
|
|
|
* Autotools
|
|
If you have checked the source out from Bro's Subversion
|
|
repository, you need the autotools suite installed. In this
|
|
case, run "./autogen.sh" first right after the check out.
|
|
Otherwise the installation steps below will fail.
|
|
|
|
Bro can also make uses of some optional libraries if they are found at
|
|
installation time:
|
|
|
|
* OpenSSL
|
|
For analysis of SSL certificates by the HTTP analyzer, and
|
|
for encrypted Bro-to-Bro communication.
|
|
|
|
* Libmagic
|
|
For identifying file types (e.g., in FTP transfers).
|
|
|
|
* LibGeoIP
|
|
For geo-locating IP addresses.
|
|
|
|
* Libz
|
|
For decompressing HTTP bodies by the HTTP analyzer, and for
|
|
compressed Bro-to-Bro communication.
|
|
|
|
* Endace's DAG tools:
|
|
For native support of Endace DAG cards.
|
|
|
|
|
|
Installation
|
|
============
|
|
|
|
To build and install into /usr/local:
|
|
|
|
> ./configure
|
|
> make
|
|
> make install
|
|
|
|
This will install the Bro binary into /usr/local/bin/bro and the policy
|
|
files into /usr/local/share/bro.
|
|
|
|
As usual you can specify a different installation directory with
|
|
|
|
> ./configure --prefix=<dir>".
|
|
|
|
Run "./configure --help" for more options.
|
|
|
|
|
|
Running Bro
|
|
===========
|
|
|
|
Bro is a complex program and it takes a bit of time to get familiar
|
|
with it. In the following we give a few simple examples. See
|
|
http://www.bro-ids.org/wiki for more information.
|
|
|
|
To run a policy file from /usr/local/share/bro, such as mt.bro, on a
|
|
previously captured tcpdump save file named foo:
|
|
|
|
bro -r foo mt.bro
|
|
|
|
To run from interface le0:
|
|
|
|
bro -i le0 mt
|
|
|
|
You can alternatively specify interface and scripts to load in your own
|
|
policy file:
|
|
|
|
@load mt
|
|
redef interfaces = "le0";
|
|
|
|
and then run
|
|
|
|
bro ./my-policy.bro
|
|
|
|
You can see the BPF filter Bro will use (if not overridden) by executing
|
|
|
|
bro mt print-filter
|
|
|
|
To run interactively (e.g., for playing with expression evaluation):
|
|
|
|
bro
|
|
|
|
"bro -h" lists the various options.
|