mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 06:38:20 +00:00
105 lines
2.7 KiB
Text
105 lines
2.7 KiB
Text
Prerequisites
|
|
=============
|
|
|
|
Bro-aux relies on the following libraries and tools, which need to be installed
|
|
before you begin with the installation:
|
|
|
|
* Libpcap headers and libraries
|
|
Network traffic capture library
|
|
|
|
* Flex
|
|
Flex is already installed on most systems, so with luck you can
|
|
skip having to install it yourself.
|
|
|
|
* Bison
|
|
This comes with many systems, but if you get errors compiling
|
|
parse.y, you will need to install it.
|
|
|
|
* Perl
|
|
Used only during the Bro build process
|
|
|
|
* sed
|
|
Used only during the Bro build process
|
|
|
|
* BIND8 headers and libraries
|
|
These are usually already installed as well.
|
|
|
|
* OpenSSL headers and libraries
|
|
For analysis of SSL certificates by the HTTP analyzer, and
|
|
for encrypted Bro-to-Bro communication. These are likely installed,
|
|
though some platforms may require installation of a 'devel' package
|
|
for the headers.
|
|
|
|
* CMake 2.8 or greater
|
|
CMake is a cross-platform, open-source build system, typically
|
|
not installed by default. See http://www.cmake.org for more
|
|
information regarding CMake and the installation steps below for
|
|
how to use it to build this distribution.
|
|
|
|
Bro can also make uses of some optional libraries if they are found at
|
|
installation time:
|
|
|
|
* Libmagic
|
|
For identifying file types (e.g., in FTP transfers).
|
|
|
|
* LibGeoIP
|
|
For geo-locating IP addresses.
|
|
|
|
* Libz
|
|
For decompressing HTTP bodies by the HTTP analyzer, and for
|
|
compressed Bro-to-Bro communication.
|
|
|
|
Installation
|
|
============
|
|
|
|
To build and install into /usr/local:
|
|
|
|
> ./configure
|
|
> make
|
|
> make install
|
|
|
|
This will install the Bro binary into /usr/local/bin/bro and the policy
|
|
files into /usr/local/share/bro.
|
|
|
|
As usual you can specify a different installation directory with
|
|
|
|
> ./configure --prefix=<dir>".
|
|
|
|
Run "./configure --help" for more options.
|
|
|
|
|
|
Running Bro
|
|
===========
|
|
|
|
Bro is a complex program and it takes a bit of time to get familiar
|
|
with it. In the following we give a few simple examples. See
|
|
http://www.bro-ids.org/wiki for more information.
|
|
|
|
To run a policy file from /usr/local/share/bro, such as mt.bro, on a
|
|
previously captured tcpdump save file named foo:
|
|
|
|
bro -r foo mt.bro
|
|
|
|
To run from interface le0:
|
|
|
|
bro -i le0 mt
|
|
|
|
You can alternatively specify interface and scripts to load in your own
|
|
policy file:
|
|
|
|
@load mt
|
|
redef interfaces = "le0";
|
|
|
|
and then run
|
|
|
|
bro ./my-policy.bro
|
|
|
|
You can see the BPF filter Bro will use (if not overridden) by executing
|
|
|
|
bro mt print-filter
|
|
|
|
To run interactively (e.g., for playing with expression evaluation):
|
|
|
|
bro
|
|
|
|
"bro -h" lists the various options.
|