mirror of
https://github.com/zeek/zeek.git
synced 2025-10-07 17:18:20 +00:00
@menu
* Starting Bro Daemon::
* Running Bro from the command line::
* Bro Cron Scripts::
@end menu

@c *********************************************************************
@node Starting Bro Daemon
@section Starting Bro Daemon
@cindex starting Bro daemon
@cindex bro.rc

Bro is automatically started at boot time via the @command{bro.rc}
script (located in @file{$BROHOME/etc} and @file{/usr/local/etc/rc.d} on
FreeBSD, or @file{/etc/init.d} on Linux).

To run this script by hand, type:
@example
bro.rc start
@end example
or
@example
bro.rc checkpoint
@end example
or
@example
bro.rc stop
@end example

Use @code{checkpoint} to restart a running Bro, loading a new policy file.

Note that under Linux, Bro must be run as the 'root' user, because
root privileges are required to capture packets.

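The following wrapper is an added example, not part of the Bro documentation or of the @command{bro.rc} script itself. It locates @command{bro.rc} in the three directories named above, rejects any action other than @code{start}, @code{checkpoint} or @code{stop}, and refuses to start live capture unless the caller is root, so that the failure is reported up front rather than by the packet capture later. It assumes @code{$BROHOME} is exported as @file{bro.cfg} does; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not part of the Bro documentation or distribution): find
# bro.rc where the text says it lives and check the preconditions for
# starting the daemon. Assumes BROHOME is exported (as bro.cfg does) and that
# the candidate directories are exactly the three the documentation lists.

# Print the first existing bro.rc among the documented locations, or fail.
bro_rc_path() {
    for dir in "${BROHOME:-/usr/local/bro}/etc" /usr/local/etc/rc.d /etc/init.d; do
        if [ -f "$dir/bro.rc" ]; then
            printf '%s\n' "$dir/bro.rc"
            return 0
        fi
    done
    echo "bro.rc not found (BROHOME=${BROHOME:-unset})" >&2
    return 1
}

# Only start, checkpoint and stop are meaningful actions for the rc script.
bro_rc_action_ok() {
    case "$1" in
        start|checkpoint|stop) return 0 ;;
        *) echo "unknown action: $1 (expected start, checkpoint or stop)" >&2
           return 1 ;;
    esac
}

# Capturing packets needs root on Linux; say so early and clearly.
bro_capture_allowed() {
    [ "$(id -u)" -eq 0 ]
}

# Validate everything, then hand over to bro.rc. Returns non-zero without
# running anything if a precondition fails; stop never needs root.
bro_rc() {
    action=$1
    bro_rc_action_ok "$action" || return 1
    rc=$(bro_rc_path) || return 1
    if [ "$action" != stop ] && ! bro_capture_allowed; then
        echo "must be root to run 'bro.rc $action' with live capture" >&2
        return 1
    fi
    "$rc" "$action"
}
```

Run it as @code{bro_rc start}, @code{bro_rc checkpoint} or @code{bro_rc stop} after sourcing @file{bro.cfg}; a missing script or a non-root start is reported on stderr with exit status 1.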
@c *********************************************************************

@node Running Bro from the command line
@section Running Bro from the command line
@cindex Running Bro from the command line

If you use @code{bash} for your shell, you do something like this
to start Bro by hand:

@example
cd /usr/local/bro
. etc/bro.cfg
./bro -i eth1 -i eth2 myhost.mysite.org.bro
@end example

The '. etc/bro.cfg' should set your $BROHOME and $BROPATH
correctly to find all of the needed files.

Files are loaded in the following order: Bro is invoked with a start
file (in the above, myhost.mysite.org.bro). In that file (which is
in $BROHOME/site) there should be a couple of lines like this at
the top:

@verbatim
---------------- myhost.mysite.org.bro ----------------------------
@prefixes = local
@load site # file generated by the network script for dynamic config
           # of the local network subnets.

# Make any changes to policy starting here
....
-------------- end --------------------------------------
@end verbatim

The '@@load site' will load the local.site.bro file from $BROHOME/site.
If you are making changes, you should make them in the 'myhost.mysite.org.bro'
file.

Bro can also be run on @code{tcpdump -w} files instead of on live traffic.
To do this, you must set a @code{BROPATH} environment variable to point
at your set of policy scripts. For example (in csh):

@example
setenv BROHOME /usr/local/bro
setenv BROPATH $BROHOME/site:$BROHOME/policy
bro -r dumpfile brohost
@end example

More information on Bro run-time flags and environment variables
is available in the
@uref{http://www.bro-ids.org/Bro-reference-manual/Bro-flags-and-run_002dtime-environment.html,
Reference Manual}.

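The script below is an added example, not code from the Bro project. It checks the environment that '. etc/bro.cfg' is supposed to establish (that $BROHOME and every directory in $BROPATH exist), shows which directory a given '@@load name' would be satisfied from by walking $BROPATH in order, and sanity-checks the traffic source before a @code{-r} dump-file or @code{-i} live run. It assumes that @file{bro.cfg} is a sh-style file exporting BROHOME and BROPATH (which sourcing it with '.' implies), that BROPATH is searched left to right, and that policy scripts may be referenced with or without a .bro suffix; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the Bro documentation or distribution).
# Assumptions: bro.cfg is sourced with "." and sets BROHOME and BROPATH;
# BROPATH is a colon-separated list searched left to right; a script may be
# named with or without its .bro suffix.

# Source a bro.cfg and verify BROHOME and every BROPATH entry exist.
# Reports each problem on stderr and returns 1 if any was found.
bro_env_check() {
    cfg=$1
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 1; }
    . "$cfg"
    status=0
    if [ -z "$BROHOME" ] || [ ! -d "$BROHOME" ]; then
        echo "BROHOME is not a directory: '$BROHOME'" >&2; status=1
    fi
    [ -n "$BROPATH" ] || { echo "BROPATH is not set" >&2; return 1; }
    rest=$BROPATH:                      # trailing ':' makes the loop uniform
    while [ -n "$rest" ]; do
        dir=${rest%%:*}; rest=${rest#*:}
        [ -z "$dir" ] && continue       # skip empty entries such as "a::b"
        [ -d "$dir" ] || { echo "BROPATH entry missing: $dir" >&2; status=1; }
    done
    return $status
}

# Print the file that "@load name" would pick up: the first BROPATH
# directory holding name or name.bro wins (assumed search order).
bro_resolve() {
    name=$1
    rest=$BROPATH:
    while [ -n "$rest" ]; do
        dir=${rest%%:*}; rest=${rest#*:}
        [ -z "$dir" ] && continue
        for cand in "$dir/$name" "$dir/$name.bro"; do
            if [ -f "$cand" ]; then
                printf '%s\n' "$cand"
                return 0
            fi
        done
    done
    echo "no script '$name' found in BROPATH=$BROPATH" >&2
    return 1
}

# A -r dump file must be readable; -i live capture needs root (see the
# previous section). Anything else is a usage error.
bro_source_check() {
    case "$1" in
        -r) [ -r "$2" ] || { echo "dump file not readable: $2" >&2; return 1; } ;;
        -i) [ "$(id -u)" -eq 0 ] || { echo "live capture on $2 needs root" >&2; return 1; } ;;
        *)  echo "expected -r FILE or -i IFACE, got '$1'" >&2; return 1 ;;
    esac
}
```

Typical use before launching: @code{bro_env_check /usr/local/bro/etc/bro.cfg && bro_resolve site && bro_source_check -r dumpfile}. When two directories in $BROPATH both contain a script of the same name, @code{bro_resolve} makes the shadowing visible, which is the usual cause of edits in $BROHOME/site apparently having no effect.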
@c *********************************************************************
@node Bro Cron Scripts
@section Bro Cron Scripts
@cindex bro_generate_report
@cindex bro_log_compress
@cindex check_disk
@cindex managing disk space

Installing @emph{brolite} automatically creates the
following @command{cron} jobs,
which run at the specified intervals.

@itemize
@item @command{site-report.pl}: generates a text report of all alarms
and notifications
@item @command{mail_reports.sh}: emails the reports generated
by @command{site-report.pl}
to the list of addresses specified in the file @code{$BROHOME/etc/bro.cfg}
@end itemize

These scripts can also all be run by hand at any time. Be sure your
$BROHOME environment variable is set first.

As Bro log files can get large quickly, it is important to ensure that
the Bro disk does not fill up. Bro includes some simple scripts to help
manage disk space. Most sites will want to customize these for their
own requirements, and integrate them into their backup system to make
sure files are not removed before they are archived.

@itemize
@item @command{check_disk.sh}: send email if disk space is too low
@item @command{bro_log_compress.sh}: remove/compress old log files
@end itemize

These scripts can be customized by editing their settings in
@code{$BROHOME/etc/bro.cfg}.
The settings are as follows:
@itemize
@item @command{check_disk.sh}:
@itemize
@item @command{diskspace_pct}: when disk is >= this percent full, send
email (default = 85%)
@item @command{diskspace_watcher}: list of email addresses to send mail
to
@end itemize
@end itemize

@itemize
@item @command{bro_log_compress.sh}:
@itemize
@item @command{Days2deletion}: remove files more than this many days old
(default = 60)
@item @command{Days2compression}: compress files more than this many
days old (default = 30)
@end itemize
@end itemize
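The following is an added example, not the @command{check_disk.sh} or @command{bro_log_compress.sh} shipped with @emph{brolite}: a minimal re-implementation of both jobs driven by the four settings listed above, with the defaults the text gives. It assumes the settings are plain sh variables in @file{bro.cfg} (consistent with the file being sourced with '.'), that logs live in a single directory passed as an argument, and that mail is sent with a @command{mail} command; the function names are the example's own. Deletion runs before compression so that a file is never gzipped only to be removed in the same pass, and files that are already @file{.gz} are not compressed again.

```shell
#!/bin/sh
# Added example (not the brolite scripts). Assumes diskspace_pct,
# diskspace_watcher, Days2deletion and Days2compression are sh variables set
# by sourcing bro.cfg; explicit arguments override them, and the defaults
# are the documented ones. -maxdepth is a GNU/BSD find extension.

# Percentage of the filesystem holding $1 that is in use (df -P is POSIX).
disk_pct_used() {
    df -P "$1" | awk 'NR == 2 { sub("%", "", $5); print $5 }'
}

# check_disk: return 1 (and print a report) when usage is at or above the
# threshold, i.e. the ">= diskspace_pct" rule from the settings list.
check_disk() {
    dir=$1
    pct=${2:-${diskspace_pct:-85}}
    used=$(disk_pct_used "$dir")
    if [ "$used" -ge "$pct" ]; then
        echo "disk holding $dir is ${used}% full (threshold ${pct}%)"
        return 1
    fi
    return 0
}

# Mail the report to the diskspace_watcher addresses when check_disk fails.
# diskspace_watcher is intentionally unquoted: it is a space-separated list.
check_disk_and_notify() {
    msg=$(check_disk "$@") && return 0
    if [ -n "$diskspace_watcher" ]; then
        printf '%s\n' "$msg" | mail -s "Bro disk space warning on $(hostname)" $diskspace_watcher
    fi
    return 1
}

# bro_log_compress: delete files older than Days2deletion, then gzip files
# older than Days2compression. Only plain files directly in the log
# directory are touched; gzip keeps the original mtime, so a compressed log
# still ages towards deletion on a later run.
bro_log_compress() {
    logdir=$1
    days_del=${2:-${Days2deletion:-60}}
    days_gz=${3:-${Days2compression:-30}}
    [ -d "$logdir" ] || { echo "no such log directory: $logdir" >&2; return 1; }
    find "$logdir" -maxdepth 1 -type f -mtime +"$days_del" -exec rm -f {} +
    find "$logdir" -maxdepth 1 -type f ! -name '*.gz' -mtime +"$days_gz" -exec gzip -f {} +
}
```

A cron entry would source @file{$BROHOME/etc/bro.cfg} and then call @code{check_disk_and_notify "$BROHOME/logs"} and @code{bro_log_compress "$BROHOME/logs"}. As the text advises, the deletion step should only run after the archive job has copied the files elsewhere; sequencing the two in one cron line (archive first, then this script) is the simplest way to guarantee that.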