zeek/doc/user-manual/Bro-software.texi


@menu
* OS platform(s) to use::
* Required software::
* Optional software::
@end menu
@node OS platform(s) to use
@section OS platform(s) to use
@cindex OS issues
Bro will run on a variety of UNIX flavors such as FreeBSD, NetBSD, and Solaris, and will also
run on Linux. Although Bro has been ported or can readily be ported to many flavors of Unix,
Bro currently runs best on FreeBSD for the following reasons:
@itemize
@item Most current development and system integration efforts are taking place on FreeBSD.
@item Compiling Bro on FreeBSD is more straightforward than on any other OS.
@item Bro performance on this platform has been extensively tested.
@item Policy scripts have been tested more on FreeBSD than on any other OS.
@item Bro documentation (such as this User Manual) is oriented more towards FreeBSD than
any other flavor of Unix. Discussion of startup scripts, for example, focuses on files and
directories found in FreeBSD systems.
@end itemize
An important consideration in your choice of operating system on which Bro will run is whether
@command{BPF} (the Berkeley Packet Filter) runs in the kernel. Bro hands the kernel a @command{BPF} filter so that
packets Bro does not need to inspect are discarded before they are copied into user space; without
in-kernel filtering every packet crosses into user space and is discarded there at much higher cost,
so @command{BPF} greatly increases Bro's efficiency. Solaris does not provide @command{BPF}, which is a problem,
although Solaris at least has a @command{BPF} compatibility mode that to some degree solves it.
Linux kernels did not originally provide @command{BPF} either; current kernels include a socket filter
to which libpcap attaches the compiled filter (via @code{SO_ATTACH_FILTER}), so on a distribution that ships
libpcap, such as Red Hat, packets are filtered in the kernel and Bro runs efficiently. Check what your
libpcap does on your kernel rather than assuming; if the filter runs in user space, Bro will see every packet.
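The following is an added example, not code from the Bro manual or the Bro/Zeek project, in Python. It interprets the classic @command{BPF} listing that @command{tcpdump -d} prints, so you can see exactly what the in-kernel filter decides for a given packet before Bro ever sees it. The program it runs mirrors what libpcap emits for the expression @samp{tcp port 80} on an Ethernet link (transcribed from @command{tcpdump -d} output; assumed to match your libpcap version, rerun @command{tcpdump -d} to confirm). The sample packets are constructed inline.

```python
"""Interpreter for the classic BPF listing printed by `tcpdump -d`.

Added example, not Bro/Zeek project code.  It shows what the in-kernel
filter Bro relies on does with each packet before it is copied to user
space.  TCP_PORT_80 mirrors what libpcap emits for 'tcp port 80' on an
Ethernet link (transcribed from tcpdump -d; assumed to match your version).
All packets below are constructed samples.
"""
import re
import struct

TCP_PORT_80 = """
(000) ldh      [12]
(001) jeq      #0x86dd          jt 2    jf 8
(002) ldb      [20]
(003) jeq      #0x6             jt 4    jf 19
(004) ldh      [54]
(005) jeq      #0x50            jt 18   jf 6
(006) ldh      [56]
(007) jeq      #0x50            jt 18   jf 19
(008) jeq      #0x800           jt 9    jf 19
(009) ldb      [23]
(010) jeq      #0x6             jt 11   jf 19
(011) ldh      [20]
(012) jset     #0x1fff          jt 19   jf 13
(013) ldxb     4*([14]&0xf)
(014) ldh      [x + 14]
(015) jeq      #0x50            jt 18   jf 16
(016) ldh      [x + 16]
(017) jeq      #0x50            jt 18   jf 19
(018) ret      #262144
(019) ret      #0
"""

INSN = re.compile(r"\((\d+)\)\s+(\w+)\s*(.*)")
JUMP = re.compile(r"#(\w+)\s+jt\s+(\d+)\s+jf\s+(\d+)")
ABS = re.compile(r"\[(\d+)\]")
IND = re.compile(r"\[x \+ (\d+)\]")
MSH = re.compile(r"4\*\(\[(\d+)\]&0xf\)")


def parse(listing):
    """Turn a tcpdump -d listing into a list of (opcode, operands...) tuples."""
    prog = []
    for line in listing.strip().splitlines():
        op, arg = INSN.match(line.strip()).group(2, 3)
        if op in ("jeq", "jset"):                 # conditional jump, absolute targets
            val, jt, jf = JUMP.match(arg).groups()
            prog.append((op, int(val, 0), int(jt), int(jf)))
        elif op == "ret":                         # accept N bytes (0 = drop)
            prog.append((op, int(arg.lstrip("#"), 0)))
        elif op == "ldxb":                        # X = 4 * (pkt[k] & 0xf): IPv4 header length
            prog.append((op, int(MSH.match(arg).group(1))))
        elif op in ("ldh", "ldb"):
            ind = IND.match(arg)
            if ind:                               # indexed load: [x + k]
                prog.append((op + "x", int(ind.group(1))))
            else:                                 # absolute load: [k]
                prog.append((op, int(ABS.match(arg).group(1))))
        else:
            raise ValueError("unsupported opcode: " + op)
    return prog


def _load(pkt, ofs, size):
    """Read a big-endian field; None if it lies outside the packet (BPF then rejects)."""
    if ofs < 0 or ofs + size > len(pkt):
        return None
    return int.from_bytes(pkt[ofs:ofs + size], "big")


def run(prog, pkt):
    """Execute the filter; return the snap length to pass up (0 means drop)."""
    a = x = pc = 0
    while True:
        insn = prog[pc]
        op = insn[0]
        if op == "ret":
            return insn[1]
        if op == "jeq":
            pc = insn[2] if a == insn[1] else insn[3]
            continue
        if op == "jset":
            pc = insn[2] if a & insn[1] else insn[3]
            continue
        if op == "ldxb":
            byte = _load(pkt, insn[1], 1)
            if byte is None:
                return 0
            x = 4 * (byte & 0xF)
        else:
            size = 2 if op.startswith("ldh") else 1
            ofs = insn[1] + (x if op.endswith("x") else 0)
            val = _load(pkt, ofs, size)
            if val is None:
                return 0
            a = val
        pc += 1


def ipv4_packet(proto, sport, dport, frag_off=0):
    """Ethernet + minimal IPv4 header + 20-byte L4 header (constructed sample)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, frag_off, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + struct.pack("!HH", sport, dport) + b"\x00" * 16


def ipv6_packet(next_hdr, sport, dport):
    """Ethernet + IPv6 header with no extension headers + L4 header (constructed)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x86DD)
    ip6 = struct.pack("!IHBB16s16s", 0x60000000, 20, next_hdr, 64,
                      b"\x00" * 15 + b"\x01", b"\x00" * 15 + b"\x02")
    return eth + ip6 + struct.pack("!HH", sport, dport) + b"\x00" * 16


if __name__ == "__main__":
    prog = parse(TCP_PORT_80)
    samples = [
        ("IPv4 TCP -> port 80", ipv4_packet(6, 1025, 80)),
        ("IPv4 UDP -> port 80", ipv4_packet(17, 1025, 80)),
        ("IPv4 TCP -> port 22", ipv4_packet(6, 1025, 22)),
        ("IPv4 TCP -> port 80, non-first fragment", ipv4_packet(6, 1025, 80, frag_off=8)),
        ("IPv6 TCP -> port 80", ipv6_packet(6, 1025, 80)),
        ("IPv4 TCP -> port 80, truncated", ipv4_packet(6, 1025, 80)[:30]),
    ]
    for name, pkt in samples:
        print(f"{name:42s} {'pass' if run(prog, pkt) else 'drop'}")
```

Two things the listing makes visible that matter when you write Bro's capture filter: instruction 012 drops any IPv4 packet with a non-zero fragment offset, so a port-based filter only ever delivers the first fragment of a fragmented TCP segment; and the IPv6 branch (instructions 002 and 003) tests the next-header byte at a fixed offset, so packets carrying extension headers before TCP are not matched at all.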
@node Required software
@section Required software
Additional software is necessary to support certain Bro functions. Each package or tool must be
installed where Bro can find it; executables must be in the Bro user's PATH (as explained more fully in Section 4):
@itemize
@item tcpdump: Lets you apply filter expressions ("filters") to determine which packets are
and are not captured from the network, and lets you inspect captured traffic. You can obtain tcpdump from ftp://ftp.ee.lbl.gov
@item libpcap: Available from ftp.ee.lbl.gov. This is the packet capture library, developed at
LBNL, on which both tcpdump and Bro are built; it compiles filter expressions into @command{BPF} programs.
@item tcpslice: Available from ftp.ee.lbl.gov. This extracts the portion of a trace file written
by tcpdump that falls within a given time range, which is useful for cutting a large capture down before feeding it to Bro.
@item Perl: Available from ftp.perl.org. Perl version XX or higher is necessary for some of the scripts to run.
@item BIND 8 or 9: Available from ftp.isc.org.
Run a caching DNS server on the Bro machine so that the hostname lookups Bro performs when it
reads the entries in its policy scripts go through a consistent local resolver. Inconsistent or
failed lookups can cause policies to be interpreted incorrectly, so this is an important factor
in setting up a Bro box. The local server also keeps the resolved entries available throughout
Bro's operation and across rotation of its logs (which requires that Bro's process be checkpointed).
@end itemize
@node Optional software
@section Optional software
The @command{ipw} utility is also very useful; a FreeBSD package is available from ftp.freebsd.org.
Given an IP address, it determines who is responsible for the address range containing it and
prints contact information for that person or organization, which saves time when you need to
report activity seen by Bro to the owner of a remote network.