Bro Configuration

The Bro-Lite configuration script can be used to automatically configure Bro for you. It checks your system's BPF settings, creates a "bro" user account, installs a script to start Bro at boot time, and installs a number of cron jobs to checkpoint Bro every night, run periodic reports, and manage log files.

To run this configuration script type:

     make install-brolite
     

This will run the script bro_config, which creates the file $BROHOME/etc/bro.cfg. bro_config will ask a number of simple questions.

Sample output of bro_config, along with explanation, is shown below:

     Running Bro Configuration Utility
     Checking interfaces ....  Done.
     Reading /usr/local/bro/etc/bro.cfg.example for defaults.
     
The bro_config script looks first at ./bro.cfg, then /usr/local/bro/etc, for default values to use below.
     Bro Log archive location [/usr/local/bro/archive] 
     
This is the directory where log file archives are kept. If you expect the log files to be very large, it is recommended to put these in a separate disk partition.
     User id to install and run Bro under [bro] 
     
bro_config will create a new user account with this username if the user does not exist.
     Interface names to listen on. [en1,en2] 
     
bro_config looks for all network interfaces and does a short test to determine which interfaces see the most traffic, and selects these interfaces as the default.
     Site name for reports (i.e. LBNL, FOO.COM, BAZ.ORG) [] 
     Starting Report Time [0600]
     Report interval (in hours) [24]
     Email addresses for internal reports [bro@localhost] 
     Do you want to send external reports to a incident
     reporting org (e.g.: CERT, CIAC, etc) (Y/N)
     Y
     Email addresses for external reports [] 
     
Daily reports will be created. Enter the site name you want to appear at the top and in the subject of all email reports. The "start time" and "interval" define the window of network activity that the daily report will cover, starting at "Starting Report Time" and lasting through "Report interval". The start time should be entered in 24-hour clock notation. For example: 12:30AM = 0030, 2PM = 1400.

Two types of reports will be generated, "internal" and "external". Internal reports contain the same basic information as the external reports, along with traffic statistics and more detailed information on incidents. Both internal and external reports will be sent to the "internal" email address list. External reports are only sent if you answer "Y" and enter an external email address. (Note: currently only internal reports are generated)

     Do you want to encrypt the email reports (Y/N) [N]
     Y
     
If you want the email reports encrypted, you will need to set up GPG (http://www.gnupg.org) and create a GPG keyring containing the public keys of all email recipients. Instructions for this are in Encrypted Reports. Note: PGP keys are compatible with GPG, but the Bro supplied scripts require GPG, not PGP.
     Running script to determine your local subnets ... 
     Your Local subnets [198.129.224.1/32] 
     
Bro needs to know the list of your local subnets. bro_config runs a tool that attempts to discover this automatically. You should always verify the results of this tool. The format is a comma-separated list of entries of the form subnet/significant-bits, for example: 131.243.0.0/16, 198.128.0.0/18, 198.129.224.1/32. This information will be stored in the file $BROHOME/site/local.site.bro.
     Saving settings to file: /usr/local/bro/etc/bro.cfg
     Bro configuration finished. 
     To change these values, you can rerun bro_config at any time.
     
This indicates that the script finished successfully.
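Because the subnet discovery tool should always be double-checked, here is an added example (not part of Bro or bro_config) that parses the "Your Local subnets" answer in the subnet/bits format above, rejects malformed entries, and flags the cases most worth a second look: a /32 that probably is just the sensor's own address, an overly broad prefix, and overlapping entries. The sample answer is a constructed value.

```python
import ipaddress

# Constructed sample input: the "Your Local subnets" answer in the form
# bro_config expects, a comma-separated list of subnet/bits entries.
SAMPLE_ANSWER = "131.243.0.0/16, 198.128.0.0/18, 198.129.224.1/32"


def parse_local_nets(answer):
    """Parse a subnet/bits list into network objects. strict=True rejects
    entries whose host bits are set (e.g. 198.129.224.1/8), the most common
    mistake when this list is edited by hand."""
    nets = []
    for item in answer.split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=True))
    return nets


def review_local_nets(nets):
    """Return (prefix, reason) pairs worth a second look before accepting
    the auto-discovered list; an empty list means nothing stood out."""
    findings = []
    for i, net in enumerate(nets):
        if net.prefixlen == net.max_prefixlen:
            findings.append((str(net), "single host: discovery may have "
                                       "found only the sensor's own address"))
        elif net.prefixlen < 8:
            findings.append((str(net), "very broad prefix: nearly all "
                                       "traffic would count as local"))
        for other in nets[i + 1:]:
            if net.overlaps(other):
                findings.append((str(net), "overlaps %s: redundant entry" % other))
    return findings


def check_answer(answer):
    """Parse and review in one step; returns (ok, findings)."""
    try:
        nets = parse_local_nets(answer)
    except ValueError as exc:
        return False, [("-", "malformed entry: %s" % exc)]
    return True, review_local_nets(nets)


if __name__ == "__main__":
    for prefix, reason in check_answer(SAMPLE_ANSWER)[1]:
        print("%s: %s" % (prefix, reason))
```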

For sites monitoring very high traffic rates on Gigabit Ethernet, there is some additional system tuning that should be done. See the Performance Tuning section for more details.

To reconfigure Bro, run:

     $BROHOME/scripts/bro_config
     

This will update your /usr/local/bro/etc/bro.cfg file. You can also edit this file using your favorite editor if you prefer.

For other site customizations, you can edit the file $BROHOME/site/local.site.bro. For example, to tell Bro not to look at traffic for host 198.162.44.66, add:

     redef restrict_filters += {
       ["ignore host 198.162.44.66"] =
         "not host 198.162.44.66"
     };

More details are available in the section on Customizing Bro.