User Manual: Running Bro
From BroWiki
Starting Bro Daemon
Bro is automatically started at boot time via the bro.rc
script (located in $BROHOME/etc and /usr/local/etc/rc.d on
FreeBSD, or /etc/init.d on Linux).
To run this script by hand, type:
bro.rc start
or
bro.rc checkpoint
or
bro.rc stop
Use checkpoint to restart a running Bro, loading a new policy file.
Note that under Linux, Bro must be run as the 'root' user. Linux must have root privilages to capture packets.
Running Bro from the command line
If you use bash for your shell, you do something like this
to start Bro by hand:
cd /usr/local/bro . etc/bro.cfg ./bro -i eth1 -i eth2 myhost.mysite.org.bro
The '. etc/bro.cfg' should set your $BROHOME and $BROPATH correctly to find all of the needed the files.
Files are loaded is the following order: Bro is invoked with a start file (in the above myhost.mysite.org.bro). In that file (which is in $BROHOME/site) there should be a couple of lines like this at the top:
---------------- myhost.mysite.org.bro ---------------------------- # of the local network subnets.
# Make any changes to policy starting here .... -------------- end --------------------------------------
The '@load site' will load the local.site.bro file from $BROHOME/site. If you are making changes, you should make them in 'myhost.mysite.bro' file.
Bro can also be run on tcpdump -w files instead of on live traffic.
To do this, you must set a BROPATH enviroment variable to point
at your set of policy scripts. For example (in csh):
setenv BROHOME /usr/local/bro setenv BROPATH $BROHOME/site:$BROHOME/policy bro -r dumpfile brohost
More information on Bro run-time flags and environment variables is available in the Reference Manual.
Bro Cron Scripts
Installing brolite automatically creates the
following cron jobs,
which are run on at the specified intervals.
-
site-report.pl: generates a text report of all alarms
and notifications
-
mail_reports.sh:emails the reports generated bysite-report.plto the list of addresses specified in the file$BROHOME/etc/bro.cfg
These scripts can also all be run by hand at any time. Be sure your $BROHOME environment variable is set first.
As Bro log files can get large quickly, it is important to ensure that the Bro disk does not fill up. Bro includes some simple scripts to help manage disk space. Most sites will want to customize these for their own requirements, and integrate them into their backup system to make sure files are not removed before they are archived.
-
check_disk.sh: send email if disk space is too low -
bro_log_compress.sh: remove/compress old log files.
These scripts can be customized by editing their settings in
$BROHOME/etc/bro.cfg. The settings are as follows:
-
check_disk.sh: -
diskspace_pct: when disk is >= this percent full, send email (default = 85%) -
diskspace_watcher: list of email addresses to send mail to -
bro_log_compress.sh: -
Days2deletion: remove files more than this many days old (default = 60) -
Days2compression: compress files more than this many days old (default = 30)
