An Installation Script for Bro IDS on Debian Based Systems
This script compiles Bro-IDS with PF_RING support on Debian-based systems. It will also assist in setting up a clustered configuration.
Please note that this type of installation is intended for deployments where capture performance is the priority. The typical setup assumes that you have one or more interfaces dedicated to capturing traffic (i.e. receive only). PF_RING takes these interfaces over completely for capture; they cannot be used for any other purpose.
1. Run `sudo ./setup.sh`. This installs PF_RING to `/usr/local/pfring/` and Bro to `/usr/local/bro/`.
2. Run `sudo gen-node-cfg.sh` to automatically generate a `node.cfg` configuration file for your system.
3. Edit `broctl.cfg` in `/usr/local/bro/etc` to further tune your interfaces for performance. Uncomment the line `#interfacesetup.enabled=1` to enable it.
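As an added example (not code from this repository's `setup.sh` or `gen-node-cfg.sh`), the following POSIX shell functions perform the checks a practitioner would want after steps 2 and 3: one uncomments the `interfacesetup.enabled` line in `broctl.cfg`, the other walks `node.cfg` and reports any worker section that lacks an `interface=` or does not set `lb_method=pf_ring`, which is the whole point of a PF_RING build. It assumes BroControl's `node.cfg` keys (`type`, `interface`, `lb_method`) and the install paths named above; the `node.cfg` the demo writes is constructed, not a real deployment.

```shell
#!/bin/sh
# Added example: post-install sanity checks for the files the steps above
# produce. Not part of setup.sh or gen-node-cfg.sh. Assumes BroControl's
# node.cfg keys (type=, interface=, lb_method=) and the paths named above.

# Uncomment "#interfacesetup.enabled=1" in a broctl.cfg. Rewrites through a
# temp file so it works with any sed; returns 0 only if the line is enabled.
enable_interfacesetup() {
    cfg="$1"
    sed 's/^#[[:space:]]*interfacesetup\.enabled[[:space:]]*=[[:space:]]*1[[:space:]]*$/interfacesetup.enabled=1/' \
        "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    grep -q '^interfacesetup\.enabled[[:space:]]*=[[:space:]]*1' "$cfg"
}

# Walk node.cfg section by section. For every [worker...] section, require
# interface= and lb_method=pf_ring. Prints one line per problem, returns 1
# if any problem was found, 0 otherwise.
check_node_cfg() {
    awk '
        BEGIN { bad = 0 }
        function flush() {
            if (ntype == "worker") {
                if (iface == "") { print sect ": worker has no interface="; bad = 1 }
                if (lb != "pf_ring") { print sect ": lb_method is \"" lb "\", expected pf_ring"; bad = 1 }
            }
        }
        /^\[/ { flush(); sect = $0; sub(/^\[/, "", sect); sub(/\]$/, "", sect)
                ntype = ""; iface = ""; lb = ""; next }
        { sub(/[[:space:]]+$/, "") }
        /^type[[:space:]]*=/      { sub(/^type[[:space:]]*=[[:space:]]*/, "");      ntype = $0 }
        /^interface[[:space:]]*=/ { sub(/^interface[[:space:]]*=[[:space:]]*/, ""); iface = $0 }
        /^lb_method[[:space:]]*=/ { sub(/^lb_method[[:space:]]*=[[:space:]]*/, ""); lb = $0 }
        END { flush(); exit bad }
    ' "$1"
}

# Stand-alone demo on a constructed node.cfg (worker-2 is deliberately
# missing lb_method, so the check reports it).
demo() {
    dir=$(mktemp -d)
    cat > "$dir/node.cfg" <<'EOF'
[manager]
type=manager
host=localhost

[proxy-1]
type=proxy
host=localhost

[worker-1]
type=worker
host=localhost
interface=eth1
lb_method=pf_ring
lb_procs=4

[worker-2]
type=worker
host=localhost
interface=eth2
EOF
    printf '#interfacesetup.enabled=1\n' > "$dir/broctl.cfg"
    enable_interfacesetup "$dir/broctl.cfg" && echo "interfacesetup enabled"
    check_node_cfg "$dir/node.cfg" || echo "node.cfg needs attention"
    rm -rf "$dir"
}

demo
```

On a real install, run `check_node_cfg /usr/local/bro/etc/node.cfg` after step 2 and `enable_interfacesetup /usr/local/bro/etc/broctl.cfg` in place of the manual edit in step 3; both are safe to rerun.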
- https://docs.zeek.org/en/master/quickstart/index.html
- https://docs.zeek.org/en/master/install/index.html
- https://docs.zeek.org/en/master/frameworks/geoip.html
- https://docs.zeek.org/en/master/configuration/index.html
This script has been tested on:
- Ubuntu 16.04 LTS
If you successfully use this script on your system, please submit a PR adding your OS to this list.