Last active
July 25, 2019 04:33
Build Bro nightly & bro-plugins on CentOS 7.x
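#!/usr/bin/env bash
# Build Bro nightly and the bro-plugins AF_PACKET plugin from source on CentOS 7.
#
# Run as a regular user with sudo rights: the source RPM is unpacked and built
# under ${HOME}/rpmbuild without root; only package/file installation uses sudo.
# Strict mode stops at the first failed step so that a later `sudo make install`
# or root-owned file install never runs on top of a half-finished build.
set -euo pipefail

# Scratch directory for everything fetched from the network. Files are
# downloaded unprivileged, can be reviewed here, and are only then installed
# as root.
WORKDIR=$(mktemp -d)
trap 'rm -rf -- "${WORKDIR:?}"' EXIT

## Install EPEL
sudo yum -y install epel-release

## Install runtime dependencies - These will be needed once the RPM is built
sudo yum -y install libpcap openssl-libs bind-libs zlib bash python libcurl gawk GeoIP jemalloc

## Install the build dependencies
sudo yum -y install @development libpcap-devel openssl-devel bind-devel zlib-devel cmake git perl libcurl-devel GeoIP-devel python-devel jemalloc-devel swig rpmdevtools

## Pull down nightly source RPM (get current url from:
## https://download.opensuse.org/repositories/network:/bro/CentOS_7/src/)
SRPM_URL='https://download.opensuse.org/repositories/network:/bro/CentOS_7/src/bro-nightly-2.4-38.1.src.rpm'
SRPM="${WORKDIR}/bro-nightly.src.rpm"
# -f: fail on HTTP errors instead of saving an error page as the package.
curl -fsSL -o "$SRPM" "$SRPM_URL"
# Check digests and signature before unpacking: the spec file inside the SRPM
# is executed by rpmbuild below. Import the repository signing key first
# (`sudo rpm --import <path-to-repo-key>`), otherwise rpm has no key to verify
# the signature against.
rpm -K "$SRPM"
rpm -i "$SRPM"

## Build bro, but leave build tree for plugin build, binary packages will be in ${HOME}/rpmbuild/RPMS
cd "${HOME}/rpmbuild"
rpmbuild -ba SPECS/bro-nightly.spec --noclean

# Install packages
# HOME is quoted on its own so the brace expansion and glob still apply.
sudo yum install -y "${HOME}"/rpmbuild/RPMS/x86_64/{bro-nightly-core,libbroccoli-nightly,broctl-nightly,bro-nightly,bro-nightly-debuginfo}*.x86_64.rpm

mkdir -p "${HOME}/src"
cd "${HOME}/src"

## Checkout bro plugins
# This builds whatever the default branch currently holds and then installs it
# as root. For a repeatable build, check out a commit you have reviewed:
#   git -C bro-plugins checkout <reviewed-commit>
git clone https://github.com/bro/bro-plugins.git

# AF_PACKET requires kernel-devel
sudo yum install -y "kernel-devel-$(uname -r)"

## Build plugin
cd bro-plugins/af_packet
./configure --bro-dist="${HOME}/rpmbuild/BUILD/bro-nightly"
make

# Create bro plugin directory if it doesn't exist
sudo mkdir -p /opt/bro-nightly/lib/bro/plugins
sudo make install

## Install node config for Bro to use AF_PACKET (same file as listed in this gist)
# The raw URLs pin specific revisions of each gist file. ifup-local is executed
# by the network scripts on every interface bring-up, so read it before
# installing. ifcfg-em1 carries a fixed HWADDR and replaces any existing
# ifcfg-em1: adjust it to the local capture NIC first.
GIST_RAW='https://gist.githubusercontent.com/dcode/1a4a5c93371dfccde596/raw'
curl -fsSL -o "${WORKDIR}/node.cfg" "${GIST_RAW}/ea46b59ef85aec4fbb374cf1618ed4183bda41ed/node.cfg"
curl -fsSL -o "${WORKDIR}/ifup-local" "${GIST_RAW}/0ac3801d8c569a80d4a26c5791ef3e65674712ef/ifup-local"
curl -fsSL -o "${WORKDIR}/ifcfg-em1" "${GIST_RAW}/fa08d5f4992760da895495fbaf666abc6d0f0227/ifcfg-em1"

sudo install -o root -g root -m 0644 "${WORKDIR}/node.cfg" /opt/bro-nightly/etc/node.cfg
sudo install -o root -g root -m 0755 "${WORKDIR}/ifup-local" /sbin/ifup-local
sudo install -o root -g root -m 0644 "${WORKDIR}/ifcfg-em1" /etc/sysconfig/network-scripts/ifcfg-em1

# Stopping NetworkManager affects every interface it manages, not only the
# capture interface; run this from a session that does not depend on it.
sudo service NetworkManager stop
sudo service network start

# Install bro config and start
# NOTE(review): these run as the invoking user, while /opt/bro-nightly was
# populated with sudo above. Confirm which account is meant to own the broctl
# state and hold the capture privileges before running.
/opt/bro-nightly/bin/broctl install
/opt/bro-nightly/bin/broctl start

# Repeat for other plugins you'd like to build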
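# /etc/sysconfig/network-scripts/ifcfg-em1
# Capture interface definition: brought up at boot, with no address
# configuration and outside NetworkManager's control.
DEVICE=em1
ONBOOT=yes
# Hardware address from the original gist. Replace it with the MAC address of
# the local capture NIC before installing this file.
HWADDR=5C:26:0A:73:0C:AE
TYPE=Ethernet
# No DHCP and no static address on the capture interface.
BOOTPROTO=none
NM_CONTROLLED=no
IPV4_FAILURE_FATAL=no
IPV6_AUTOCONF=no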
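#!/bin/bash
# File: /sbin/ifup-local
#
# This script is run after normal sysconfig network-script configuration
# is performed on RHEL/CentOS-based systems.
#
# Parameters:
#   $1: network interface name
#
# Post ifup configuration for tuning capture interfaces.
# This is compatible with the ixgbe driver, YMMV.

# Log destination. Kept out of /tmp on purpose: this script writes to the path
# with the privileges of the network scripts, and a fixed name in a
# world-writable directory can be pre-created by any local user.
# Set to /dev/null to silence logging.
LOG=/var/log/ifup-local.log
IFACE=${1:-}

case "$IFACE" in
  em1)
    # One appended redirect for the whole group. The original used `&>$LOG`
    # on every command, which truncated the log each time and kept only the
    # last command's output.
    {
      printf '=== %s: tuning %s ===\n' "$(date)" "$IFACE"

      # Turn off offloads so the capture sees packets as they were on the wire.
      for feature in rx tx sg tso ufo gso gro lro rxvlan txvlan; do
        ethtool -K "$IFACE" "$feature" off
      done

      ethtool -N "$IFACE" rx-flow-hash udp4 sdfn
      ethtool -N "$IFACE" rx-flow-hash udp6 sdfn
      ethtool -n "$IFACE" rx-flow-hash udp6
      ethtool -n "$IFACE" rx-flow-hash udp4
      ethtool -C "$IFACE" rx-usecs 10
      ethtool -C "$IFACE" adaptive-rx off
      ethtool -G "$IFACE" rx 4096

      # Disable ipv6
      # stdout must reach the /proc file. The original appended `&>$LOG` after
      # `> /proc/...`, which re-pointed stdout at the log, so the value was
      # never written and IPv6 stayed enabled on the interface.
      echo 1 > "/proc/sys/net/ipv6/conf/${IFACE}/disable_ipv6"
      echo 0 > "/proc/sys/net/ipv6/conf/${IFACE}/autoconf"

      # Set promiscuous mode
      ip link set "$IFACE" promisc on

      # Just in case ipv6 is already on this interface, let's kill it.
      # Addresses are removed one at a time; passing several to a single
      # `ip addr del` fails when the interface holds more than one.
      ip addr show dev "$IFACE" | awk '/inet6/ { print $2 }' |
        while IFS= read -r addr; do
          ip addr del "$addr" dev "$IFACE"
        done
    } >>"$LOG" 2>&1
    ;;
  *)
    # No post commands needed for this interface
    ;;
esac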
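# /opt/bro-nightly/etc/node.cfg
# Single-host layout for broctl: manager, one proxy and three workers, all on
# 127.0.0.1.

[manager]
type=manager
host=127.0.0.1

[proxy-1]
type=proxy
host=127.0.0.1

# AF_PACKET
# All three workers read from em1 through the af_packet plugin, each pinned to
# its own CPU (5, 6, 7). Adjust the interface name and the CPU numbers to the
# cores available on the local host.
[worker-1]
type=worker
host=127.0.0.1
interface=af_packet::em1
pin_cpus=5

# AF_PACKET
[worker-2]
type=worker
host=127.0.0.1
interface=af_packet::em1
pin_cpus=6

# AF_PACKET
[worker-3]
type=worker
host=127.0.0.1
interface=af_packet::em1
pin_cpus=7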
This includes most of the optional dependencies from the install docs in the bro git repo. jemalloc depends on EPEL.