alias454/bro-formula

bro-formula

A saltstack formula to install BRO/Zeek Network Security Monitor on RHEL or Debian based systems.

Supports one capture interface at the moment. Adding the ability to control multiple capture interfaces is on the TODO list.

Formulas exist to help with installation and management of other components such as pf_ring.

pfring-formula https://github.com/saltstack-formulas/pfring-formula

Compile your own bro/zeek package using the guide "RPM package creation for BRO IDS Deployments" (https://alias454.com/rpm-package-creation-for-bro-ids-deployments/).

Note

The FORMULA file contains information about the version of this formula, the tested OS and OS families, and the minimum tested version of salt.

See the full Salt Formulas installation and usage instructions.

Meta-state (this is a state that includes other states).

Installs bro and its requirements, manages the configuration file, and starts the service. The states it includes:

  • Manage repo files on RHEL/CentOS 7/Debian systems.
  • Install prerequisite packages.
  • Install bro packages.
  • Manage configuration file placement.
  • Manage BPF module and configuration. Supports a single bro-bpf.conf file that applies to all capture interfaces.
  • If using sendmail (postfix), manage relay host and service.
  • Manage bro service and a service to manage promiscuous mode of defined network interfaces on RHEL/CentOS 7/Debian systems.
  • Manage rsyslog config and service to send specific log types to a remote collector.
  • Manage bro-pkg pip module and plugin installations.
  • Manage broctl cron entry.
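As an added illustration, not a state taken from this formula: a Salt SLS in the same style that manages the single bro-bpf.conf, a systemd unit that keeps the capture interface in promiscuous mode, and a bro service that is restarted when the filter changes. The pillar keys (bro:capture_interface, bro:bpf_filter), the path /opt/bro/etc/bro-bpf.conf and the unit/service names are assumptions, not the formula's own.

```yaml
# Illustrative state, not part of bro-formula. Pillar keys, paths and
# service names below are assumed for the example.
{%- set iface = salt['pillar.get']('bro:capture_interface', 'eth1') %}
{%- set bpf = salt['pillar.get']('bro:bpf_filter', 'not port 22') %}

# One bro-bpf.conf applies to every capture interface, so the filter
# is written once and every interface inherits it.
bro-bpf-conf:
  file.managed:
    - name: /opt/bro/etc/bro-bpf.conf
    - contents: |
        {{ bpf }}
    - user: root
    - group: root
    - mode: '0644'

# Template unit (bro-promisc@<iface>) that puts the capture interface in
# promiscuous mode. RemainAfterExit keeps it "active" after the oneshot
# ExecStart, so "enable" restores promisc mode on every boot.
bro-promisc-unit:
  file.managed:
    - name: /etc/systemd/system/bro-promisc@.service
    - contents: |
        [Unit]
        Description=Promiscuous mode for bro capture interface %i
        Before=bro.service

        [Service]
        Type=oneshot
        RemainAfterExit=yes
        ExecStart=/sbin/ip link set dev %i promisc on
        ExecStop=/sbin/ip link set dev %i promisc off

        [Install]
        WantedBy=multi-user.target
    - mode: '0644'

bro-promisc-service:
  service.running:
    - name: bro-promisc@{{ iface }}
    - enable: True
    - require:
      - file: bro-promisc-unit

# The bro service itself: started after the interface is promiscuous,
# and restarted whenever the BPF filter file changes.
bro-service:
  service.running:
    - name: bro
    - enable: True
    - require:
      - service: bro-promisc-service
    - watch:
      - file: bro-bpf-conf
```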

Linux testing is done with kitchen-salt.

Requirements

  • Ruby
  • Docker

$ gem install bundler
$ bundle install
$ bin/kitchen test [platform]

Where [platform] is the platform name defined in kitchen.yml, e.g. debian-9-2019-2-py3.

Test options

bin/kitchen converge

Creates the docker instance and runs the bro main state, ready for testing.

bin/kitchen verify

Runs the inspec tests on the actual instance.

bin/kitchen destroy

Removes the docker instance.

bin/kitchen test

Runs all of the stages above in one go: i.e. destroy + converge + verify + destroy.

bin/kitchen login

Gives you SSH access to the instance for manual testing if automated testing fails.