NETMAP is a framework for very fast packet I/O from userspace with support for FreeBSD, Linux, and even Windows. Here, we’ll show how to set Bro up to use it.
Bro provides support for monitoring interfaces using netmap. However, as of FreeBSD 11.1 (bro-2.5.1) the binary package doesn’t ship with the needed netmap plugin. Furthermore, the port doesn’t support building any auxiliary plugins. Not to worry, we’ll just install Bro from source. It’s painless, trust me. 🙂
Setup used:
– FreeBSD 11.1-RELEASE
– NIC – Intel (igb driver)
1. First, we’ll need to install the necessary dependencies for compiling bro.
```sh
pkg install -y bash git flex bison cmake libpcap python py27-sqlite3 caf swig30
```
2. Download the source tarball and extract it.
```sh
mkdir /usr/local/src && cd /usr/local/src
fetch https://www.bro.org/downloads/bro-2.5.2.tar.gz
tar xzf bro-2.5.2.tar.gz && rm bro-2.5.2.tar.gz
cd bro-2.5.2
```
Now let's compile Bro. Note: if you only need the plugin (for another system that has Bro installed from the binary package), you still have to build Bro here, because the plugin build links against it; just skip the plugin's final `make install` in the next step and instead grab `aux/plugins/netmap/build/dist/Bro_Netmap-0.1.tar.gz` and extract it into Bro's plugin directory on the target (the one `bro-config --plugin_dir` reports there). The plugin is a compiled shared object, so the target needs the same Bro version and a matching FreeBSD release. Otherwise, proceed with the typical configure, make, and make install.
```sh
./configure && make -j2 && make install
```
3. Now we can compile and install the netmap plugin.
```sh
cd aux/plugins/netmap
./configure && make && make install
```
4. Now, we just need to configure Bro to use netmap. Here, we're instructing Bro to run four worker processes (`lb_procs=4`) on the igb1 interface, with `lb_method=custom` because the load balancing will be done outside Bro by netmap's `lb` tool (next step).
```sh
cat >/usr/local/bro/etc/node.cfg <<EOF
[logger]
type=logger
host=localhost

[manager]
type=manager
host=localhost

[proxy-1]
type=proxy
host=localhost

[worker-1]
type=worker
host=localhost
lb_method=custom
lb_procs=4
interface=netmap::igb1
EOF
```
If the interface you're having Bro monitor is dedicated to Bro and nothing else (a SPAN/mirror or tap port with no address of its own), enable `promisc` on it so the NIC accepts frames that aren't addressed to its own MAC, and raise the MTU so jumbo frames on the monitored segment aren't dropped. Just edit /etc/rc.conf:
```sh
ifconfig_igb1="promisc mtu 9000 up"
```
5. This is all well and good, however packets won't be balanced across your four `lb_procs` without the help of a utility called `lb`. It reads from the NIC and distributes packets into a set of netmap pipes (one per worker) based on a hash of the packet headers, so a given flow consistently lands on the same Bro worker. There's currently no port for `lb`, and you won't find it with the other netmap utilities shipped under `/usr/src/tools/tools/netmap`. We'll have to compile it manually from the upstream netmap repository.
```sh
cd /usr/local/src
fetch https://github.com/luigirizzo/netmap/archive/master.zip
unzip master.zip && rm master.zip
cd netmap-master/apps/lb
pkg install gmake
gmake
cp lb /usr/local/bin/
rehash
```
Now, let's start `lb` in the background and fire up Bro.
Make sure to create the same number of pipes (`-p`) as `lb_procs` in the Bro config; if the counts differ, some workers will sit idle or never see traffic.
```sh
lb -i igb1 -p 4 &
/usr/local/bro/bin/broctl deploy
cd /usr/local/bro/logs/current
```
You should now see some logs start to roll in.
6. Okay now, let's create some init scripts so both `lb` and `bro` start at boot time.
```sh
fetch -o /usr/local/etc/rc.d/bro https://gist.githubusercontent.com/shanerman/3988b535e9b7d1ee92afd88e47ba50da/raw/2a3e3feec2a3b9734013736e4dc43513608a9afd/bro
fetch -o /usr/local/etc/rc.d/lb https://gist.githubusercontent.com/shanerman/0efe1f5c4b5c7ab083f274a3d9c14543/raw/acdb2e7d6ae3d0599a0783006de9dd8cc3672d31/lb
chmod 555 /usr/local/etc/rc.d/{lb,bro}
```
As with any FreeBSD rc.d script built on rc.subr, they only run at boot once you enable them in /etc/rc.conf with the `_enable` knob each script declares (check the `rcvar` line in the script), and `lb` must be running before Bro's workers start, just as in the manual steps above.
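The one thing that silently breaks this setup is the pipe count given to `lb -p` drifting away from `lb_procs` in node.cfg (after someone adds workers, say). The script below is an added example, not code from the original post or from the Bro/netmap projects: it parses node.cfg, derives the matching `lb` command line from it, and can verify a given pipe count against the config. It assumes the `lb_method=custom` plus `interface=netmap::<nic>` convention used above; the embedded node.cfg is constructed sample input.

```sh
#!/bin/sh
# Added example: keep `lb -p N` in step with lb_procs in broctl's node.cfg.
# Assumes workers use interface=netmap::<nic> as in the config above.

# Print "<nic> <lb_procs>" for every worker section whose interface has
# the netmap:: prefix. lb_procs defaults to 1 when the key is absent.
netmap_workers() {
    awk -F= '
        function flush() {
            if (iface ~ /^netmap::/) {
                sub(/^netmap::/, "", iface)
                print iface, (procs == "" ? 1 : procs)
            }
            iface = ""; procs = ""
        }
        /^[[:space:]]*#/ { next }                 # comment
        /^[[:space:]]*\[/ { flush(); next }       # new [section]
        { gsub(/[[:space:]]/, "", $1); gsub(/[[:space:]]/, "", $2) }
        $1 == "interface" { iface = $2 }
        $1 == "lb_procs"  { procs = $2 }
        END { flush() }
    ' "$1"
}

# Print the lb invocation that matches each netmap worker. Nothing is
# printed for lb_procs=1: a single worker opens the NIC directly and
# needs no pipes.
lb_command() {
    netmap_workers "$1" | while read -r iface procs; do
        if [ "$procs" -gt 1 ]; then
            echo "lb -i $iface -p $procs"
        fi
    done
}

# Succeed only if <pipes> (what you plan to pass to lb -p for <nic>)
# equals lb_procs for that NIC in node.cfg.
#   check_pipe_count <node.cfg> <nic> <pipes>
check_pipe_count() {
    want=$(netmap_workers "$1" | awk -v i="$2" '$1 == i { print $2 }')
    [ -n "$want" ] && [ "$want" -eq "$3" ]
}

# Constructed sample node.cfg mirroring the one in the post; written to
# the path given as $1 so the functions above can be exercised offline.
sample_node_cfg() {
    cat >"$1" <<'EOF'
[logger]
type=logger
host=localhost

[manager]
type=manager
host=localhost

[proxy-1]
type=proxy
host=localhost

[worker-1]
type=worker
host=localhost
lb_method=custom
lb_procs=4
interface=netmap::igb1
EOF
}

# Usage: sh lbcheck.sh /usr/local/bro/etc/node.cfg  -> prints the lb line(s)
if [ $# -gt 0 ]; then
    lb_command "$1"
fi
```

Dropping the printed line straight into the `lb` rc script (or running `check_pipe_count` from it before starting Bro) means a later edit to `lb_procs` cannot leave workers idle. The parser only understands the flat `key=value` sections broctl writes; it does not try to handle the `env_vars` or comma-separated `interface` lists some newer broctl versions accept.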
That’s all folks. If you have any questions or tips, you can email me at shaner@shaner.life