I’ve been working with Bro a lot lately and thought it’d be worth trying to get Bro running on pfSense. In an ideal situation, you wouldn’t normally run an IDS on your firewall, but for low bandwidth installations or the budget constrained, it’ll work fine.
1. You’ll need to enable ssh access to your pfSense firewall as it’s not enabled by default. To do this, login to pfsense and browse to System > Advanced, then scroll down to the SSH section and check ‘Enable Secure Shell’.
I recommend setting up pub key authentication by adding your public key to the admin user in pfsense. This will allow you to login via ssh without using a password. Just don’t lose your private key!
2. Now open a terminal and ssh into pfsense. Note, we’re using the ‘root’ user instead of the normal ‘admin’ you typically use to login via web interface.
ssh root@192.168.1.1
You’ll then be presented with a text interface. You’ll want to drop to a shell which is option ‘8’.
3. By default, pfSense disables upstream pkg repositories (for good reason). So lets re-enable them albeit, temporarily. There are two files you’ll need to edit.
/usr/local/etc/pkg/repos/FreeBSD.conf /usr/local/share/pfSense/pkg/repos/pfSense-repo.conf
Make it look like:
FreeBSD: { enabled: yes }
4. Now, we can update the pkg cache and get on with installing and configuring bro.
pkg update && pkg install -y bro
5. Bro should now be installed. **You should now reverse the changes you made in step 3.** You’ll need to pick which interface you’d like Bro to monitor. I’m going to monitor my (LAN) interface which equates to ‘igb1’ for my Intel NIC.
cat > /usr/local/etc/node.cfg <<EOF [logger] type=logger host=localhost [manager] type=manager host=localhost [proxy-1] type=proxy host=localhost [worker-1] type=worker host=localhost interface=igb1 EOF
6. Next, we’ll disable status emails, and have bro rotate logs once a day instead of the default one hour.
cat > /usr/local/etc/broctl.cfg <<EOF MailTo = root@localhost MailConnectionSummary = 0 MinDiskSpace = 0 MailHostUpDown = 0 LogRotationInterval = 86400 LogExpireInterval = 0 StatsLogEnable = 1 StatsLogExpireInterval = 1 StatusCmdShowAll = 0 CrashExpireInterval = 1 SitePolicyScripts = local.bro LogDir = /usr/local/logs SpoolDir = /usr/local/spool CfgDir = /usr/local/etc EOF
7. Have bro check your configuration and start it up. While the ‘deploy’ command will automatically run ‘check’ for you, it’s good practice to run it by itself after any modifications to Bro before deploying those changes.
broctl check && broctl deploy
8. You should now be able to watch the logs Bro is generating.
tail -f /usr/local/logs/current/*
So there you have it, bro running on pfSense. In upcoming articles, I’ll dive into parsing bro logs using `bro-cut` and also how to setup Bro to push logs into an Apache Kafka pipeline for more fun and profit.
Leave a Reply
You must be logged in to post a comment.