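# Install cmake
yum install cmake28

# Install ipsumdump
# The tarball arrives over plain HTTP and is then built and installed as root,
# so nothing here proves it is the file the author published. Print its hash
# and compare it with a value obtained over a trusted channel before building.
wget http://www.read.seas.harvard.edu/~kohler/ipsumdump/ipsumdump-1.85.tar.gz
sha256sum ipsumdump-1.85.tar.gz
# Chain the build steps so a failed extract, cd or configure stops the run
# instead of letting make run in the wrong directory.
tar -zxvf ipsumdump-1.85.tar.gz &&
  cd ipsumdump-1.85 &&
  ./configure &&
  make &&
  make install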

# Install the remaining build and runtime dependencies.
# The last three commands carry no -y, so yum asks for confirmation there.
yum -y install kernel-devel kernel-headers
yum -y install \
  make autoconf automake gcc gcc-c++ flex bison libpcap libpcap-devel
yum -y install \
  openssl openssl-devel python-devel swig zlib zlib-devel
yum -y install openssl-libs bind-libs
yum -y install gawk
yum -y install pcre-devel
yum -y install libtool
yum -y install numactl numactl-devel
yum -y install gperftools-libs gperftools-devel
yum -y install GeoIP GeoIP-devel
yum install jemalloc jemalloc-devel
yum install curl
yum install libcurl-devel
or
# Shorter alternative to a longer per-package yum list (no -y: yum prompts).
yum install \
  cmake make gcc gcc-c++ flex bison \
  libpcap-devel openssl-devel python-devel swig zlib-devel perl
yum install GeoIP-devel

# Fetch the ipsumdump 1.85 source tarball (plain HTTP, no integrity check).
wget 'http://www.read.seas.harvard.edu/~kohler/ipsumdump/ipsumdump-1.85.tar.gz'

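# Install PF_RING
# The URL has to be quoted: left bare, the shell cuts the command at each '&',
# runs wget in the background with a truncated URL, and the archive lands
# under a query-string file name that then needs renaming. -O writes it
# straight to the expected name, so no follow-up mv is needed.
# The link is plain HTTP and nothing verifies the archive; a kernel module is
# built from it below, so compare the printed hash with a value obtained from
# the project over a trusted channel before going on.
wget -O PF_RING-6.0.3.tar.gz 'http://downloads.sourceforge.net/project/ntop/PF_RING/PF_RING-6.0.3.tar.gz?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fntop%2Ffiles%2FPF_RING%2F&ts=1444096722&use_mirror=jaist'
sha256sum PF_RING-6.0.3.tar.gz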
# tar xvfz PF_RING-6.0.3.tar.gz
# cd PF_RING-6.0.3/userland/lib
# ./configure --prefix=/opt/pfring
   ==> libnuma 관련 에러메세지가 나올 경우 아래와 같이 심볼릭 링크 설정 
# cd /usr/lib64
# ln -s ./libnuma.so.1 /usr/lib64/libnuma.so
# make install

# cd ../libpcap
# ./configure --prefix=/opt/pfring
# make install

# cd ../tcpdump-4.1.1/
# ./configure --prefix=/opt/pfring
# make install

# cd ../../kernel/
# make
# make install
# Load the pf_ring module from the .ko file in the current directory.
# This is an out-of-tree kernel module and runs with kernel privileges, so it
# should only be built from a source archive whose integrity was checked.
insmod ./pf_ring.ko
# NOTE(review): modprobe normally does nothing when the module is already
# loaded, so after the insmod above these parameters may not be applied;
# confirm the live values under /sys/module/pf_ring/parameters/.
modprobe pf_ring enable_tx_capture=0 min_num_slots=32768 

# Export header and library search flags that point at /usr/local.
export CFLAGS=-I/usr/local/include
export LDFLAGS=-L/usr/local/lib

# wget https://www.bro.org/downloads/archive/bro-2.4.tar.gz
# tar xvfz bro-2.4.tar.gz
# ./configure --with-pcap=/opt/pfring
# make
# make install


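libpcap 라이브러리 링크 확인
# ldd /usr/local/bro/bin/bro | grep pcap
    libpcap.so.1 => /usr/lib/libpcap.so.1 (0x0000003471e00000)
    ==> PF_RING용 libpcap을 사용하려면 경로가 --prefix 로 지정한 /opt/pfring 아래로 표시되어야 한다. 위 예시처럼 /usr/lib 경로가 나오면 시스템 기본 libpcap 에 링크된 것으로 보이므로 확인이 필요하다.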

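#vi http-add-post-bodies.bro
  ==> 아래 내용 삽입
  ==> 주의: 스크립트 이름으로 보아 HTTP POST 본문을 로그에 기록하는 것으로 보인다. 이 경우 비밀번호나 세션 토큰 같은 민감한 값이 로그에 평문으로 남을 수 있으므로 로그 파일의 접근 권한과 보존 기간을 제한해야 한다.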

# cp ./http-add-post-bodies.bro /usr/local/bro/share/bro/base/protocols/http/
# cd /usr/local/bro/share/bro/base/protocols/http/
# vi __load__.bro

@load ./main
@load ./entities
@load ./utils
@load ./files
@load ./http-add-post-bodies <=  추가

@load-sigs ./dpd.sig 

