A saltstack formula to install BRO/Zeek Network Security Monitor on RHEL or Debian based systems.

Supports one capture interface at the moment. Adding ability to control multiple capture interfaces is on the TODO list

Formulas exist to help with installation and management of other components such as pf_ring.

pfring-formula https://github.com/saltstack-formulas/pfring-formula

Compile your own bro/zeek package using the guide RPM package creation for BRO IDS Deployments https://alias454.com/rpm-package-creation-for-bro-ids-deployments/.

^Meta-state (This is a state that includes other states)^.

Installs ^^bro^^ and it's requirements, manages the configuration file, and starts the service.

Manage repo files on RHEL/CentOS 7/Debian systems.

Install prerequisite packages.

Install bro packages.

Manage configuration file placement.

Manage BPF module and configuration. Supports a single bro-bpf.conf file that applies to all capture interfaces.

If using sendmail(postfix), manage relay host and service.

Manage bro service and a service to manage promiscuous mode of defined network interfaces on RHEL/CentOS 7/Debian systems.

Manage rsyslog config and service to send specifc log types to a remote collector.

Manage bro-pkg pip module and plugin installations.

Manage broctl cron entry.

Linux testing is done with kitchen-salt.

• Ruby
• Docker

$ gem install bundler
$ bundle install
$ bin/kitchen test [platform]

Where [platform] is the platform name defined in kitchen.yml, e.g. debian-9-2019-2-py3.

Creates the docker instance and runs the bro main state, ready for testing.

Runs the inspec tests on the actual instance.

Removes the docker instance.

Runs all of the stages above in one go: i.e. destroy + converge + verify + destroy.

Gives you SSH access to the instance for manual testing if automated testing fails.