[Bro] Bro 1.5 sneak preview

Robin Sommer robin at icir.org
Fri Aug 21 16:20:43 PDT 2009


We are gearing up for a Bro 1.5 release and would like to solicit
some testing of the current codebase to weed out any potentially
remaining issues ahead of time. 

This applies in particular to a new
installation/configuration/maintenance framework called
"BroControl", which will ship as part of Bro 1.5, replacing the old
BroLite system that has already been deprecated for a while now. 

BroControl allows for easy operation of a Bro setup, both for
standard single-system installations as well as in cluster setups.
It includes functionality for configuration, log archival, mail
notifications, dynamic updates, and general monitoring.

We'd much appreciate it if folks could give our current development
version of Bro 1.5 and BroControl a try. In particular, trying
BroControl in both standalone and cluster operation on different
operating systems would be very helpful. So far, FreeBSD has seen
most testing, MacOS quite a bit, Linux only a little bit.

To get a copy of the current code base, use SVN:

   svn checkout http://svn.icir.org/bro/trunk/bro

You need to run "./autogen.sh" after the checkout before proceeding
with the normal ./configure. 

The default installation process should work as usual. For using
BroControl, see its documentation at

    http://svn.icir.org/bro/trunk/bro/aux/broctl/README.html

If you find any problems, or something important missing, please
file a ticket with the Bro issue tracker at

    http://tracker.icir.org/bro 

When filing a ticket regarding BroControl, please make sure to set
the ticket's component to "BroControl".


For folks running a previous version of the "cluster shell" from my
work-branch: BroControl is more or less a rebranding of the shell
and supersedes all previous versions. See below for update
instructions.

Finally, if you give this version a try, please drop me a quick mail
even if things are going smoothly for you so that we can keep track
of the testing this version has seen. 

Thanks a lot in advance,

Robin

--------- Update instruction ---------------------------------------------

For those folks already running a cluster installation using my work
branch, updating to trunk with broctl should be easy. Just follow
these steps:

1. Backup the following files:

   - All *.cfg files found in $prefix/etc
   - The current set of logs in $prefix/logs
   - Your site policies if they are installed somewhere under $prefix

2. Delete $prefix on all nodes (or at least anything Bro related in
   there).

3. Follow the installation instructions in
   
   http://svn.icir.org/bro/trunk/bro/aux/broctl/README.html
   
   Skip the steps involving any of the *.cfg files.

   Make sure to update the cron entry to use "broctl" instead of
   "cluster".

4. Copy the saved files back into place:

   - Copy all *.cfg back into $prefix/etc. Rename "cluster.cfg" to
   "broctl.cfg".
   
   - Copy the logs back into $prefix/logs.
   
   - Copy your site policies back. The new default location for them
   is $prefix/share/bro/policy/local. Copy them there or to whatever
   path your broctl.cfg specifies.

6. Run "broctl install", then "broctl check" to make sure everything
   works as expected.


Generally, everything should be working as before. The main
differences to the old cluster shell are (1) the executable is now
called "broctl" instead of "cluster"; and (2) "broctl install" no
longer copies any files from the Bro distribution directory into
the installation; you need to rerun "make install-broctl" if
anything inside the Bro distribution has changed (like after an "svn
update").


-- 
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org 
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
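
Steps 1 and 4 of the update instructions above, written out as two shell
functions. This is an added example, not part of the original mail or of
BroControl; the function names, the backup directory layout and the optional
site-policy argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: save and restore the files named in steps 1 and 4.
# backup_cluster / restore_cluster and the backup layout are hypothetical
# helpers, not BroControl commands.

# Step 1: save *.cfg, logs and (optionally) site policies outside $prefix.
backup_cluster() {   # usage: backup_cluster PREFIX BACKUP_DIR [POLICY_DIR]
    prefix=$1; backup=$2; policies=${3:-}
    # Refuse to report success with nothing saved: step 2 deletes $prefix.
    ls "$prefix"/etc/*.cfg >/dev/null 2>&1 || {
        echo "no *.cfg files in $prefix/etc" >&2; return 1; }
    mkdir -p "$backup/etc" "$backup/logs" "$backup/policy" || return 1
    cp -p "$prefix"/etc/*.cfg "$backup/etc/" || return 1
    if [ -d "$prefix/logs" ]; then
        cp -Rp "$prefix/logs/." "$backup/logs/" || return 1
    fi
    if [ -n "$policies" ] && [ -d "$policies" ]; then
        cp -Rp "$policies/." "$backup/policy/" || return 1
    fi
}

# Step 4: copy the saved files back once the reinstall (step 3) is done.
restore_cluster() {  # usage: restore_cluster BACKUP_DIR PREFIX
    backup=$1; prefix=$2
    local_policy="$prefix/share/bro/policy/local"   # new default location
    mkdir -p "$prefix/etc" "$prefix/logs" "$local_policy" || return 1
    cp -p "$backup"/etc/*.cfg "$prefix/etc/" || return 1
    # The old shell's cluster.cfg is renamed to broctl.cfg.
    if [ -f "$prefix/etc/cluster.cfg" ]; then
        mv "$prefix/etc/cluster.cfg" "$prefix/etc/broctl.cfg" || return 1
    fi
    cp -Rp "$backup/logs/." "$prefix/logs/" || return 1
    cp -Rp "$backup/policy/." "$local_policy/" || return 1
}
```

If broctl.cfg points at a different policy path, copy the saved policies there
instead of the default location used here.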