User Manual: Requirements
From BroWiki
Network Tap
Bro requires a network tap to give it access to live network traffic. The tap needs to be full-speed for the link being monitored and must provide copies of both directions of the link, or you need two taps, one for each direction.
Normally the network tap for Bro should be placed behind an external firewall and on the DMZ (the portion of the network under the control of the organization but outside of the internal firewall), as shown in the figure below. Some organizations might prefer to install the network tap outside the firewall in order to detect all scans or attacks. Placing Bro outside the firewall will allow the organization to better understand attacks, but will produce more notifications and alarms. Another option is to place Bro inside the internal firewall, allowing it to detect internal hosts with viruses or worms. In addition to the connection to the network tap, a separate network connection is recommended for management of Bro and access to log files.
For more information on taps and tap placement see the Netoptics White paper titled Deploying Network Taps with Intrusion Detection Systems ([1]).
Hardware and Software Requirements
Bro requires no custom hardware, and runs on low-cost commodity PC-style systems. However, the Bro monitoring host must examine every packet into and out of your site, so depending on your site's network traffic, you may need a fairly high-end machine. If you are trying to monitor a link with a large number of connections, we recommend using a second system for report generation and running only Bro on the packet-capture host.
| Item | Requirements |
|---|---|
| Processor | Note: these are rough estimates. Much depends on the number of connections/second and the types of traffic on your network (e.g., HTTP, FTP, email, etc.), and you can trade off depth of analysis (especially, which protocols are analyzed) for processing load. (See the Performance chapter of the Bro User Guide for more information.) Guidelines: 1 GHz CPU for 100 Mbps monitoring with average packet rate <= 5,000 packets/second; 2 GHz CPU for 1 Gbps monitoring with <= 10,000 packets/second; 3 GHz CPU for 1 Gbps monitoring with <= 20,000 packets/second; 4 GHz CPU for 1 Gbps monitoring with <= 50,000 packets/second. |
| Operating System | Recommended: FreeBSD ([2]). Bro works with many Unix systems, including Linux and Solaris, but has been primarily tuned for FreeBSD. We currently recommend using FreeBSD version 4.10 for Bro. If your site has a large number of packets or connections per second you should look at the section on Hardware and OS Tuning. FreeBSD 5.x should work, but is not quite as fast as 4.10. For sites with very high traffic loads and capturing traffic on two interfaces, contact us for a FreeBSD 4.x kernel patch to do BPF bonding, which allows merging the two directions of a network link into a single interface as seen by Bro. While Bro can instead merge the two interfaces at user level, this costs some performance. |
| Memory | 512 MB suffices for small networks (say 200 hosts connected via a 100 Mbps link). For larger networks, 1 GB RAM will be required, with 2-3 GB recommended. |
| Hard disk | 10 GB minimum, 50 GB or more for log files recommended. |
| User privileges | superuser to install Bro, with Bro then running as user bro. |
| Network Interfaces | 3 interfaces are recommended: 2 for packet capture (1 for each direction), and 1 for host management. Capture interfaces should be identical. For some network taps, both directions of the link are captured using the same interface, and the separate host management interface, while prudent, is not required. |
| Other Software | Perl ([3]) version 5.6 or higher for report generation, libpcap version 0.7.2 or higher ([4]). Note: Some versions of FreeBSD come with older versions of libpcap. Bro recommends newer versions of these tools for performance reasons. |
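A preflight check that compares a host against the minimums in the table (Perl >= 5.6, libpcap >= 0.7.2, 512 MB RAM, 10 GB disk, three interfaces). This is an added example, not a script shipped with Bro: the thresholds come from the table, the function names are my own, and the commands used to probe the local host (pcap-config, sysctl hw.physmem, ifconfig -l, /proc and /sys fallbacks) are assumptions that may not be present on every system.

```sh
#!/bin/sh
# Preflight check against the Bro requirements table (added example, not Bro's own code).
# Thresholds are the table's; helper names and host-probing commands are assumptions.

# version_ge A B: exit 0 if dotted version A >= B, compared numerically per
# component, so 4.10 > 4.9 and a missing component counts as 0 (0.7 == 0.7.0).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# check_requirements PERL_VER PCAP_VER MEM_MB DISK_GB N_IFACES
# Prints one status line per item and returns the number of hard failures
# (interface count is only a recommendation, so it warns instead of failing).
check_requirements() {
    failed=0
    if version_ge "$1" 5.6; then echo "ok    perl $1 (need >= 5.6)"
    else echo "FAIL  perl $1 (need >= 5.6)"; failed=$((failed + 1)); fi
    if version_ge "$2" 0.7.2; then echo "ok    libpcap $2 (need >= 0.7.2)"
    else echo "FAIL  libpcap $2 (need >= 0.7.2)"; failed=$((failed + 1)); fi
    if [ "$3" -ge 512 ]; then echo "ok    memory $3 MB (need >= 512; 1 GB+ for larger networks)"
    else echo "FAIL  memory $3 MB (need >= 512)"; failed=$((failed + 1)); fi
    if [ "$4" -ge 10 ]; then echo "ok    disk $4 GB (need >= 10; 50 GB+ recommended for logs)"
    else echo "FAIL  disk $4 GB (need >= 10)"; failed=$((failed + 1)); fi
    if [ "$5" -ge 3 ]; then echo "ok    $5 interfaces (2 capture + 1 management recommended)"
    else echo "WARN  $5 interfaces (3 recommended; some taps need only 1 capture NIC)"; fi
    return $failed
}

# probe_host: best-effort collection of the same five values from the local
# machine (FreeBSD commands first, Linux fallbacks), then the check above.
probe_host() {
    perl_ver=$(perl -e 'printf "%vd", $^V' 2>/dev/null || echo 0)
    pcap_ver=$(pcap-config --version 2>/dev/null || echo 0)   # assumption: pcap-config exists
    if mem_b=$(sysctl -n hw.physmem 2>/dev/null) && [ -n "$mem_b" ]; then
        mem_mb=$((mem_b / 1048576))
    else
        mem_mb=$(awk '/MemTotal/ {print int($2 / 1024)}' /proc/meminfo 2>/dev/null)
    fi
    disk_gb=$(df -Pk . | awk 'NR == 2 {print int($4 / 1048576)}')   # free GB on this filesystem
    if ifaces=$(ifconfig -l 2>/dev/null); then
        n_ifaces=$(( $(echo "$ifaces" | wc -w) ))
    else
        n_ifaces=$(( $(ls /sys/class/net 2>/dev/null | wc -l) ))
    fi
    # Bro is installed as root but runs as user "bro"; warn if that user is missing.
    id bro >/dev/null 2>&1 || echo "WARN  no 'bro' user yet; create it before running Bro unprivileged"
    check_requirements "$perl_ver" "$pcap_ver" "${mem_mb:-0}" "${disk_gb:-0}" "$n_ifaces"
}

# Run the live probe only when asked, so the functions can also be sourced
# and fed values by hand:  sh preflight.sh --host
if [ "${1-}" = "--host" ]; then probe_host; fi
```

The exit status of check_requirements is the number of unmet hard minimums, so the script can gate an automated install (`sh preflight.sh --host || exit`). Memory and disk are checked against the hard minimums only; the 1 GB and 50 GB figures in the table are recommendations and are reported in the status text rather than enforced.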