Bro NSM Puppet Module

Puppet module to manage a Bro Network Security Monitor. (To learn more about Bro visit the organization's website:

###Description

This module has been tested on CentOS 6.5 and Ubuntu 12.04. It should work on any RedHat or Debian based system. RedHat systems can install from a pre-built package. Debian systems will need to set pkg_source => 'none' or 'repo'. If pkg_source => 'none', prebuild and install the package manually. If set to 'repo', Puppet will assume bro is in a package repository (yum/apt). Using a private package repository server is recommended.

Bro 2.3 Compatible

If running with pfring you will need to compile custom packages.

###Standalone Bro - RedHat

    class { 'bro':
      int => 'eth2',
    }

###Standalone Bro - Debian

    class { 'bro':
      pkg_source => 'none',
      int        => 'eth2',
    }

###Basic Bro Cluster

    class { 'bro':
      manager => 'sensor01',
      proxy   => 'sensor01',
      network => ['',''],
      type    => 'cluster',
    }
    bro::worker { 'eth1':
      host => 'sensor01',
    }
    bro::worker { 'eth2':
      host => 'sensor01',
    }

###Advanced - Bro Cluster : Pfring

You must specify cpus or procs when method is set. cpus => ['1','4'] represents CPUs 1,2,3,4 and also sets lb_procs to 4.

    class { 'bro':
      manager => 'sensor01',
      proxy   => 'sensor01',
      network => ['',''],
      type    => 'cluster',
    }
    bro::worker { 'eth1':
      host   => 'sensor01',
      method => 'pf_ring',
      cpus   => ['1','4'],
    }
    bro::worker { 'eth2':
      host   => 'sensor01',
      method => 'pf_ring',
      procs  => '7',
    }

###Advanced - Bro Cluster : Myricom

    class { 'bro':
      manager => 'sensor01',
      proxy   => 'sensor01',
      network => ['',''],
      type    => 'cluster',
    }
    bro::worker { 'eth1':
      host   => 'sensor01',
      method => 'myricom',
      procs  => '12',
    }


This bro module will first look for a local.bro.$hostname and if that file does not exist it will load the default local.bro.

Place any custom local.bro files in files/localbro

There is a default local.bro in files/localbro/local.bro. DO NOT EDIT THIS FILE.

To override the default local.bro, modify the sitepolicy value.

    class { 'bro':
      sitepolicy => 'custom_local.bro',
    }

###Bro Scripts

Place all Bro scripts into /files/scripts

Puppet will sync everything you place in this directory.

It is recommended to put Bro scripts in individual directories and use __load__.bro files.

directory = scripts/something
script = scripts/something/something.bro
loader = scripts/something/__load__.bro

Then in your custom.local.bro you can @load scripts/something
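
Because Puppet syncs everything under the scripts directory, a script that no loader references still ships to the sensor but never runs. The following lint for the layout above is an added example, not part of this module; `check_bro_scripts` and `make_sample_tree` are hypothetical names, and it assumes each `__load__.bro` loads its sibling scripts with `@load ./name`.

```shell
#!/bin/sh
# Added example, not part of the module. Lints a files/scripts tree before
# Puppet syncs it. Assumption: each package directory's __load__.bro loads
# its sibling scripts with "@load ./name" (or "@load name"), and script
# names contain no regex metacharacters.

# check_bro_scripts ROOT: print one line per problem; return 1 if any found.
check_bro_scripts() {
    root=$1
    problems=0
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        dir=${dir%/}
        loader="$dir/__load__.bro"
        if [ ! -f "$loader" ]; then
            echo "MISSING_LOADER $dir"
            problems=$((problems + 1))
            continue
        fi
        for script in "$dir"/*.bro; do
            [ -f "$script" ] || continue
            name=$(basename "$script" .bro)
            [ "$name" = "__load__" ] && continue
            # A commented-out "# @load ./name" does not count as loaded.
            if ! grep -Eq "^[[:space:]]*@load[[:space:]]+(\./)?$name(\.bro)?[[:space:]]*(#.*)?$" "$loader"; then
                echo "NOT_LOADED $script"
                problems=$((problems + 1))
            fi
        done
    done
    [ "$problems" -eq 0 ]
}

# make_sample_tree: build a small constructed tree and print its path.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/good" "$t/noloader" "$t/partial"
    printf '@load ./good\n' > "$t/good/__load__.bro"
    : > "$t/good/good.bro"
    : > "$t/noloader/noloader.bro"            # directory without a loader
    printf '# @load ./extra\n@load ./partial\n' > "$t/partial/__load__.bro"
    : > "$t/partial/partial.bro"
    : > "$t/partial/extra.bro"                # only referenced in a comment
    echo "$t"
}
```

Run `check_bro_scripts files/scripts` from the module directory before committing; a non-zero exit status means at least one directory or script would be synced without being loaded.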

###Other Customizable Variables

    class { 'bro':
      ensure       => 'running',             # Toggle Bro on or off
      pf_cid       => 'UNSET',               # Customize Pfring Cluster ID
      broctl       => 'DEFAULT',             # Set to 'CUSTOM' to create custom broctl.cfg (bro/files/broctl/custom_broctl.cfg)
      debug        => '0',                   # Toggle debug on and off, 0 = Off and 1 = On
      mailto       => 'root@localhost',      # Change notice email
      sitepolicy   => 'local.bro',           # Change the default site policy file. This is useful when customizing Bro.
      mindisk      => '5',                   # Min disk threshold
      logrotate    => '3600',                # Rotate logs every 3600 seconds
      logpurge     => 'disabled',            # Change to a number like 30 to delete logs older than 30 days
      basedir      => '/opt/bro',            # Bro base install dir
      logdir       => '/var/opt/bro',        # Bro log dir
      manager      => $::hostname,           # Manager host
      int          => $::hostint,            # Sniffing interface
      worker       => $::hostname,           # Worker host
      proxy        => $::hostname,           # Proxy host
      pkg_ensure   => 'present',             # Ensure bro package, only valid with pkg_source => '' or 'repo'
      pkg          => 'bro',                 # Package title
      pkg_source   => '',                    # Source the package installs from. Only valid on RedHat based systems.
                                             # 'repo': This is default. This value assumes you have a custom repository with pre-built packages.
                                             # 'none': No package dependency. Assumes you built the package from source or installed manually.
      type         => 'standalone',          # 'standalone': standalone Bro; 'cluster': running Bro in a cluster
      network      => $::hostint_ipv4_cidr,  # Accepts an array of CIDR blocks
      bro_pkg_name => $::osfamily ? {        # only valid for RedHat
        'RedHat' => 'Bro-2.3-Linux-x86_64.rpm',
        'Debian' => 'Bro-2.3-Linux-x86_64.deb',
      },
      bro_url      => '',
    }

Please log tickets and issues at our [Projects site](