In September, I gave a talk about running Bro NSM on BSD operating systems. The talk was well received and stirred interest in the BSD operating systems and their use for network security monitoring. The slides (and at the some point the video) for my talk are posted here:
One of the interesting things I learned at this conference, was the important role that FreeBSD plays in regards to Bro. FreeBSD and Linux are treated as the tier 1 operating systems for which Bro must work on before a software update is released. After my talk was given, the updated netmap code was merged into the FreeBSD 12-CURRENT tree to add better support for packet I/O on FreeBSD which Bro can be configured to use. For those interested in running Bro, Bro 2.5 is now available for download from here:
The port/pkg updates should be available soon for FreeBSD. I will be working to get 2.5 into OpenBSD 6.1, as the Bro port was updated to 2.4.1 in September.
Not as much BSD related, but SuriCon 2016 was held in Washington, DC and was a great conference discussing the open source IDS/IPS engine Suricata. Users of Suricata on FreeBSD can compile in support for netmap, to provide fast packet I/O for use with IDS. There are configurations with netmap-fwd that can be used with ipfw to provide fast IPS capabilities that I am looking to further test. I gave a lighting talk on pulledpork, the signature update script that works with Snort and Suricata. A lot of people have forked pulledpork to suit their own needs and there seems to be some common themes that could be incorporated into pulledpork to provide value for everyone. I fully recommend these conferences to anyone interested in network security monitoring and open source security tools as I really enjoyed the content.
Author: Michael Shirk
bhyve is a type-2 hypervisor that is installed by default in FreeBSD 10+. One of its greatest features is how simple the interface is to create and run virtual machines on FreeBSD. Since bhyve first appeared in FreeBSD 10, the operating systems support has expanded beyond FreeBSD and OpenBSD to include most Linux distributions and Microsoft Windows. In FreeBSD 11, bhyve will feature graphical support (UEFI-GOP) allowing for graphical UEFI installations. There are several tools that have been created to make the managing of bhyve VMs as easy as the managing of FreeBSD jails.
iohyve - bhyve management with ZFS support
vmrc - VM rc script for managing bhyve VMs
In addition to these management tools, the FreeBSD Handbook provides details for a script that is provided with the base OS which makes it easy to use bhyve VMs. The script is called vmrun.sh, and is provided at the following location:
/usr/share/examples/bhyve/vmrun.sh Before using this script, there are some necessary steps to setup networking and storage for use with bhyve VMs. These steps are fully documented in the FreeBSD Handbook, but here are the necessary commands to load the vmm kernel module, and setup networking to allow for the tap interface to be used by bhyve VMs:
# kldload vmmIn this example, re0 is the interface of the host, which is added to bridge0 with a tap0 interface added for the bhyve VM. If you would like this to be a persistent configuration, take a look at the FreeBSD Handbook for the specific configurations you will need. Once you have the tap0 interface available, you will need to create a virtual disk to be used by the VM. The FreeBSD Handbook details the way to create a disk image file (.img) for the virtual disk. For this howto, a ZFS Volume (zvol) will be used. Run the following commands to create a zvol (ensure you have enough disk space to perform these operations):
# ifconfig tap0 create
# sysctl net.link.tap.up_on_open=1
net.link.tap.up_on_open: 0 -> 1
# ifconfig bridge0 create
# ifconfig bridge0 addm re0 addm tap0
# ifconfig bridge0 up
# zfs create -V20G -o volmode=dev zroot/freebsdvm0If you are using UFS as your filesystem, and would like to test out ZFS, you can format a USB key with ZFS and use it to test out using bhyve VMs. Once you have the zvol created, you will need an install image to use the vmrun.sh script to install a bhyve VM. For this tutorial, FreeBSD-11-BETA1 will be used as the OS for the VM. Run the following command to download the FreeBSD-11-BETA1 install iso:
(zroot in this case is the zpool I am using)
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/releases/amd64/amd64/ISO-IMAGES/11.0/FreeBSD-11.0-BETA1-amd64-disc1.iso With the installation iso, we can now run vmrun.sh with some parameters to startup the bhyve VM and to install an operating system.
# sh /usr/share/examples/bhyve/vmrun.sh -c 1 -m 2048M -t tap0 -d /dev/zvol/zroot/freebsdvm0 -i -I FreeBSD-11.0-BETA1-amd64-disc1.iso freebsdvm This command will startup the VM with the console output showing in the same terminal. If using a terminal multiplexer like tmux, you can open a new tab and run this command so that you still have shell access. The -c option is used to set the number of CPUs the VM will have assigned to it, -m sets the amount of memory to be assigned to the VM, and the -t option sets the virtio-net tap interface to use with the VM. The -i option forces vmrun.sh to boot from an installation CDROM, where -I sets the location of the iso file.
Once the VM is started, everything from this point forward is the same as a standard FreeBSD installation. The only caveat is that you will want to shutdown the VM so you can remove the iso file from the command line to startup the VM. Once the OS is installed, you can start your bhyve VM with the following command:
# sh /usr/share/examples/bhyve/vmrun.sh -c 1 -m 2048M -t tap0 -d /dev/zvol/zroot/freebsdvm0 freebsdvmThis setup provides a simple method to manage multiple VMs from a terminal using the vmrun.sh script, and tmux. For additional information on features that are currently supported or planned for bhyve, or additional configuration options, refer to the following FreeBSD links: