[Bro] What am I doing wrong here?

Philippe Strauss philou at philou.ch
Wed Nov 29 10:38:05 PST 2006


On Wed, Nov 29, 2006 at 11:12:12AM -0600, David Caldwell wrote:
> Okay, I now have bro installed. Things appear to be in the right  
> place. I must have missed something in the docs to get this working,  
> and I am sure that it does not help that I am not exactly familiar  
> with Debian. bear with me here as I stumble my way through a new OS  
> and Bro. I expect I am going to ask alot of stupid questions, but I  
> am documenting everything so that it may be used later to update or  
> possibly improve the documentation or help someone else who is in the  
> same boat I am.
> 
> Here is what I get when I try to start Bro from the command line:
> 
> jyd:/etc/rc3.d# /etc/init.d/bro.rc start
> bro.rc: Running as non-root user bro
> No directory, logging in with HOME=/
> bro.rc: Starting ..........bro.rc: Failed to start Bro
> /usr/local/bro/bin/bro: problem with interface eth1 - pcap_open_live:  
> socket: Operation not permitted
> .. FAILED
> 
> here are the outputs in the logs files in /usr/local/bro/logs:
> 
> /usr/local/bro/bin/bro: problem with interface eth1 - pcap_open_live:  
> socket: Operation not permitted
> 
> Am I missing a permission issue here or what? Do I need to make some  
> changes in a config file that I missed?


Yeap, on Linux systems you have to be root to
open interfaces in promisc mode.

edit etc/bro.cfg like the following:

# User id to install and run Bro under
BRO_USER_ID="root"

regards.


-- 
Philippe Strauss
av. de Beaulieu 25
1004 Lausanne
http://philou.ch



More information about the Bro mailing list