[Bro] What am I doing wrong here?

David Caldwell dcaldwell at colsa.com
Wed Nov 29 11:34:58 PST 2006

That is something I did not know till I got the responses from you  
guys. I re-ran brolite, and used the default user [root] for the user  
to run under. Now bro has started up and is doing something that  
resembles its job at this point. The startup was successful, and we  
shall see what kiind of stuff it collects sitting in the internal  
office network fro the next couple of hours.

Now with the next question.

Since the service runs as root, and the eth1 interface that it is  
running on is going to be exposed to the outside world, what do I  
need to do to my firewall config on this box to protect it from attack?
What are your suggestions? I can run some pretty simple firewall  
rules to simply deny all on the interface, and allow only internal  
requests, but will this hinder bro from being able to do its job?


On Nov 29, 2006, at 12:59 PM, Jason Lee wrote:

> I think on Linux you have to run bro as root otherwise it can't
> open the Ethernet device in promiscuous mode.
> Cheers,
> jason
> David Caldwell wrote:
>> Okay, I now have bro installed. Things appear to be in the right
>> place. I must have missed something in the docs to get this working,
>> and I am sure that it does not help that I am not exactly familiar
>> with Debian. bear with me here as I stumble my way through a new OS
>> and Bro. I expect I am going to ask alot of stupid questions, but I
>> am documenting everything so that it may be used later to update or
>> possibly improve the documentation or help someone else who is in the
>> same boat I am.
>> Here is what I get when I try to start Bro from the command line:
>> jyd:/etc/rc3.d# /etc/init.d/bro.rc start
>> bro.rc: Running as non-root user bro
>> No directory, logging in with HOME=/
>> bro.rc: Starting ..........bro.rc: Failed to start Bro
>> /usr/local/bro/bin/bro: problem with interface eth1 - pcap_open_live:
>> socket: Operation not permitted
>> .. FAILED
>> here are the outputs in the logs files in /usr/local/bro/logs:
>> /usr/local/bro/bin/bro: problem with interface eth1 - pcap_open_live:
>> socket: Operation not permitted
>> Am I missing a permission issue here or what? Do I need to make some
>> changes in a config file that I missed?
>> TIA
>> David Caldwell
>> Colsa-HMT
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

More information about the Bro mailing list