[Bro] No packets for me
Randolph Reitz
rreitz at fnal.gov
Mon Mar 5 14:04:00 PST 2007
Hi,
Fermilab is making another run at BRO. A machine running Scientific
Linux Fermi LTS release 4.4 (Wilson) has been set up for BRO
testing. It has a span of the border traffic fed from a GigaVue to
eth2 (an Intel PRO/1000 MT Dual Port) on the Linux box. Installing
BRO 1.2.1 was no problem.
./configure reported...
Broccoli Configuration Summary
==========================================================
- Debugging enabled: no
- Pcap packet support: yes
- Semaphores used: POSIX
- Shared memory used: SYSV
Now run:
$ make
# make install
(or use gmake when make on your platform isn't GNU make)
Bro Configuration Summary
==========================================================
- Debugging enabled: no
- OpenSSL support: yes
- Non-blocking main loop: yes
- Non-blocking resolver: yes
- Installation prefix: /usr/local/bro
- Perl interpreter: /usr/bin/perl
- Using basic_string: yes
- Using libmagic: Yes
- Using libclamav: No
- Pcap used: system-provided
Make was uneventful. Install put everything in /usr/local/bro.
After starting BRO and letting it run for ~20 minutes, it reports
seeing 4 packets.
[root at rhyolite rreitz]# export BROPATH=/usr/local/bro/policy:/usr/local/bro/policy/sigs
[root at rhyolite rreitz]# bro -i eth2 brolite
/usr/local/bro/policy/scan.bro, line 92: warning: no such host: j5004.inktomisearch.com
/usr/local/bro/policy/scan.bro, line 92: warning: no such host: j5005.inktomisearch.com
/usr/local/bro/policy/scan.bro, line 93: warning: no such host: j5006.inktomisearch.com
/usr/local/bro/policy/scan.bro, line 93: warning: no such host: j100.inktomi.com
/usr/local/bro/policy/scan.bro, line 93: warning: no such host: j101.inktomi.com
/usr/local/bro/policy/scan.bro, line 94: warning: no such host: j3002.inktomi.com
/usr/local/bro/policy/scan.bro, line 94: warning: no such host: si3000.inktomi.com
/usr/local/bro/policy/scan.bro, line 94: warning: no such host: si3001.inktomi.com
/usr/local/bro/policy/scan.bro, line 95: warning: no such host: si3002.inktomi.com
/usr/local/bro/policy/scan.bro, line 95: warning: no such host: si3003.inktomi.com
/usr/local/bro/policy/scan.bro, line 95: warning: no such host: si4000.inktomi.com
/usr/local/bro/policy/scan.bro, line 96: warning: no such host: si4001.inktomi.com
/usr/local/bro/policy/scan.bro, line 96: warning: no such host: si4002.inktomi.com
/usr/local/bro/policy/scan.bro, line 96: warning: no such host: wm3018.inktomi.com
listening on eth2
1173131791.280848 received termination signal
4 packets received on interface eth2, 0 dropped
Humm, I expected more packets. Eth2 seems to be receiving packets
when bro is started...
[rreitz at rhyolite ~]$ while true;do /sbin/ifconfig eth2 | egrep bytes; sleep 10; done
RX bytes:4142 (4.0 KiB) TX bytes:398 (398.0 b)
RX bytes:28062 (27.4 KiB) TX bytes:398 (398.0 b)
RX bytes:57132 (55.7 KiB) TX bytes:398 (398.0 b)
RX bytes:72298 (70.6 KiB) TX bytes:398 (398.0 b)
But after a while...
[rreitz at rhyolite bro]$ while true;do /sbin/ifconfig eth2 | egrep bytes; sleep 10; done
RX bytes:818658 (799.4 KiB) TX bytes:398 (398.0 b)
RX bytes:818658 (799.4 KiB) TX bytes:398 (398.0 b)
RX bytes:818658 (799.4 KiB) TX bytes:398 (398.0 b)
The interface seems stuck.
[rreitz at rhyolite bro]$ /sbin/ifconfig eth2
eth2 Link encap:Ethernet HWaddr 00:04:23:D1:E3:EB
inet6 addr: fe80::204:23ff:fed1:e3eb/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:10442 errors:0 dropped:0 overruns:0 frame:0
TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:818658 (799.4 KiB) TX bytes:398 (398.0 b)
Base address:0x1040 Memory:f40a0000-f40c0000
Here is some info on the OS...
[rreitz at rhyolite bro-1.2.1]$ rpm -qa | egrep pcap
libpcap-0.8.3-10.RHEL4
[rreitz at rhyolite bro-1.2.1]$ uname -a
Linux rhyolite.fnal.gov 2.6.9-42.0.10.ELsmp #1 SMP Tue Feb 27 08:38:56 CST 2007 i686 athlon i386 GNU/Linux
[rreitz at rhyolite bro-1.2.1]$ cat /etc/redhat-
redhat-lsb/ redhat-release
[rreitz at rhyolite bro-1.2.1]$ cat /etc/redhat-release
Scientific Linux Fermi LTS release 4.4 (Wilson)
[rreitz at rhyolite bro]$ bro -v
bro version 1.2.1
A search of this email list for 'linux' gets no hits. Hence I'm
asking for suggestions.
Thanks,
Randy Reitz
Computer Security Team
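The interface check Randy does by hand above (polling ifconfig and watching whether RX bytes keep climbing) is the right first test when Bro reports almost no packets: it separates "the span feed never delivered anything", "the feed stopped after a burst" and "packets arrive but libpcap is not seeing them". The script below is an added example, not code from the original post and not part of Bro; it reads /proc/net/dev (present on the 2.6.9 kernel shown) and classifies each sampling interval. The interface name eth2, the interval and the sample counters embedded for the demo are constructed from the numbers in the post and are assumptions, not real measurements.

```shell
#!/bin/sh
# Added example: classify an interface's RX counter behaviour from /proc/net/dev.
# Pure functions take text so they can be exercised on constructed snapshots;
# watch_iface is the live poller (Linux, POSIX sh, awk).

# Print "rx_bytes rx_packets" for interface $1 from a /proc/net/dev snapshot
# passed as text in $2. Prints "0 0" if the interface does not appear.
rx_counters() {
    printf '%s\n' "$2" | awk -v ifc="$1" '
        index($0, ":") {
            line = $0
            sub(/^[ \t]+/, "", line)                 # names are right-aligned
            n = index(line, ":")
            if (substr(line, 1, n - 1) == ifc) {
                split(substr(line, n + 1), f, " ")  # fields: bytes packets ...
                print f[1], f[2]
                found = 1
                exit
            }
        }
        END { if (!found) print "0 0" }'
}

# Byte delta between an earlier ($1) and later ($2) "rx_bytes rx_packets" sample.
rx_delta() {
    set -- $1 $2        # $1=bytes0 $2=pkts0 $3=bytes1 $4=pkts1
    echo $(( $3 - $1 ))
}

# Classify the interval: flowing (counter moved, including a 32-bit wrap),
# silent (nothing ever received: feed never connected) or stalled
# (received a burst, then froze, as in the post).
feed_state() {
    d=$(rx_delta "$1" "$2")
    set -- $2
    if [ "$d" -ne 0 ]; then
        echo flowing
    elif [ "$1" -eq 0 ]; then
        echo silent
    else
        echo stalled
    fi
}

# Live poller: $1 interface, $2 seconds between samples, $3 number of samples.
watch_iface() {
    prev=$(rx_counters "$1" "$(cat /proc/net/dev)")
    i=0
    while [ "$i" -lt "$3" ]; do
        sleep "$2"
        cur=$(rx_counters "$1" "$(cat /proc/net/dev)")
        printf '%s %s rx_bytes=%s rx_packets=%s %s\n' \
            "$(date +%s)" "$1" $cur "$(feed_state "$prev" "$cur")"
        prev=$cur
        i=$((i + 1))
    done
}

# Constructed /proc/net/dev snapshots (hypothetical, numbers taken from the post).
SAMPLE_DEV_EARLY='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1234      12    0    0    0     0          0         0     1234      12    0    0    0     0       0          0
  eth2:   72298    1102    0    0    0     0          0         0      398       5    0    0    0     0       0          0'
SAMPLE_DEV_LATE='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1234      12    0    0    0     0          0         0     1234      12    0    0    0     0       0          0
  eth2:  818658   10442    0    0    0     0          0         0      398       5    0    0    0     0       0          0'

# Offline demo on the constructed snapshots; "watch eth2 10 6" polls for real.
case "${1:-demo}" in
    watch) watch_iface "${2:-eth2}" "${3:-10}" "${4:-6}" ;;
    demo)
        a=$(rx_counters eth2 "$SAMPLE_DEV_EARLY")
        b=$(rx_counters eth2 "$SAMPLE_DEV_LATE")
        echo "early->late: $(feed_state "$a" "$b")"   # counters moved
        echo "late->late:  $(feed_state "$b" "$b")"   # frozen at 818658
        ;;
esac
```

If the state is "flowing" while Bro still reports a handful of packets, the problem is between the NIC and libpcap (filter, snaplen, wrong interface) rather than the span; "stalled" after a burst, as in the post, points at the feed or the driver, and a packet-count from tcpdump on the same interface is the next comparison to make.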