[Bro] Debugging and non-interactive install

Vern Paxson vern at icir.org
Fri Jun 20 10:47:19 PDT 2008


> 1.  I need a non-interactive install of Bro ...

I can't really comment on this as I'm not one of the Bro install gurus,
but perhaps someone who is will do so.

> 2.  I'm having some trouble debugging a simple policy file (I'd include it,
> but it's on another network).  I basically want to redefine some of the
> clear-passwords methods to reduce log noise by checking if this is a
> password we already know about, and to ignore IRC JOINs with no password.

If you're able at some point to send it along, I can probably help out
directly.

> when I run:
> 
> bro -d -r test.pcap brolite local.clear-passwords
> or
> bro -d -r test.pcap local.clear-passwords
> 
> it never drops into the debugger (and if you Ctrl-C it dies).  But if I run

Unfortunately the debugger has not been maintained and isn't reliable at
this point :-(.  I'd definitely like to fix that, but to date it hasn't
been a high priority.  I'd like to hear from any others who also would
make use of it.  Offhand, I don't see any obvious problem with what you're
trying above.

> I'm at the stage where bro isn't giving me any errors about the policy but
> it is not producing any output, at all, for any policy.  Any hints?

Try "bro -t tracefile ..." to generate an execution trace.  When no output
gets produced, usually the problem is that no events are being generated
because the event engine isn't finding that you've defined the event
handlers it expects for turning on different forms of application analysis.
If the trace shows that the events are being generated, then annotating
your script with logging information will usually help zero in on the
problem quickly.

		Vern
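A minimal policy script illustrating the advice above, added here as an example and not part of the original thread or of the Bro distribution: it defines the event handlers that make the event engine run the login and IRC analyzers at all, and filters the two noise cases the original poster describes (a password already on the known list, and an IRC JOIN without a key). The event names, argument types and the `known_passwords` set are assumptions about the Bro 1.x policy API; check them against the login.bro and irc.bro shipped with your version.

```bro
# Assumed Bro 1.x event signatures; verify against login.bro / irc.bro.

# Passwords the operator already knows about; extend via redef in local.bro.
# The value here is a constructed placeholder.
global known_passwords: set[string] = { "CHANGEME-example" } &redef;

# Defining a login_success handler is what tells the event engine to turn
# on the login analyzer; with no handler defined, no login events fire and
# the script produces no output at all.
event login_success(c: connection, user: string, client_user: string,
                    password: string, line: string)
	{
	if ( password in known_passwords )
		return;	# already known: suppress the repeat

	print fmt("cleartext login %s@%s from %s",
	          user, c$id$resp_h, c$id$orig_h);
	}

# Same principle for IRC: this handler enables the IRC analyzer.
event irc_join_message(c: connection, is_orig: bool, info_list: irc_join_list)
	{
	for ( j in info_list )
		{
		if ( j$password == "" )
			next;	# JOIN without a channel key: nothing to report

		print fmt("IRC JOIN to %s with key from %s",
		          j$channel, c$id$orig_h);
		}
	}
```

Run it as `bro -r test.pcap this-script.bro`; if nothing prints, `bro -t tracefile -r test.pcap this-script.bro` shows whether the login or IRC events are being generated at all.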
