[Bro] Debugging and non-interactive install
greglindon at gmail.com
Fri Jun 20 11:12:31 PDT 2008
Thanks guys, that helps. Robin, I'll take a look at the cluster, looks like
you have a standalone config in there, so that will have to do for the time
being - won't be getting any new boxes in the immediate future to make a
> Try "bro -t tracefile ..." to generate an execution trace. When no output
> gets produced, usually the problem is that no events are being generated
> because the event engine isn't finding that you've defined the event
> handlers it expects for turning on different forms of application analysis.
> If the trace shows that the events are being generated, then annotating
> your script with logging information will usually help zero in on the
> problem quickly.
Fair enough, I'll give that a try. I liked the idea of the debugger because
you could run through a fairly large pcap and fix most of the problems in
one go rather than many repeated analysis runs. This way I'll have to carve
out a much smaller pcap that has the traffic to generate the needed events.
If I can't get any further along like this I'll move the config over and
send it to the list.
Thanks for the quick replies!