[Bro] New Bro User

Jesse Bortercollet jhnovak at gmail.com
Mon May 12 06:47:19 PDT 2008


  I'm trying to become familiar with Bro and have installed the stable
release 1.2.1 on an Ubuntu VMware image running a 2.6 kernel.

  I have been following the documentation and wanted to see if I have
everything installed properly by first reading a pcap to generate an alarm.
I was looking at the reference manual, specifically Chapter 2: Getting
Started, the section on traffic traces.  I wanted to emulate the:

   bro -r example.ftp-attack.trace brolite

where I was supposed to see a connection summary in stdout and some kind of
alarm.  I didn't find that particular pcap with the installation as the
documentation says, but used a pcap from an earlier bro package -
ftp-site-exec.trace.  I ran the above bro command using this pcap, but I
don't see any output at all.  I'm familiar with Snort so I've used an IDS
before.  I just can't figure out what I might be doing wrong.  Can someone
please help?

Thanks a lot - Jesse
