Lou Ruppert lruppert at syr.edu
Tue Mar 3 13:03:05 PST 2009


We're in the process of upgrading our IDS infrastructure here, and I've
been trying for the last week or so to get the "release" version of bro
up and running.  It refuses and then it shames me.  First, I'll detail
what I've tried, and then I'll tell you where I'm stuck.

I downloaded the "release" version of 1.4, thinking it would be a breeze
to install like 1.3 was.

I attempted to compile and install it, only to find out that the part
that actually allows it to install and run (bro-lite) was not only
deprecated, but was helpfully disabled as shipped in order to prevent me
from blundering into an unsupportable situation.

I read a huge chunk of the mailing list archives and determined that in
order to use the "release" version of bro, I would have to install a
bleeding-edge clustering component, as a test of my mettle.

I followed the instructions at
http://blog.ncsa.uiuc.edu/aashish/2008/10/21/moving-to-bro-14/ and
compiled the clustering component, running it in standalone mode.

When I try running the clustering component, it complains that it
doesn't have the analysis-groups.bro component, which appears to be part
of some changes made to the policy files but only made available to some
inner cabal of bro developers.

Not to be thwarted, I used Google to try to find out about the file, and
found a hidden copy in the web interface of the SVN repository.  Naively
thinking this would solve my problem, I installed it
in /usr/local/bro/current/policy/local/ and was finally able to get bro
to start without instantly dying.

That brings me to right now, where I'm stuck.  Bro will run for a few
minutes, generating the usual mass of data before suddenly deciding to
segfault and die.  As best I can tell, it's dying in
DNS_Mgr::Process() .  I'm guessing that's not normal behavior, or
someone else would probably have emailed about it.

Any ideas on how to get a working install of bro 1.4?

Thanks for your help, and for writing it in the first place,

(hoping for more to put on his 2008-2009 performance evaluation than
"heroically spent FY08-09 compiling bro over and over again.")

