[Bro] Problem with Broccoli connection

Daniel Wyschogrod dwyschogrod at bbn.com
Mon Dec 3 08:28:30 PST 2012


I think I've tracked down the problem, but it leads to another mystery.  In my local.bro file, as I've pointed out, I have inserted the line:

redef Communication::listen_port = 12345/tcp;

In the barnyard2.conf file, I've added:

output alert_bro:

I'm expecting, of course, a connection on port 12345.  However, when I did a "netstat -l", I discovered that the bro process was listening on port 47760! The output from netstat -l was:

tcp        0      0 *               LISTEN      6326/bro 

When I changed the barnyard2.conf to:

output alert_bro:

the connection took place as expected.  In addition, py-broccoli makes the connection as well when I use:

On further investigation, I found that a bro file was generated in spool/installed-scripts-do-not-touch/auto called standalone-layout.bro.  Its content is:

# Automatically generated. Do not edit.
redef Communication::listen_port = 47760/tcp;
redef Communication::nodes += {
        ["control"] = [$host=, $zone_id="", $class="control", $events=Control::controller_events],

The 47760 port is the same in the standalone-layout.bro no matter what I set the listen_port to in local.bro.  Where does the 47760 port come from and what can I do to use a different port?

Thanks again,

Dan Wyschogrod

Senior Scientist
Cyber Security
Raytheon/BBN Technologies

dwyschogrod at bbn.com

On Dec 3, 2012, at 8:53 AM, Seth Hall <seth at icir.org> wrote:

> On Dec 3, 2012, at 12:04 AM, Seth Hall <seth at icir.org> wrote:
>> On Dec 2, 2012, at 9:47 PM, Daniel Wyschogrod <dwyschogrod at bbn.com> wrote:
>>> 	["local"] = [$host=, $class="barnyard",$events=/Barnyard2:barnyard_alert/,$connect=F]
>>> 	};
>> You need two commas in that event name. 
> Arg!  Two colons. :)  You could even just use /Barnyard2::.*/
>  .Seth
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
