[Bro] script working from cmd line but not from local.bro

Doug Burks doug.burks at gmail.com
Fri Jan 3 07:25:03 PST 2014


Hi Brian,

While troubleshooting the Bro scripts with Seth, take ELSA out of the
picture and just look at the raw Bro notice.log in
/nsm/bro/logs/current/.  Once you have the scripts working correctly,
then we can help you with any ELSA issues over on the Security Onion
mailing list.

On Fri, Jan 3, 2014 at 9:29 AM, Kellogg, Brian D (OLN)
<bkellogg at dresser-rand.com> wrote:
> susTx.bro is the simplified version of the script that works.
>
> trackOutTx.bro is the one that doesn't.
>
> Another thing I'm seeing is I cannot find these notices in Elsa once the notice.log has been rotated by SO.  I'm sure I'm just not understanding something as I'm quite new to SO, Bro, and Elsa.  Is there something else I have to do to ensure these notices show up in the Elsa archive?  Is there a delay of several hours before they show up in Elsa?
>
>
> Thank you,
> Brian Kellogg
> Security Analyst; IT Governance, Risk, and Compliance
> 500 Paul Clark Drive, Olean,  NY 14760
> T: (716) 375-3186 | F: (716) 375-3557
>
> -----Original Message-----
> From: Seth Hall [mailto:seth at icir.org]
> Sent: Friday, January 03, 2014 9:08 AM
> To: Kellogg, Brian D (OLN)
> Cc: bro at bro.org
> Subject: Re: [Bro] script working from cmd line but not from local.bro
>
>
> On Jan 2, 2014, at 6:13 PM, "Kellogg, Brian D (OLN)" <bkellogg at dresser-rand.com> wrote:
>
>> I have a script I've been writing for a couple of weeks that looks at every connection's total bytes.  If the total bytes when the connection is removed from memory are over X bytes, then raise a Bro notice.  I have a global variable structure defined to keep track of internal hosts that have uploaded more than X bytes in a connection.
>
> Please post the script so we can review it.
>
> Thanks,
>   .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro



-- 
Doug Burks
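Brian's trackOutTx.bro itself is not on the list, so the following is an added example written for this page, not Brian's script and not anything shipped with Bro or Security Onion, of the logic he describes: on connection_state_remove, compare the originator's byte count against a threshold, raise a notice, and count the internal hosts that have crossed it. The module name LargeUpload, the notice type Large_Outbound_Transfer, the 100 MB threshold and the RFC 1918 internal ranges are all assumptions chosen for illustration.

```bro
# Added example (not from the original thread). Assumed names: module
# LargeUpload, notice type Large_Outbound_Transfer, threshold and subnets.
@load base/frameworks/notice

module LargeUpload;

export {
    redef enum Notice::Type += {
        ## Raised when an internal host sends more than byte_threshold
        ## bytes in a single connection.
        Large_Outbound_Transfer,
    };

    ## Assumed threshold: 100 MB in one connection.
    const byte_threshold = 100000000 &redef;

    ## Assumed internal address space (RFC 1918).
    const internal_nets: set[subnet] = {
        10.0.0.0/8,
        172.16.0.0/12,
        192.168.0.0/16,
    } &redef;
}

## Global state: how many over-threshold connections each internal host
## has originated.  Kept in this module's scope so it does not collide
## with globals in other site scripts loaded from local.bro.
global big_uploaders: table[addr] of count &default=0;

event connection_state_remove(c: connection)
    {
    # Only originators inside our address space are of interest.
    if ( c$id$orig_h !in internal_nets )
        return;

    # Bytes sent by the originator over the whole connection.
    local out_bytes = c$orig$size;
    if ( out_bytes < byte_threshold )
        return;

    ++big_uploaders[c$id$orig_h];

    NOTICE([$note=Large_Outbound_Transfer,
            $conn=c,
            $msg=fmt("%s sent %d bytes to %s in one connection (%d such connections so far)",
                     c$id$orig_h, out_bytes, c$id$resp_h,
                     big_uploaders[c$id$orig_h]),
            $n=out_bytes,
            # Assumed suppression key: one notice per host per
            # Notice::default_suppression_interval.
            $identifier=cat(c$id$orig_h)]);
    }
```

To test it the way Doug suggests, run it against a trace on the command line (`bro -r some.pcap largeupload.bro`) and read notice.log directly; then add `@load largeupload` to local.bro with the file placed in the site directory, run `broctl check` to catch parse and scoping errors, and `broctl deploy`, and compare the resulting /nsm/bro/logs/current/notice.log before involving ELSA.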