[Bro] Bro not producing a notice.log

Jeff Geiger jeff.geiger at gmail.com
Thu Apr 7 19:04:04 PDT 2016

I don't know if anything has changed in the last few years, but I know it
used to be the case that you could not put an AWS interface into
promiscuous mode.  To get around this, you had to use a tool like
daemonlogger to dump packets from the external interface to a tap, tun, or
bridge interface and monitor that.  For larger scale implementations, you
can use openvpn internally to route all the traffic back to your sensor.  I
set up a PoC doing similar with Snort a few years back. (
https://github.com/jeffgeiger/CloudSnort)  Hopefully that helps, if this is
still the case.


Jeff Geiger

On Thu, Apr 7, 2016 at 6:04 PM, Mike Dopheide <dopheide at gmail.com> wrote:

> I want to say that's likely because AWS disables promiscuous mode so
> getting Bro to work requires some additional tricks.   Can anyone verify?
> On Thursday, April 7, 2016, Paweł Piszczatowski <pawelec93 at googlemail.com>
> wrote:
>> I have a Bro cluster setup in the AWS cloud, currently just with one
>> node. My problem is that Bro is not producing the notice.log, it should
>> just log successful SSH logins but it doesn't. I have tried SSH and FTP
>> bruteforcing the worker node and exceeding the limit of failed connections,
>> again no notice.log. I can see the detect-bruteforcing.bro scripts loaded
>> in the loaded_scripts.log. I am pretty new to Bro, so I am not sure what I
>> am doing wrong.
>> Regards,
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160407/817f4f15/attachment.html 

More information about the Bro mailing list