[Bro] problems with geo scripts in phirelight repository
Azoff, Justin S
jazoff at illinois.edu
Wed Jul 27 11:56:11 PDT 2016
> On Jul 27, 2016, at 2:24 PM, philosnef <philosnef at yahoo.com> wrote:
> I am trying to get the geo scripts in the phirelight git repository to work. The readme says the scripts have to be explicitly enabled.
> I have:
> @load ./set-country.bro
> enabled in my geo/__load__.bro. However, my conn.log is not showing any country information. There are no errors and bro deploys cleanly. Why exactly is the country information not being inserted into the conn.log? I load geo/conn as well, which includes the 4 add-X-conn.bro scripts. This SHOULD put in the country, but is not doing so. What am I missing? The loaded_scripts.log says the add-X-conn.bro scripts are loaded.
These scripts https://github.com/phirelight/bro-scripts/tree/master/geo ?
"Scripts to set geoip/asn info for conn. Note, these will not be logged as is. There are additional scripts to log the variables for each log type."
You need to load the scripts under conn, dns, files, or ssl if you want the fields to be logged. By default they are just making the fields available.
In your case what you are missing is loading geo/conn/add-country-conn.bro
- Justin Azoff