[Bro] problems with geo scripts in phirelight repository

philosnef philosnef at yahoo.com
Wed Jul 27 12:39:02 PDT 2016


Justin,
I get a bit where it says init-bare.bro problem initializing NB-DNS, but other than that it properly reports the exact same information you have there (US, CA, Mountain View).
For some reason, it seems to work fine now. We just pushed a new version of geo from the phirelight repository and that seems to have fixed it.

 

    On Wednesday, July 27, 2016 3:15 PM, "Azoff, Justin S" <jazoff at illinois.edu> wrote:
 

 
> On Jul 27, 2016, at 3:08 PM, philosnef <philosnef at yahoo.com> wrote:
> 
> Yeah, no new columns at all. I am logging in json format, but they should still show up, right?

Ah, that complicates things because optional fields are not logged in json format.  Unlike the TSV logs, it doesn't need a fixed column layout, so fields can only show up when needed.

geoip is probably broken for you in general.

I'd try this experiment.  Some errors are ok since it tries some fallbacks, but you should get the result in the end:

$ cat test.bro
print lookup_location(8.8.8.8);
$ bro test.bro
Failed to open GeoIP Cityv6 database: /usr/local/var/GeoIP/GeoIPCityv6.dat
Failed to open GeoIPv6 Country database: /usr/local/var/GeoIP/GeoIPv6.dat
error in ./test.bro, line 1: Can't open GeoIPv6 City/Country database (lookup_location(8.8.8.8))
[country_code=US, region=CA, city=Mountain View, latitude=37.386002, longitude=-122.083801]

-- 
- Justin Azoff
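
The point in the reply above about optional fields in JSON logs, as an added example that is not part of the original thread: a Python check that reports whether each expected field appears in every record, in some records, or in none. The field names orig_cc and resp_cc and the sample records are constructed placeholders, not the names used by the phirelight geo scripts.

```python
import json
from collections import Counter

# Constructed sample of JSON-format log records. "orig_cc" and "resp_cc" are
# hypothetical stand-ins for whatever optional fields a geo script adds.
SAMPLE_JSON_LOG = """\
{"ts": 1469646000.1, "uid": "C1", "id.orig_h": "10.0.0.5", "id.resp_h": "8.8.8.8", "resp_cc": "US"}
{"ts": 1469646001.2, "uid": "C2", "id.orig_h": "10.0.0.5", "id.resp_h": "10.0.0.9"}
{"ts": 1469646002.3, "uid": "C3", "id.orig_h": "10.0.0.7", "id.resp_h": "192.168.1.1"}
"""

def field_coverage(lines):
    """Return (record_count, Counter of how many records carry each field)."""
    total, seen = 0, Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if not isinstance(record, dict):
            continue
        total += 1
        seen.update(record.keys())
    return total, seen

def classify_fields(lines, expected):
    """Map each expected field to 'always', 'sometimes' or 'never' present."""
    total, seen = field_coverage(lines)
    status = {}
    for name in expected:
        count = seen[name]  # Counter returns 0 for fields never seen
        if total and count == total:
            status[name] = "always"
        elif count:
            status[name] = "sometimes"  # optional field, set only when it has a value
        else:
            status[name] = "never"  # never set in this sample: check script and lookups
    return status

if __name__ == "__main__":
    fields = ["uid", "resp_cc", "orig_cc"]
    for name, state in classify_fields(SAMPLE_JSON_LOG.splitlines(), fields).items():
        print(f"{name}: {state}")
```

A field reported as "sometimes" is behaving as an optional field should in JSON output; a field reported as "never" across a large sample is the case worth following up with the lookup_location test shown in the message.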


  