[Bro] help required in logs with bro
anthony.kasza at gmail.com
Wed Nov 23 14:22:01 PST 2016
Broctl wraps the Bro binary and adds some niceties like config management,
worker management, log rotation, etc. The Bro binary is what processes
packets, interprets scripts, and writes logs.
If you run 'bro -Ci eth0' and browse a webserver over eth0, Bro should spit
out logs in your current working directory. If not, Bro is either not
seeing packets or something else is wrong.
On Nov 23, 2016 3:01 PM, "Yagyesh Srivastava" <ysrivas at ncsu.edu> wrote:
> By Bro binary, do you mean the "bro -i eth0" command?
> I can see that when I give this command it's listening on the eth0 interface.
> It initially gave me a warning saying that, due to the NIC checksum, it is
> receiving bad checksum packets, so it will discard them.
> So I ran the above command with the -C option.
> Is this what you were referring to?
> Could you please help me understand what the difference is between this
> command and broctl?
> Thanks and regards
> On Nov 23, 2016 4:54 PM, "anthony kasza" <anthony.kasza at gmail.com> wrote:
>> Your VM may be using its loopback address for the connection to the local
>> Apache server. If Bro is listening on eth0 (not the loopback interface) it
>> won't see that traffic.
>> As for the curl'ing of external sites, have you tried something basic
>> like tcpdump just to make sure packets are moving? I'd also try running the
>> Bro binary, without broctl, on an interface just to make sure Bro is
>> compiled, happy, and seeing packets move.
>> On Nov 23, 2016 1:33 PM, "Yagyesh Srivastava" <ysrivas at ncsu.edu> wrote:
>>> I have downloaded Bro and built it on a VM, using configure, make and
>>> make install.
>>> Then I ran broctl install and deploy.
>>> When I run broctl using "sudo broctl start" and subsequently issue "sudo
>>> broctl status", it shows Bro running as standalone on localhost.
>>> My /nsm/bro/etc/node.cfg file has
>>> type = standalone
>>> host = localhost
>>> interface = eth0
>>> Now, when I try to connect to the internet using my VM browser,
>>> or I curl localhost (which has an Apache server running, after changing the
>>> node.cfg file to listen on the loopback interface), in either case I
>>> cannot see any logs getting generated.
>>> Can someone please help me with this issue? I don't think Bro is
>>> sniffing on the correct interface; there is something trivial, I am
>>> guessing, which is going wrong. Please provide any pointers if possible.
>>> Bro mailing list
>>> bro at bro-ids.org
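The two checks suggested in this thread (which interface node.cfg binds Bro to, and whether the traffic being generated would ever cross that interface) can be scripted. The following is an added example written for this page, not code from the thread or from the Bro project. The sample node.cfg it parses is constructed to mirror the poster's configuration (a real file has a [bro] section header and lives under <prefix>/etc/node.cfg); the `known_ifaces` parameter is a hypothetical hook so the interface check can run without a real /sys/class/net.

```python
"""Diagnose why a standalone Bro node may produce no logs.

Added example for this mailing-list page, not the Bro project's own code.
It applies two checks from the replies above: does the interface in node.cfg
exist on this host, and would packets to the destination being tested ever
cross that interface (loopback traffic never reaches eth0).
"""
import configparser
import ipaddress
import os
import sys

# Constructed sample mirroring the poster's node.cfg (section header added).
SAMPLE_NODE_CFG = """
[bro]
type=standalone
host=localhost
interface=eth0
"""

LOOPBACK_IFACES = {"lo", "lo0"}


def parse_node_cfg(text):
    """Return {node_name: {key: value}} for every [section] in a node.cfg."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def traffic_visible(interface, dest):
    """True if packets to `dest` could be seen by a sniffer bound to `interface`.

    'localhost', 127.0.0.0/8 and ::1 stay on the loopback device; any other
    address or hostname is assumed to leave via a non-loopback interface.
    """
    if dest == "localhost":
        is_loop = True
    else:
        try:
            is_loop = ipaddress.ip_address(dest).is_loopback
        except ValueError:
            is_loop = False  # a remote hostname is never loopback
    if is_loop:
        return interface in LOOPBACK_IFACES
    return interface not in LOOPBACK_IFACES


def interface_present(interface, known=None):
    """Check that `interface` exists; `known` is an injectable list (assumption
    for testing); by default the Linux /sys/class/net directory is consulted."""
    if known is None:
        sysnet = "/sys/class/net"
        known = os.listdir(sysnet) if os.path.isdir(sysnet) else []
    return interface in known


def bro_command(interface, ignore_checksums=True):
    """Command line for running the bare Bro binary, bypassing broctl.

    -C makes Bro ignore bad TCP/IP checksums; NIC checksum offload produces
    them on a local capture and without -C those packets are discarded.
    """
    cmd = ["bro", "-i", interface]
    if ignore_checksums:
        cmd.insert(1, "-C")
    return cmd


def diagnose(cfg_text, dest, known_ifaces=None):
    """Return a list of human-readable findings; empty means nothing obvious."""
    findings = []
    for name, node in parse_node_cfg(cfg_text).items():
        iface = node.get("interface")
        if iface is None:
            findings.append(f"{name}: no interface configured, so this node does not sniff")
            continue
        if not interface_present(iface, known_ifaces):
            findings.append(f"{name}: interface {iface} is not present on this host")
        if not traffic_visible(iface, dest):
            findings.append(f"{name}: traffic to {dest} will not cross {iface}")
    return findings


if __name__ == "__main__":
    # Usage: python diagnose_bro.py [node.cfg] [destination-under-test]
    cfg = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NODE_CFG
    target = sys.argv[2] if len(sys.argv) > 2 else "127.0.0.1"
    for line in diagnose(cfg, target) or ["no obvious problem in node.cfg"]:
        print(line)
    for name, node in parse_node_cfg(cfg).items():
        if "interface" in node:
            print(f"try without broctl: {' '.join(bro_command(node['interface']))}")
```

Run against the poster's setup and a curl to localhost, the script reports that traffic to 127.0.0.1 will not cross eth0, which is exactly the loopback-versus-eth0 mismatch raised in the first reply; against a remote destination it reports nothing, which points the investigation at packet capture itself (tcpdump on eth0, then the bare binary with -C).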