Hi Guys,<br><div class="gmail_quote"><br>I've been playing with Bro (1.3.2 dev release) on and off for a few weeks now. I like the idea of the product, the code looks good, and the scripting language quite powerful. Having said that I'm having a few problems.<br>
<br>1. I need a non-interactive install of Bro. I want to roll it out to a number of Red Hat-based sensors, so the usual process that requires human interaction is not feasible/maintainable. My usual approach with other software on the sensors is to create an rpm with a default install and then check the box/network-specific configuration out of svn over the top of the defaults.<br>
<br>The two-stage install (make install, make install-brolite) makes this a bit complicated. I tried separating out the parts of the install that need to be run on the target system and putting them in the rpm post-install (creating the bro user, checking kernel params). This involved chopping parts out of the Makefile, running the perl scripts in the post, and disabling the prompts by accepting defaults in brolite. Unfortunately I never got all this to work properly.<br>
<br>I'm hoping that someone who understands the installation process better than me can either create an rpm or an install-non-interactive Makefile target that drops a default install on the box :) Happy to accept any other suggestions too.<br>
<br>2. I'm having some trouble debugging a simple policy file (I'd include it, but it's on another network). I basically want to redefine some of the clear-passwords methods to reduce log noise by checking if this is a password we already know about, and to ignore IRC JOINs with no password.<br>
<br>When I run:<br><br>bro -d -r test.pcap brolite local.clear-passwords<br>or<br>bro -d -r test.pcap local.clear-passwords<br><br>it never drops into the debugger (and if you Ctrl-C it, it dies). But if I run<br><br>bro -d -r test.pcap brolite<br>
<br>it drops into the debugger fine. Help? My clear-passwords has the same load statements as the distributed version. Do I need something special to cause the debugger to break?<br><br>I'm at the stage where bro isn't giving me any errors about the policy but it is not producing any output, at all, for any policy. Any hints?<br>
<br>Thanks,<br><font color="#888888">Greg<br>
</font></div><br>