No Subject

Christian Kreibich christian at whoop.org
Tue Jul 20 12:02:31 PDT 2004 

Hi Deb,

I'm not quite sure I understand some of the details below so I'll just
point things out that sound odd ...

On Tue, 2004-07-20 at 10:10, Debra Dvorak wrote:
> Hello,
> 
> I am attempting to install and study bro as a grad project. I have RH 9
> installed and all updates done. I have not hardened the system yet
> because I don't want to disable something that will interfere with the
> IDS. 
> 
> I have the following installed (in installation order):
> perl-Tk-804.027-8.rh9, zlib-1.2.1, libpcap-0.8.3, tcpdump-3.8.3,
> mysql-4.0.15a, httpd-2.0.50, php-4.3.3. 
> 
> I downloaded bro (bro-pub-0.8a87) to /root/bro directory and untarred.
> I've tried installation with:  ./configure --with-PACKAGE=linux-include,

I think you can leave out the --with-PACKAGE stuff? "PACKAGE" is meant
to be replaced with the name of an optional package, like openssl or
mpatrol. I think the statement has no effect though.

> make, make install. I am getting an error at the make install as
> follows:
> bro /usr/local/sbin
> make: bro : Command not found
> make: ***  [install] Error 127

Just run "make install", not "make install bro" :)

> I've tried a couple of things:
> 
> ./bro -r example-attacks/ntp-attack.trace mt    this command gives some
> expected errors about scan.bro variables, etc...but also gives the log
> of the session. Using cat weird.log gives the following:
> 986505326.451411 128.3.9.239 > 128.3.9.62/ntp: truncated ntp.

So that means you can basically run Bro reading trace files. Cool.

> using ./bro -i eth0 -w testinglog.trace mt yields the same expected
> errors and then "listening on eth0" but when I end (ctl C). I get "0
> packets recieved on interface eth0, 0 dropped" with the nic operating
> both with an ip address and in "stealth mode". I am running nessus
> against the network and ethereal on the network to detect the traffic so
> there should be some traffic picked up on the interface (or I would
> expect it to be).

There are two points to consider here: 1) does ethereal show you any
traffic, and 2) do the analyzers you load into Bro care about this
traffic. Loading the mt policy script would suggest so ...

> cat testlog.trace gives either nothing or the
> following error: 
> ./bro: problem with trace file testlog.trace -fread; inappropriate ioctl
> for device.

This again is about running Bro reading a trace file, right?

It seems you currently get this message when you try to read from an
empty trace file (a zero length file, not an empty tcpdump trace file,
which still contains some data). We'll look into it -- in the meantime
try to read from a trace file that contains a few packets :)

Cheers,
Christian.
-- 
________________________________________________________________________
                                          http://www.cl.cam.ac.uk/~cpk25
                                                    http://www.whoop.org

More information about the Bro mailing list