[Bro] Empty reports

Mon Oct 4 11:03:51 PDT 2004

I have bro version 0.9a6 running.  I see impressive sizes for files in  
/usr/local/bro/logs.
For example...
[rreitz at gumshoe rreitz]$ ls -l /usr/local/bro/logs/*04-10-03*
-rw-r--r--  1 bro  wheel      88835 Oct  4 00:00  
/usr/local/bro/logs/alarm.gumshoe.04-10-03_00.00.00
-rw-r--r--  1 bro  wheel  787345802 Oct  4 00:00  
/usr/local/bro/logs/conn.gumshoe.04-10-03_00.00.00
-rw-r--r--  1 bro  wheel    3337706 Oct  4 00:00  
/usr/local/bro/logs/ftp.gumshoe.04-10-03_00.00.00
-rw-r--r--  1 bro  wheel    4008666 Oct  4 00:00  
/usr/local/bro/logs/http.gumshoe.04-10-03_00.00.00
-rw-r--r--  1 bro  wheel      28576 Oct  4 00:00  
/usr/local/bro/logs/info.gumshoe.04-10-03_00.00.00
-rw-r--r--  1 bro  wheel     139345 Oct  4 00:00  
/usr/local/bro/logs/notice.gumshoe.04-10-03_00.00.00
-rw-r--r--  1 bro  wheel        236 Oct  4 00:00  
/usr/local/bro/logs/signatures.gumshoe.04-10-03_00.00.00
-rw-r--r--  1 bro  wheel   14411249 Oct  4 00:00  
/usr/local/bro/logs/smtp.gumshoe.04-10-03_00.00.00
-rw-r--r--  1 bro  wheel        531 Oct  4 00:00  
/usr/local/bro/logs/software.gumshoe.04-10-03_00.00.00
-rw-r--r--  1 bro  wheel   59967793 Oct  4 00:00  
/usr/local/bro/logs/weird.gumshoe.04-10-03_00.00.00
-rw-r--r--  1 bro  wheel          0 Oct  3 00:00  
/usr/local/bro/logs/worm.gumshoe.04-10-03_00.00.00

but the reports generated for 10/3 are empty.
[rreitz at gumshoe rreitz]$ ls -lt /usr/local/bro/reports/local/
total 26
-rw-r--r--  1 root  wheel  1499 Oct  3 00:43 FNAL.1096781400.60653.rpt
-rw-r--r--  1 root  wheel  1499 Oct  2 00:42 FNAL.1096695000.56628.rpt
-rw-r--r--  1 root  wheel  1499 Oct  1 00:40 FNAL.1096608601.53259.rpt
...

The report size of 1499 contains header/footer formatting only.  For  
example...

Site Report for FNAL, from 2004/10/02 00:30:00 to 2004/10/03 00:30:00
generated on Sun Oct  3 00:43:37 2004
======================================================================== 
==
Summary
======================================================================== 
==
   Incidents
     Likely Successful
     Unknown
     Likely Unsuccessful

   Scanning Hosts
     Successful            0
     Unsuccessful          0

======================================================================== 
==
Incident Details
======================================================================== 
==
      No data to report
======================================================================== 
==
Scans
======================================================================== 
==
      No data to report

======================================================================== 
==
....

I need a clue where to look.  Can /usr/local/bro/scrits/site-report.pl  
be run stand alone?

Here is one configuration file I touched...
[rreitz at gumshoe rreitz]$ cat /usr/local/bro/site/intern.bro
# This file should describe your network configuration.
# If your local network is a class C, and its network
# address was 192.168.1.0 and a class B network
# with address space 10.1.0.0.
# Then you would put 192.168.1.0/24 and 10.1.0.0/16 into
# this file, telling bro what your local networks are.

@load site

redef local_nets: set[subnet] = {
     131.225.0.0/16
};

Thanks,
Randy Reitz
Computer Security Team