[Bro] how to add new event to Bro

Joncarlo Ruggieri joncarlo at ucdavis.edu
Wed Apr 6 14:37:17 PDT 2005 

Hi,

I'm running Bro on Red Hat Enteprise Linux 4.

I too had the error below regarding a bogus '-'

The culprit was bro.rc.

In this subroutine:

   pidisrunning() {

           else
                   # the rest of *NIX
                   _running_pid=`ps -o "pid,command" -ax | grep
   "${_pid}.*${_cmd_line}" | grep -v "grep ${_pid}.*${_cmd_line}"`
           fi


remove the "-" from "-ax" for the "ps" command.  The revised line would
be:

                   _running_pid=`ps -o "pid,command" ax | grep




Hope that helps!

Joncarlo Ruggieri
University of CA, Davis



On Wed, 6 Apr 2005 bchen at cs.ucf.edu wrote:

> Hi all,
>    I am new in Bro. I want to add new events to Bro. These events would occur
> when some statistical parameters cross multiple sessions to an internal
> host/network exceed their thresholds. An example event would be that the number
> of connections made from external hosts to an monitored internal host exceeds
> 100 in last two seconds. Another example event would be that the number of
> Rejected connection requests to my internal network exceeds 200 in last two
> minutes. Any one knows how to create such events?
>    Another problem I met when I tried to run Bro (./bro.rc --start) in Fedora 3.
> Success message was displayed on the screen. But when I check the status, it is
> not running. After I tried to run Bro again, the following error message
> appears:
> =============================================================================
> [root at localhost etc]# ./bro.rc --start
> bro.rc: Running as non-root user root
> bro.rc: Starting .........Warning: bad syntax, perhaps a bogus '-'? See
> /usr/share/doc/procps-3.2.3/FAQ
> bro.rc: Failed to start Bro
> Error in signature (signatures:1803): unknown identifier (dataSizeG100)
> Error in signature (signatures:1815): unknown identifier (dataSizeG100)
> Error in signature (signatures:1838): unknown identifier (dataSizeG100)
> Error in signature (signatures:1850): unknown identifier (dataSizeG100)
> ...................
> .... FAILED
> =============================================================================
>
> I then comment out the following statements in my locat site, Bro works
> properly.
>
> redef signature_files += "sig-addendum";
> redef signature_files += "signatures";
>
> Does anyone know what's this problem?
>
> thanks for your time
>
> Bing
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>

More information about the Bro mailing list