[Bro] how to add new event to Bro

bchen at cs.ucf.edu bchen at cs.ucf.edu
Wed Apr 6 18:17:05 PDT 2005


Thanks. that helps.

Bing


Quoting Joncarlo Ruggieri <joncarlo at ucdavis.edu>:

> Hi,
>
> I'm running Bro on Red Hat Enterprise Linux 4.
>
> I too had the error below regarding a bogus '-'
>
> The culprit was bro.rc.
>
> In this subroutine:
>
>   pidisrunning() {
>
>           else
>                   # the rest of *NIX
>                   _running_pid=`ps -o "pid,command" -ax | grep
>   "${_pid}.*${_cmd_line}" | grep -v "grep ${_pid}.*${_cmd_line}"`
>           fi
>
>
> remove the "-" from "-ax" for the "ps" command.  The revised line would
> be:
>
>                   _running_pid=`ps -o "pid,command" ax | grep
>
>
>
>
> Hope that helps!
>
> Joncarlo Ruggieri
> University of CA, Davis
>
>
>
> On Wed, 6 Apr 2005 bchen at cs.ucf.edu wrote:
>
>> Hi all,
>>    I am new to Bro. I want to add new events to Bro. These events 
>> would occur
>> when some statistical parameters across multiple sessions to an internal
>> host/network exceed their thresholds. An example event would be that 
>> the number
>> of connections made from external hosts to a monitored internal 
>> host exceeds
>> 100 in the last two seconds. Another example event would be that the number of
>> rejected connection requests to my internal network exceeds 200 in the last two
>> minutes. Does anyone know how to create such events?
>>    Another problem I met when I tried to run Bro (./bro.rc --start) 
>> in Fedora 3.
>> A success message was displayed on the screen. But when I check the 
>> status, it is
>> not running. After I tried to run Bro again, the following error message
>> appears:
>> =============================================================================
>> [root at localhost etc]# ./bro.rc --start
>> bro.rc: Running as non-root user root
>> bro.rc: Starting .........Warning: bad syntax, perhaps a bogus '-'? See
>> /usr/share/doc/procps-3.2.3/FAQ
>> bro.rc: Failed to start Bro
>> Error in signature (signatures:1803): unknown identifier (dataSizeG100)
>> Error in signature (signatures:1815): unknown identifier (dataSizeG100)
>> Error in signature (signatures:1838): unknown identifier (dataSizeG100)
>> Error in signature (signatures:1850): unknown identifier (dataSizeG100)
>> ...................
>> .... FAILED
>> =============================================================================
>>
>> When I comment out the following statements in my local site policy, Bro works
>> properly.
>>
>> redef signature_files += "sig-addendum";
>> redef signature_files += "signatures";
>>
>> Does anyone know what this problem is?
>>
>> thanks for your time
>>
>> Bing
>>
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>
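For the first question in the quoted message (raising an event when a per-host inbound connection count, or a network-wide rejected-connection count, crosses a threshold inside a time window), here is an added example that is not from this thread and not part of the Bro distribution. It is written in current Zeek script syntax (Zeek is the renamed Bro); the 2005 Bro dialect differs in places, for instance the startup event was `bro_init` rather than `zeek_init`, so the attribute and event names used here are assumptions to check against the version in use. The module name, the monitored networks and the script filename are placeholders.

```zeek
##! Added example, not code from the mailing-list thread or the Bro project.
##! Defines two new events that fire when connection-rate thresholds are
##! crossed. Written in current Zeek syntax; the 2005 Bro dialect may differ
##! (e.g. bro_init instead of zeek_init). Networks below are placeholders.

module ThresholdEvents;

export {
	## Internal address space to watch (assumed; adjust for your site).
	const monitored_nets: set[subnet] = { 10.0.0.0/8, 192.168.0.0/16 } &redef;

	## Thresholds and windows from the question in the thread.
	const conn_threshold = 100 &redef;
	const conn_window = 2sec &redef;
	const rej_threshold = 200 &redef;
	const rej_window = 2min &redef;

	## The new events. Other scripts can handle them like built-in events.
	global external_conn_flood: event(dst: addr, n: count);
	global rejected_conn_flood: event(n: count);
}

# Inbound connections per internal host. Each key is dropped conn_window
# after it was created, so this is a fixed-bucket approximation of
# "in the last two seconds", not a true sliding window.
global inbound_counts: table[addr] of count &default=0 &create_expire=conn_window;

# Hosts already reported in the current window, so one burst yields one event.
global reported_hosts: set[addr] &create_expire=conn_window;

# Rejected connections to the whole monitored space, reset every rej_window.
global rejected_count: count = 0;
global rejected_reported = F;

function is_internal(a: addr): bool
	{
	return a in monitored_nets;
	}

# Fires for every new connection Zeek sees, before any protocol analysis.
event new_connection(c: connection)
	{
	local orig = c$id$orig_h;
	local resp = c$id$resp_h;

	# Only count external -> internal connections.
	if ( is_internal(orig) || ! is_internal(resp) )
		return;

	++inbound_counts[resp];

	if ( inbound_counts[resp] > conn_threshold && resp !in reported_hosts )
		{
		add reported_hosts[resp];
		event external_conn_flood(resp, inbound_counts[resp]);
		}
	}

# Fires when the responder answers a SYN with a RST (or equivalent).
event connection_rejected(c: connection)
	{
	if ( ! is_internal(c$id$resp_h) )
		return;

	++rejected_count;

	if ( rejected_count > rej_threshold && ! rejected_reported )
		{
		rejected_reported = T;
		event rejected_conn_flood(rejected_count);
		}
	}

# Periodic reset of the network-wide counter via a self-rescheduling event.
event reset_rejected()
	{
	rejected_count = 0;
	rejected_reported = F;
	schedule rej_window { reset_rejected() };
	}

event zeek_init()
	{
	schedule rej_window { reset_rejected() };
	}

# Example handlers for the new events; a site policy would log or notify here.
event external_conn_flood(dst: addr, n: count)
	{
	print fmt("%s: %d external connections to %s within %s",
	          network_time(), n, dst, conn_window);
	}

event rejected_conn_flood(n: count)
	{
	print fmt("%s: %d rejected connections to monitored networks within %s",
	          network_time(), n, rej_window);
	}
```

Load it alongside the site policy, or test it offline against a capture with something like `zeek -r trace.pcap threshold.zeek` (assumed filenames). Two design points worth noting: a per-key `&create_expire` gives a cheap bucketed count that resets relative to the first connection in the bucket, so a burst straddling a bucket boundary can be under-counted; if exact sliding-window semantics matter, keep the per-connection timestamps instead and prune them on each arrival. The `reported_hosts` set and the `rejected_reported` flag exist so that a flood raises one event per window rather than one per connection above the threshold.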