[Bro] broccoli tests

Mike Muratet mike.muratet at torchtechnologies.com
Mon Jun 6 11:02:30 PDT 2005 

----- Original Message ----- 
From: "Christian Kreibich" <christian at whoop.org>
To: "Bro List" <bro at bro-ids.org>
Sent: Friday, June 03, 2005 5:26 PM
Subject: Re: [Bro] broccoli tests


> On Fri, 2005-06-03 at 14:32 -0700, Christian Kreibich wrote:
>> Hi Mike,
>>
>> I just noticed there may be issues with connections that *don't* require
>> synchronized access because all my latest experiments required this
>> feature.
>
> I've just fixed these problems in CVS and bundled up a snapshot tarball:
>
> http://www.cl.cam.ac.uk/~cpk25/broccoli/snapshots/broccoli-0.8.060305.tar.gz
>
> Please use this one until 0.8 is out. I've verified that broping really
> should work out of the box with this tarball and Bro 0.9a9. Just run bro
> directly with broping.bro, and don't pass any arguments to broping.
> Output from the two shells:
>
> $ ./bro ~/devel/Broccoli/test/broping.bro
> 1117837283.819435 warning: event handlers never invoked:
> 1117837283.819435 warning:       ping
>
> $ broping
> pong event from 127.0.0.1: seq=0, time=0.010662/1.010452 s
> pong event from 127.0.0.1: seq=1, time=0.008867/1.008964 s
> pong event from 127.0.0.1: seq=2, time=0.038239/1.009833 s
> pong event from 127.0.0.1: seq=3, time=0.009923/1.009428 s
> pong event from 127.0.0.1: seq=4, time=0.038738/1.009980 s
>
> Let me know if it still doesn't work for you.
>

I'm still having trouble. Here's where I've looked for a solution:

I stopped bro and used nmap to scan 47757 and 47758 and they are both 
closed. I then restarted bro with load @broping as the last line in my 
local.site.bro and repeated the scan with the result that 47757 is now open. 
The latest iana.org list shows these ports are in an 'unassigned' range. I 
am starting bro logged in a root and the bro.cfg file defines root as the 
user.

The comm.log file says that bro is listening on 127.0.0.1:47757. It also 
complains on the line above this that "can't bind to port: address in use". 
I have no clue what this means, since the port scan shows those ports closed 
when bro is stopped.

I looked at broping.bro, which loads listen-clear.bro which loads 
remote.bro. remote.bro defines 'default_port_clear=47757.tcp'. 
listen-clear.bro uses this value to initialize listen_port_clear. 
broping.bro checks to see if listen_port_clear is defined and if so 
redefines it to 47758. If this were successful, would not the port scan show 
47758 as open? Running broping -d -d I see in the output that the connection 
was refused to 127.0.0.1:47758.

Any suggestions how to troubleshoot the port?

Thanks

Mike

More information about the Bro mailing list