[Bro] broccoli tests

Jason R. Lee JRLee at lbl.gov
Mon Jun 6 14:12:14 PDT 2005


Mike,

I usually just do this (my shell is bash):
cd /usr/local/bro
. etc/bro.cfg
./bro -i eth1 -i eth2 localhost.localdomain.bro

The '. etc/bro.cfg' should set your $BROHOME and $BROPATH
correctly to find all of the needed files.

The order the files load is that bro is invoked with a start
file (in the above localhost.localdomain.bro). In that file (which is
in $BROHOME/site) there should be a couple of lines like this at
the top:

---------------- localhost.localdomain.bro ----------------------------
@prefixes = local
@load site      # file generated by the network script for dynamic config
                    # of the local network subnets.

# Make any changes to policy starting here
....
-------------- end  --------------------------------------

and the '@load site' will load the local.site.bro file from $BROHOME/site.
If you're making changes, you should be making them to the
'localhost.localdomain.bro' file (which really should be the name of your
box, i.e. foo.example.com.bro).

If you don't have any network info in local.site.bro, bro will not be
able to tell which hosts are 'inside' the network, and which are
'outside' ;-)


Having said all this, if you see that bro is listening on 47758, I'm
pretty sure that it has loaded the broccoli stuff.

Cheers,
jason


Mike Muratet wrote:

>
> Hello Again
>
> Well, this is a lot like a scene in a Hitchcock movie where they do 
> that thing with the lens that makes the hallway seem to get longer and 
> longer.
>
> I have tried a few more things. It appears to me that my 
> local.site.bro is not getting called. I can use broping.bro or 
> broping-record.bro as my starting policy in bro.cfg and I can verify 
> that bro is listening on 47758 with nmap. I can capture the 
> transactions with tcpdump per Scott's recommendation and I can see 
> that there are 7 messages from 127.0.0.1:34102 to 127.0.0.1:47758 with 
> replies. I forget how to interpret the payloads, but I'll go back and 
> read the manual. In any event, all the combinations of broping.bro, 
> broping-record.bro and broping -r return "Could not connect to bro at 
> 127.0.0.1:47758".
>
> So, I reconfigured bro with bro_config. It sets the start policy to 
> localhost.localdomain.bro and I gave it an empty file. I'm not sure 
> I'm entirely clear as to the purpose of this parameter, but that's 
> OK--I don't think that's where the problem lies. With this 
> configuration, the broping script is not getting called and it looks 
> to me that local.site.bro is not getting called. I put print and log 
> statements in it and I don't see anything on standard out or in the logs.
>
> So, does local.site.bro get called automatically or do I have to 
> coerce it with a load statement? If I can make sure bro is configured 
> properly then maybe the rest will fall into place. I notice that 
> bro_config writes some network information into local.site.bro. What 
> happens to bro if this information is not available?
>
> Thanks
>
> Mike