[Bro] broccoli tests

Mike Muratet mike.muratet at torchtechnologies.com
Mon Jun 6 15:08:16 PDT 2005


----- Original Message ----- 
From: "Jason R. Lee" <JRLee at lbl.gov>
Cc: "Bro List" <bro at bro-ids.org>
Sent: Monday, June 06, 2005 4:12 PM
Subject: Re: [Bro] broccoli tests


>
>
> Mike,
>
> I usually just do this (my shell is bash):
> cd /usr/local/bro
> . etc/bro.cfg
> ./bro -i eth1 -i eth2 localhost.localdomain.bro
>
> The '. etc/bro.cfg' should set your $BROHOME and $BROPATH
> correctly to find all of the needed files.
>
> The order the files load is that bro is invoked with a start
> file (in the above localhost.localdomain.bro). In that file (which is
> in $BROHOME/site)  there should be a couple  of lines like this at
> the top:
>
> ---------------- localhost.localdomain.bro ----------------------------
> @prefixes = local
> @load site      # file generated by the network script for dynamic config
>                    # of the local network subnets.
>
> # Make any changes to policy starting here
> ....
> -------------- end  --------------------------------------
>
> and the '@load site' will load the local.site.bro file from $BROHOME/site.
> If you're making changes, you should be making them to the
> 'localhost.localdomain.bro' file (which really should be the name of your
> box, i.e. foo.example.com.bro).

I would cut the above out and paste it into the manual. I suspected it was 
supposed to work this way but it's not clear. Specifically, there's nothing 
in the manual that says how local files get called, and the bro_config 
script apparently doesn't write the necessary lines into 
localhost.localdomain.bro.

The above procedure is failing with a 'can't open site' error. 
local.site.bro is in $BROPATH. But at least it's something that can be 
checked.

>
> If you don't have any network info in local.site.bro, bro will not be able
> to tell which hosts are 'inside' the network, and which are 'outside' ;-)
>

Yes, and all other things being equal I think my problem lies in there 
somewhere.

>
> Having said all this, if you see that bro is listening to 47758, I'm
> pretty sure that it has loaded the broccoli stuff.
>

Well, it did when I used broping.bro as my start policy. If I can figure out 
what's going on with bro and the file system such that it can't find 
local.site.bro, maybe I'll be on my way.

Cheers

Mike 



