[Bro] tcpdump -w

Angelita de Cássia Corrêa angelita at uol.com.br
Thu Jun 16 12:40:10 PDT 2005


Now, I tested using these commands:

> /usr/local/bro/bin/bro -r /home/angelita/test.trace tcp.bro
line 1: warning: event handlers never invoked:
line 1: warning:         account_tried
Saving state...

> /usr/local/bro/bin/bro -r /home/angelita/test.trace scan.bro
Reading .state/state.bst ...
line 1: warning: event handlers never invoked:
line 1: warning:         account_tried
Saving state...

In the logs directory /usr/local/bro/logs, I have logs about my scan tests,
but if I run the site-report.pl and mail_reports.sh scripts, they don't show
the scans, for example.

What is the best way to resolve this? Now the report shows the IP ("attack
machine"), but doesn't show the scan or incident details.

Thanks


----- Original Message ----- 
From: "Christian Kreibich" <christian at whoop.org>
To: "Bro List" <bro at bro-ids.org>
Cc: "Angelita de Cássia Corrêa" <angelita at uol.com.br>
Sent: Thursday, June 16, 2005 3:15 PM
Subject: Re: [Bro] tcpdump -w


On Thu, 2005-06-16 at 11:35 -0300, Angelita de Cássia Corrêa wrote:
> Thanks, I put the two lines in .bash_profile:
> export BROHOME=/usr/local/bro
> export BROPATH=/usr/local/bro/policy:/usr/local/bro/site
>
> Now, when I run this command to test:   /usr/local/bro/bin/bro -r
> /home/angelita/test.trace scan
>
> I received this message: /usr/local/bro/bin/bro: problem with trace file
> /home/angelita/test.trace - fread: Inappropriate ioctl for device

I believe that's a pcap error message passed to Bro, and I seem to
recall seeing that error message when the trace file you're passing is
empty. Could that be possible? In any case, you want that file to be a
pcap trace file, typically generated using tcpdump -w.

  http://mailman.icsi.berkeley.edu/pipermail/bro/2004-July/001545.html

Cheers,
Christian.
-- 
________________________________________________________________________
                                          http://www.cl.cam.ac.uk/~cpk25
                                                    http://www.whoop.org
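The reply above attributes the fread error to an empty trace file and says Bro expects a pcap file as written by tcpdump -w. The following script is an added example, not code from this thread or from the Bro project: it reads the libpcap file header and packet records so that an empty, truncated or non-pcap file is diagnosed before it is handed to bro -r. The magic numbers and the 24-byte global header / 16-byte record header layout are the libpcap file format; the make_pcap helper and the frames it builds are constructed test input.

```python
"""Inspect a trace file before feeding it to Bro (added example, not from the Bro project).

Reads the libpcap global header and walks the packet records, reporting whether
the file is empty, not a pcap file at all, a pcapng file, or a classic pcap file
(with version, timestamp resolution, link type, packet count and truncation).
"""
import struct

# Classic libpcap magic numbers, as the four bytes appear at the start of the file.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", "microseconds"),  # little-endian, usec timestamps
    b"\xa1\xb2\xc3\xd4": (">", "microseconds"),  # big-endian, usec timestamps
    b"\x4d\x3c\xb2\xa1": ("<", "nanoseconds"),   # little-endian, nsec timestamps
    b"\xa1\xb2\x3c\x4d": (">", "nanoseconds"),   # big-endian, nsec timestamps
}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"  # pcapng Section Header Block; recognized, not parsed here


def inspect_pcap(data: bytes) -> dict:
    """Return a summary of the trace held in `data` (the whole file's bytes)."""
    if len(data) == 0:
        return {"kind": "empty"}
    if data[:4] == PCAPNG_MAGIC:
        return {"kind": "pcapng"}
    if len(data) < 24 or data[:4] not in PCAP_MAGICS:
        return {"kind": "not-pcap"}
    endian, resolution = PCAP_MAGICS[data[:4]]
    # Global header: magic, version major/minor, thiszone, sigfigs, snaplen, linktype (24 bytes)
    _, major, minor, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    # Each packet record: ts_sec, ts_usec, incl_len, orig_len (16 bytes) followed by incl_len bytes
    packets = 0
    truncated = False
    offset = 24
    while offset < len(data):
        if offset + 16 > len(data):
            truncated = True
            break
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[offset:offset + 16])
        if offset + 16 + incl_len > len(data):
            truncated = True
            break
        offset += 16 + incl_len
        packets += 1
    return {
        "kind": "pcap",
        "version": f"{major}.{minor}",
        "timestamps": resolution,
        "snaplen": snaplen,
        "linktype": linktype,
        "packets": packets,
        "truncated": truncated,
    }


def inspect_file(path: str) -> dict:
    """Convenience wrapper: inspect a trace on disk."""
    with open(path, "rb") as f:
        return inspect_pcap(f.read())


def make_pcap(frames, linktype=1, snaplen=65535) -> bytes:
    """Build a minimal little-endian pcap file from raw frame bytes (constructed test input).

    linktype 1 is LINKTYPE_ETHERNET; the frame contents are arbitrary filler.
    """
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1118966400 + i, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    import sys
    print(inspect_file(sys.argv[1]))
```

Run it as `python inspect_trace.py /home/angelita/test.trace` (the script name is a placeholder) before `bro -r`: a result of `{"kind": "empty"}` matches the situation the reply describes, and `"truncated": True` points at a capture that was cut off while tcpdump was still writing.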


