[Bro] What am I doing wrong here?

Jean-Philippe Luiggi jp.luiggi at free.fr
Wed Nov 29 12:53:04 PST 2006


Hello,

As far as I know (but I may have missed something :) ), Bro doesn't listen on a
specific network port, and you can't ask it to deliver a service as you would for an Apache server.

So just protect your firewall as usual.

Best regards.

On Wed, Nov 29, 2006 at 01:34:58PM -0600, David Caldwell wrote:
> That is something I did not know till I got the responses from you  
> guys. I re-ran brolite, and used the default user [root] for the user  
> to run under. Now bro has started up and is doing something that  
> resembles its job at this point. The startup was successful, and we  
> shall see what kind of stuff it collects sitting in the internal
> office network for the next couple of hours.
> 
> Now with the next question.
> 
> Since the service runs as root, and the eth1 interface that it is  
> running on is going to be exposed to the outside world, what do I  
> need to do to my firewall config on this box to protect it from attack?
> What are your suggestions? I can run some pretty simple firewall  
> rules to simply deny all on the interface, and allow only internal  
> requests, but will this hinder bro from being able to do its job?
> 
> David
> 
> 
> On Nov 29, 2006, at 12:59 PM, Jason Lee wrote:
> 
> >
> > I think on Linux you have to run bro as root otherwise it can't
> > open the Ethernet device in promiscuous mode.
> >
> > Cheers,
> > jason
> >
> >
> >
> > David Caldwell wrote:
> >> Okay, I now have bro installed. Things appear to be in the right
> >> place. I must have missed something in the docs to get this working,
> >> and I am sure that it does not help that I am not exactly familiar
> >> with Debian. Bear with me here as I stumble my way through a new OS
> >> and Bro. I expect I am going to ask a lot of stupid questions, but I
> >> am documenting everything so that it may be used later to update or
> >> possibly improve the documentation or help someone else who is in the
> >> same boat I am.
> >>
> >> Here is what I get when I try to start Bro from the command line:
> >>
> >> jyd:/etc/rc3.d# /etc/init.d/bro.rc start
> >> bro.rc: Running as non-root user bro
> >> No directory, logging in with HOME=/
> >> bro.rc: Starting ..........bro.rc: Failed to start Bro
> >> /usr/local/bro/bin/bro: problem with interface eth1 - pcap_open_live:
> >> socket: Operation not permitted
> >> .. FAILED
> >>
> >> Here are the outputs in the log files in /usr/local/bro/logs:
> >>
> >> /usr/local/bro/bin/bro: problem with interface eth1 - pcap_open_live:
> >> socket: Operation not permitted
> >>
> >> Am I missing a permission issue here or what? Do I need to make some
> >> changes in a config file that I missed?
> >>
> >> TIA
> >>
> >> David Caldwell
> >> Colsa-HMT
> >>
> >> _______________________________________________
> >> Bro mailing list
> >> bro at bro-ids.org
> >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> >>
> >
> 


