[Bro] Several questions

Paul Schmehl pauls at utdallas.edu
Thu Jul 12 13:37:15 PDT 2007


I'm working on an upgrade to the bro port in FreeBSD (from 0.9a4a to 
1.1d-stable.)  I've never used bro, but I maintain a number of ports.  I've 
found that bro is quite a complex port.  I've had to address a number of 
issues where bro does things in a "non-standard" (for FreeBSD) way, but 
I've finally got the port installing correctly and in the "right" (for 
FreeBSD) locations.

Now I'm testing running bro, and I've run into some problems that I don't 
know the answer to.

1) When I try to run bro.rc start, I get a permission denied error.

bro.rc: Starting ..........bro.rc: Failed to start Bro
/var/tmp/bro/bin/bro.rc: /var/tmp/bro/bin: Permission denied
... FAILED

I tried changing the user from bro to root, but I still get the error.  All 
the directories and files have the "standard" permissions (xwrx-rx-r for 
dirs and executables, -rw-r--r- for other files such as policy files and 
scripts).  The messages file doesn't include any additional information.

If I set DEBUG=1 in bro.rc, I get this:

root@utd59514# /var/tmp/bro/bin/bro.rc start
bro.rc: Starting /var/tmp/bro/bin/bro.rc: /var/tmp/bro/bin: Permission denied

Huh?

root@utd59514# ls -lsa /var/tmp/bro/bin/bro
1760 -r-xr-xr-x  1 root  wheel  1784264 Jul 12 09:27 /var/tmp/bro/bin/bro

And I can run bro from the command line (although that brings up another 
issue).

root@utd59514# /var/tmp/bro/bin/bro -i bge0
^C

Any suggestions as to where to look for this problem would be appreciated.

2) I can't seem to figure out the correct format for the local.site.bro file.

root@utd59514# /var/tmp/bro/bin/bro -i bge0 utd59514.utdallas.edu.bro
/var/tmp/bro/bro/site/utd59514.utdallas.edu.bro, line 1: error: syntax error, at or near ","

Here's the file:

root@utd59514# less /var/tmp/bro/bro/site/utd59514.utdallas.edu.bro
129.110.0.0/16, 10.0.0.0/8

I have tried enclosing this in brackets [129.110.0.0/16, 10.0.0.0/8].  I 
have tried replacing the comma with a space.  I have tried 129.110.0.0/16 
with and without the brackets.  No matter what format I use, I get the 
syntax error.

Is this a bug?  Or have I missed something doh simple?

-- 
Paul Schmehl (pauls at utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/