[Bro] Debugging and non-interactive install

Greg Lindon greglindon at gmail.com
Fri Jun 20 07:37:55 PDT 2008


Hi Guys,

I've been playing with Bro (1.3.2 dev release) on and off for a few weeks
now.  I like the idea of the product, the code looks good, and the scripting
language is quite powerful.  Having said that, I'm having a few problems.

1.  I need a non-interactive install of Bro.  I want to roll it out to a
number of Red Hat-based sensors, so the usual process that requires human
interaction is not feasible/maintainable.  My usual approach with other
software on the sensors is to create an RPM with a default install and then
check the box/network-specific configuration out of svn over the top of the
defaults.

The two-stage install (make install, make install-brolite) makes this a bit
complicated.  I tried separating out the parts of the install that need to
be run on the target system and putting them in the RPM post-install
(creating the bro user, checking kernel params).  This involved chopping parts
out of the makefile, running the perl scripts in the post-install, and disabling the
prompts by accepting defaults in brolite.  Unfortunately I never got all
of this to work properly.

I'm hoping that someone who understands the installation process better than
I do can either create an RPM or an install-non-interactive Makefile target
that drops a default install on the box :)  Happy to accept any other
suggestions too.

2.  I'm having some trouble debugging a simple policy file (I'd include it,
but it's on another network).  I basically want to redefine some of the
clear-passwords methods to reduce log noise by checking if this is a
password we already know about, and to ignore IRC JOINs with no password.

When I run:

bro -d -r test.pcap brolite local.clear-passwords
or
bro -d -r test.pcap local.clear-passwords

it never drops into the debugger (and if you Ctrl-C it, it dies).  But if I run

bro -d -r test.pcap brolite

it drops into the debugger fine.  Help?  My clear-passwords has the same
load statements as the distributed version. Do I need something special to
cause the debugger to break?

I'm at the stage where bro isn't giving me any errors about the policy but
it is not producing any output, at all, for any policy.  Any hints?

Thanks,
Greg
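The non-interactive rollout described in point 1 (packaged defaults, idempotent post-install steps, site configuration overlaid from a checkout) as an added example.  This is not Bro's own installer or makefile and is not code from the original post; the install prefix, the service account name, the checkout location and the kernel parameter threshold are all assumptions, not values taken from Bro 1.3.2.

```sh
#!/bin/sh
# Added example (not Bro's installer): the post-install steps an RPM %post
# section needs so the install can be repeated without prompts.  Every
# path, account name and threshold below is an assumption for illustration.
set -eu

BRO_PREFIX="${BRO_PREFIX:-/usr/local/bro}"   # assumed install prefix
BRO_USER="${BRO_USER:-bro}"                  # assumed service account
SITE_CHECKOUT="${SITE_CHECKOUT:-/etc/bro-site}"  # assumed svn checkout location

# Create the unprivileged service account only if it is missing, so %post
# can run again on upgrade without failing.
ensure_user() {
    if getent passwd "$1" >/dev/null 2>&1; then
        return 0
    fi
    useradd -r -s /sbin/nologin -d "$BRO_PREFIX" "$1"
}

# Compare one kernel parameter against a minimum.  Warns and returns 1 when
# the parameter is absent or below the minimum; reads /proc/sys directly so
# it does not depend on sysctl(8) being on the path.
check_kernel_param() {   # check_kernel_param net.core.rmem_max 8388608
    path="/proc/sys/$(printf '%s' "$1" | tr . /)"
    if [ ! -r "$path" ]; then
        echo "warning: $1 is not present on this kernel" >&2
        return 1
    fi
    cur=$(cat "$path")
    if [ "$cur" -lt "$2" ]; then
        echo "warning: $1=$cur is below the recommended $2" >&2
        return 1
    fi
    return 0
}

# Lay the site-specific checkout over the packaged defaults.  Files in the
# checkout replace same-named files under the install dir; default files
# with no override are left untouched, so the package owns the defaults and
# the checkout owns only what differs per box or network.
overlay_config() {   # overlay_config <checkout dir> <install dir>
    src=$1
    dst=$2
    ( cd "$src" && find . -type f ) | while IFS= read -r f; do
        mkdir -p "$dst/$(dirname "$f")"
        cp -p "$src/$f" "$dst/$f"
    done
}

main() {
    ensure_user "$BRO_USER"
    # Warn rather than abort: a low buffer setting should not break the package install.
    check_kernel_param net.core.rmem_max 8388608 || true   # assumed threshold
    overlay_config "$SITE_CHECKOUT" "$BRO_PREFIX/site"
}

# Run the install steps only when invoked as the post-install hook, so the
# functions can be sourced and exercised without root.
if [ "${BRO_POST_RUN:-0}" = 1 ]; then
    main
fi
```

The point of the split is that nothing in `main` prompts, and every step is safe to re-run: the user is created only if absent, the kernel check only warns, and the overlay copies files rather than moving directories, so a second `rpm -U` or a fresh svn update leaves the box in the same state.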