[Bro] analysis-groups

[Robin Sommer]

On Tue, Mar 03, 2009 at 16:03 -0500, you wrote:

> up and running.  It refuses and then it shames me.  First, I'll detail
> what I've tried, and then I'll tell you where I'm stuck.

I'm sorry about the trouble but you're actually mixing multiple
things here. 

> I attempted to compile and install it, only to find out that the part
> that actually allows it to install and run (bro-lite) was not only
> deprecated, but was helpfully disabled as shipped in order to prevent me
> from blundering into an unsupportable situation.

The bro-lite install is indeed broken in 1.4 but there's a patch in
our tracker which seems to fix the issue; see
http://tracker.icir.org/bro/ticket/51 . Please try this and let me
know if it works for you. 

> I read a huge chunk of the mailing list archives and determined that in
> order to use the "release" version of bro, I would have to install a
> bleeding-edge clustering component, as a test of my mettle.

The cluster shell scripts are supposed to be used only with my
development branch for now. Using them with 1.4 may or may not work,
I don't know. 

> Not to be thwarted, I used Google to try to find out about the file, and
> found a hidden copy in the web interface of the SVN repository.

Well, it's not exactly hidden. If you'd checked out the development
branch (see above), you would have had it.

> segfault and die.  As best I can tell, it's dying in
> DNS_Mgr::Process() .  I'm guessing that's not normal behavior, or
> someone else would probably have emailed about it.  

Hard to tell what this is without further information. There's a
blog posting at
http://blog.icir.org/2009/01/how-to-report-bro-problem.html
describing how to get more context for such problems. In particular,
a stack backtrace would be helpful here. 

Robin

-- 
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org 
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org