[Bro] failed to start BRO
jags0nhak3r at engineer.com
Sun Nov 1 19:44:03 PST 2009
Thanks jean
I have done it..
-----Original Message-----
From: jean-philippe luiggi <jean-philippe.luiggi at didconcept.com>
To: jags0nhak3r at engineer.com
Cc: bro at ICSI.Berkeley.EDU
Sent: Fri, Oct 30, 2009 7:55 pm
Subject: Re: [Bro] failed to start BRO
* jags0nhak3r at engineer.com <jags0nhak3r at engineer.com> [2009-10-29 21:51:33 -0400]:
>
> Hi,
>
> Thanks for your Re
>
> I figured out that localhost.localdomain.bro is a file and BRO needs to open it when it starts. That file should be located at {BROPATH}, that is right.
>
> here is my BROPATH
>
> # Bro policy paths
> BROPATH="/usr/local/bro/share/bro/site:/usr/local/bro/share/bro:/usr/local/bro/share/bro/sigs:/usr/local/bro/share/bro/time-machine"
> export BROPATH
>
> # Filename of the Bro start policy. Must be located in one of the directories in $BROPATH
> BRO_START_POLICY="localhost.localdomain.bro"
>
> I wonder why the so-called file localhost.localdomain.bro is not created in BROPATH by default. Thus, I created it in this PATH /usr/local/bro/share/bro manually and BRO successfully started.
>
> I also would like to know what the purpose of that file is and what should be in it.
>
> btw,
> 1- what and how should I start to capture packets, analyze them?
> 2- what commands shall I run where the analysis files are stored?
>
> I read in the BRO user manual that to run BRO you type the following command
>
> bro -[options]
> but when I run bro, which is a binary file, I get bash: bro: command not found
>
> what is wrong with my configuration...
>
>
> Please I need assistance,
>
> Regards
Hello,
Bro is very good at various things and one of them is its customisation for your specific environment.
You may need to tweak the NIDS to bring it in line with your network, etc., hence the reason for such a file (localhost.localdomain.bro).
In order to capture data, you need to specify what you want to catch, so here are the various *.bro.
My config file (bro.cfg) has:
BRO_START_POLICY="mygw"
and this file contains only one line:
@load brolite
("brolite.bro" is found in one of the directories specified by BROPATH.)
Concerning the analysis, apart from the BROPATH we talked about before, there's also a BROLOGS environment variable.
Here is mine:
# Directory containing Bro logs
BROLOGS="/opt/share/bro-1.4/logs"
export BROLOGS
So as soon as bro begins, it'll report various things in this directory.
I have some (perhaps) stupid questions:
Did you set up a "bro.cfg" (you can do it using "bro_config")?
And do you run bro using "bro.rc"?
With regards,
Jean-Philippe.
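
A pre-flight check for the three settings discussed in this thread (start policy resolvable through BROPATH, BROLOGS present, bro binary on PATH), as an added example that is not part of either message or of Bro itself. The function names and the BRO_BIN variable are hypothetical, and trying both the bare name and name.bro is an assumption made to cover both spellings used above; BROPATH, BRO_START_POLICY and BROLOGS are expected to be set in the environment already.

```shell
#!/bin/sh
# Added example: checks the Bro settings from this thread before starting Bro.

# find_policy NAME SEARCHPATH
# Prints the first NAME or NAME.bro found in the colon-separated SEARCHPATH
# and returns 0; returns 1 when no directory contains it.
find_policy() {
    name=$1
    old_ifs=$IFS
    IFS=:
    for dir in $2; do
        [ -n "$dir" ] || continue          # skip empty path elements
        for cand in "$dir/$name" "$dir/$name.bro"; do
            if [ -f "$cand" ]; then
                IFS=$old_ifs
                printf '%s\n' "$cand"
                return 0
            fi
        done
    done
    IFS=$old_ifs
    return 1
}

# bro_preflight
# Reads BROPATH, BRO_START_POLICY and BROLOGS from the environment, reports
# each problem on stderr and returns the number of problems found (0 = ready).
# BRO_BIN (hypothetical) names the binary to look for; it defaults to "bro".
bro_preflight() {
    problems=0
    if ! find_policy "$BRO_START_POLICY" "$BROPATH" >/dev/null; then
        echo "start policy '$BRO_START_POLICY' not found in BROPATH" >&2
        problems=$((problems + 1))
    fi
    if [ ! -d "$BROLOGS" ] || [ ! -w "$BROLOGS" ]; then
        echo "BROLOGS '$BROLOGS' is not a writable directory" >&2
        problems=$((problems + 1))
    fi
    if ! command -v "${BRO_BIN:-bro}" >/dev/null 2>&1; then
        echo "'${BRO_BIN:-bro}' is not on PATH (bash: command not found)" >&2
        problems=$((problems + 1))
    fi
    return "$problems"
}
```

Call bro_preflight in a shell where the three variables have been set and exported; a non-zero return value is the count of failed checks.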