[Bro] failed to start BRO

jean-philippe luiggi jean-philippe.luiggi at didconcept.com
Fri Oct 30 04:55:54 PDT 2009 

* jags0nhak3r at engineer.com <jags0nhak3r at engineer.com> [2009-10-29 21:51:33 -0400]:

> 
>  
> 
>  
> Hi, 
> 
> Thanks for your Re
> 
> I figured out that localhost.localdomain.bro is file and BRO needs to open it when it starts. that file should be located at {BROPATH}, that is right.
> 
> here is my BROPATH
> 
> # Bro policy paths
> BROPATH="/usr/local/bro/share/bro/site:/usr/local/bro/share/bro:/usr/local/bro/share/bro/sigs:/usr/local/bro/share/bro/time-machine"
> export BROPATH
> 
> # Filename of the Bro start policy.  Must be located in one of the directories in $BROPATH
> BRO_START_POLICY="localhost.localdomain.bro"
> 
> I wonder why the so called file localhost.localdomain.bro is not created in BROPATH by default. Thus, I created it in this PATH
> /usr/local/bro/share/bro manually and BRO successfully started. 
> 
> I also would like to know what is the purpose of that file what should be in it?
> 
> btw, 
> 1- what and how should I start to capture packets, analyze them? 
> 2-  what commands shall I run where the analysis files are stored?
> 
> I read in the BRO user manual, it mentions that to run BRO type the following comman 
> 
> bro  -[options]
> but when I run bro, which is a binary file, I get    bash: bro: command not found
> 
> what is wrong with my configuration...
> 
> 
> Please I need assistance, 
> 
> Regards

  Hello,
  
  Bro is very good in various things and one of them is the customisation of
  it on behalf of your specific environment.
  You may need to tweak the NIDS in order to make it in accordance with your
  network, etc. so the reason of such a file (localhost.localdomain.bro).
  
  In order to capture data, you need to specify what do you want to catch so here
  are the various *.bro.
  
  my config file (bro.cfg) have :
  
  BRO_START_POLICY="mygw"
  
  and this file contains only one line :
  
  @load brolite 
  
  ("brolite.bro" is found in one of the directory specified by BROPATH).
  
  Considering the analyze, apart from the BROPATH we talk about before, there's 
  too a BROLOGS's environment variable.
  
  Here is mine :
  
  # Directory containing Bro logs
  BROLOGS="/opt/share/bro-1.4/logs"
  export BROLOGS
  
  So as soon as bro begins, it'll report various things in this directory.
  
  I've some (perhaps) stupid questions :
  
  Did you setup a "bro.cfg" (you can do it using "bro_config").
  
  And do you run bro using "bro.rc" ?
  
  With regards,
  
  Jean-Philippe.

More information about the Bro mailing list