From jmellander at lbl.gov Fri Jul 2 08:57:09 2010
From: jmellander at lbl.gov (Jim Mellander)
Date: Fri, 02 Jul 2010 08:57:09 -0700
Subject: [Bro] Differences in processing multiple traces with BRO and ipsumdump
In-Reply-To: <201006261600.o5QG0WBW022937@pork.ICSI.Berkeley.EDU>
References: <201006261600.o5QG0WBW022937@pork.ICSI.Berkeley.EDU>
Message-ID: <4C2E0C55.7060108@lbl.gov>

Vern Paxson wrote:
>> I'm still puzzled over ipsumdump because the difference in connection number
>> is big and the tool does not give you any hint about the existence of a
>> problem, thus it is easy to get a wrong analysis with bro.
>
> Hmmmm - we make heavy use of ipsumdump for trace analysis, and haven't run
> across this sort of problem before. If you can put together a demonstration
> of the problem, send it to Eddie Kohler (the ipsumdump developer), he's
> quite responsive in fixing bugs. Also, cc me on the note, as I'd like to
> understand the issue better.
>
> Vern

I used to use ipsumdump to stitch together multiple pcap files into one, but
have found on occasion that it doesn't always output in timestamp sorted order.
Don't have a testcase right now, but IIRC, it occurred if using a large number
of files.

Consequently, I wrote a little utility 'tcpsort', which although it has its
deficiencies (in memory sort of timestamps which restricts total size of input
files, and two passes thru the input files) works for the purpose of stitching
multiple pcap files together in timestamp sorted order. I can post it if
there's interest.

--
Jim Mellander
Lawrence Berkeley National Laboratory
(510) 486-7204

The reason you are having computer problems is:

knot in cables caused data stream to become twisted and kinked

From seth at remor.com Fri Jul 2 09:27:13 2010
From: seth at remor.com (Seth Hall)
Date: Fri, 2 Jul 2010 12:27:13 -0400
Subject: [Bro] 64-bit?
In-Reply-To: <20100630200230.GB63667@icir.org>
References: <63DE9DBE-06F0-4D52-9BB8-AF2FAA241707@remor.com> <4C2B9D52.6070805@sdsc.edu> <20100630200230.GB63667@icir.org>
Message-ID: <7565FD7C-72F0-4383-A828-4B1EA80594A1@remor.com>

On Jun 30, 2010, at 4:02 PM, Robin Sommer wrote:
> What's the broccoli issue? Can you file a tracker ticket for that
> please?

After some more investigation, here's the ticket:
http://tracker.icir.org/bro/ticket/256

.Seth

From ssakai at sdsc.edu Fri Jul 2 12:13:55 2010
From: ssakai at sdsc.edu (Scott Sakai)
Date: Fri, 02 Jul 2010 12:13:55 -0700
Subject: [Bro] 64-bit?
In-Reply-To:
References: <63DE9DBE-06F0-4D52-9BB8-AF2FAA241707@remor.com> <4C2B9D52.6070805@sdsc.edu> <782837E2-FBC5-4845-9549-9C5FBCC1C9E9@remor.com> <4C2BBA6B.4010806@sdsc.edu>
Message-ID: <4C2E3A73.4070802@sdsc.edu>

On 06/30/2010 07:16 PM, Seth Hall wrote:
>
> On Jun 30, 2010, at 5:43 PM, Scott Sakai wrote:
>
>> I encountered underruns and corruption while using bropipe to send
>> datatypes involving an int (count, port...) to Bro. The underlying issue
>> seems to be that broccoli is sending a 32-bit int and Bro is expecting a
>> 64-bit one.
>
> Did you have Bro built with --enable-int64?

Initially I did. That seems to be what caused the problem. Rebuilding without
--enable-int64 appears to have resolved the underrun errors in bro.

--
Scott Sakai
Security Analyst
San Diego Supercomputer Center
ssakai at sdsc.edu
+1-858-822-0851

From seth at remor.com Fri Jul 2 12:28:04 2010
From: seth at remor.com (Seth Hall)
Date: Fri, 2 Jul 2010 15:28:04 -0400
Subject: [Bro] 64-bit?
In-Reply-To: <4C2E3A73.4070802@sdsc.edu>
References: <63DE9DBE-06F0-4D52-9BB8-AF2FAA241707@remor.com> <4C2B9D52.6070805@sdsc.edu> <782837E2-FBC5-4845-9549-9C5FBCC1C9E9@remor.com> <4C2BBA6B.4010806@sdsc.edu> <4C2E3A73.4070802@sdsc.edu>
Message-ID:

On Jul 2, 2010, at 3:13 PM, Scott Sakai wrote:
> Initially I did. That seems to be what caused the problem.
> Rebuilding without --enable-int64 appears to have resolved the underrun
> errors in bro.

Yet another ticket needs filed for that one.

.Seth

From talebihossain at yahoo.com Sat Jul 10 17:32:36 2010
From: talebihossain at yahoo.com (hossain talebi)
Date: Sat, 10 Jul 2010 17:32:36 -0700 (PDT)
Subject: [Bro] Error in install-brolite
Message-ID: <390362.63396.qm@web38604.mail.mud.yahoo.com>

Hi, I'm trying to install bro-1.4:

1. ./configure ... no error
2. make ... no error
3. make install ... no error
4. make install-brolite ...

...
make[1]: Leaving directory `/root/Download/bro-1.4/aux'
/bin/chown -R `cat scripts/bro_user_id` /usr/local/bro/
cat: scripts/bro_user_id: No such file or directory
/bin/chown: missing operand after `/usr/local/bro/'
Try `/bin/chown --help' for more information.
make: [install-brolite] Error 1 (ignored)
*********************************************************
Please run "/usr/local/bro/etc/bro.rc --start" to start bro
*********************************************************

It does not create the file "$BROHOME/etc/bro.cfg". Please help me resolve this problem.

From seth at remor.com Sun Jul 11 06:22:37 2010
From: seth at remor.com (Seth Hall)
Date: Sun, 11 Jul 2010 09:22:37 -0400
Subject: [Bro] Error in install-brolite
In-Reply-To: <390362.63396.qm@web38604.mail.mud.yahoo.com>
References: <390362.63396.qm@web38604.mail.mud.yahoo.com>
Message-ID:

On Jul 10, 2010, at 8:32 PM, hossain talebi wrote:
> 4.make install-brolite

BroLite has been deprecated for a while now and I believe it's actually broken in 1.4. You would be much better served by using Bro 1.5 and BroControl.
Here is a document about working with BroControl:
http://svn.icir.org/bro/releases/release_1_5/bro/aux/broctl/README.html

.Seth

From talebihossain at yahoo.com Sun Jul 11 14:27:44 2010
From: talebihossain at yahoo.com (hossain talebi)
Date: Sun, 11 Jul 2010 14:27:44 -0700 (PDT)
Subject: [Bro] Error in install-brolite
In-Reply-To:
Message-ID: <157999.98072.qm@web38603.mail.mud.yahoo.com>

I'm using Bro 1.5 and ran './configure' without error, but running 'make' gives the following error:

make[4]: Leaving directory `/root/Download/bro-1.5/aux/broccoli'
Making all in broctl
make[4]: Entering directory `/root/Download/bro-1.5/aux/broctl'
make[4]: *** No rule to make target `all'.  Stop.
make[4]: Leaving directory `/root/Download/bro-1.5/aux/broctl'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory `/root/Download/bro-1.5/aux'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/root/Download/bro-1.5/aux'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/root/Download/bro-1.5'
make: *** [all] Error 2

Now how to resolve this problem?

From seth at remor.com Mon Jul 12 06:50:39 2010
From: seth at remor.com (Seth Hall)
Date: Mon, 12 Jul 2010 09:50:39 -0400
Subject: [Bro] Error in install-brolite
In-Reply-To: <157999.98072.qm@web38603.mail.mud.yahoo.com>
References: <157999.98072.qm@web38603.mail.mud.yahoo.com>
Message-ID: <8EA2ACAF-307D-4781-AC9E-9BC413D94968@remor.com>

On Jul 11, 2010, at 5:27 PM, hossain talebi wrote:
> I'm using Bro 1.5 and run './configure' without error but run 'make' get following error:

You didn't actually include the error that occurred. You need to include more of the text above what you sent last time.

.Seth

From estrada.veronica at gmail.com Mon Jul 12 09:46:21 2010
From: estrada.veronica at gmail.com (Veronica Estrada)
Date: Tue, 13 Jul 2010 01:46:21 +0900
Subject: [Bro] Differences in processing multiple traces with BRO and ipsumdump
In-Reply-To: <4C2E0C55.7060108@lbl.gov>
References: <201006261600.o5QG0WBW022937@pork.ICSI.Berkeley.EDU> <4C2E0C55.7060108@lbl.gov>
Message-ID:

Dear Jim/Vern,

Sorry for the delayed answer. I found that ipsumdump has problems with some specific files no matter the number of pcap files, but, of course, using a large number of input files increases the chance of having problems (unfortunately I cannot figure out the reason). I tried to use tcpslice instead, but my server crashed twice, apparently due to tcpslice trying to merge 300 files. I couldn't test it again, to avoid problems. Any help is welcome, but it doesn't seem timestamp order is the problem in my case. My goal is to provide BRO with enough input data for recognizing complete connections, detecting protocols and avoiding any weird activity caused by split connections among several pcap files.
Thank you,

Veronica Estrada
Nakao Laboratory - Network Systems Research Group
University of Tokyo

From seth at remor.com Mon Jul 12 12:03:16 2010
From: seth at remor.com (Seth Hall)
Date: Mon, 12 Jul 2010 15:03:16 -0400
Subject: [Bro] Differences in processing multiple traces with BRO and ipsumdump
In-Reply-To:
References: <201006261600.o5QG0WBW022937@pork.ICSI.Berkeley.EDU> <4C2E0C55.7060108@lbl.gov>
Message-ID: <54566C41-3AAB-4BC1-98D6-5A63BC331346@remor.com>

On Jul 12, 2010, at 12:46 PM, Veronica Estrada wrote:
> Sorry for the delayed answer. I found that ipsumdump has problems with some specific files no matter the number of pcap files

I suppose this means that you don't know of any specific differences in the problematic trace files?
.Seth

From scdlbx at gmail.com Tue Jul 13 19:39:14 2010
From: scdlbx at gmail.com (Ben Rosenberg)
Date: Tue, 13 Jul 2010 19:39:14 -0700
Subject: [Bro] First use of Bro
Message-ID:

Hi,

I've recently begun using Bro and have found it to be a very interesting tool to work with. I have started poking around some of the scripts and trying a few of the exercises in the slides from the 2009 Bro workshop. So far everything is working well.

I have created a few patches to fix small problems I had or add features that I was looking for. I have attached these patches so that others can use them if they find them useful. I am working off of svn build 7050. Here is the list of changes I have made so far:

- Patched main.cc to add the -N command line flag. This effectively enables BRO_FAKE_DNS for that run. I think this is more useful than using an environment variable because the flags are listed in the command line help, and it makes it easier to change from run to run without manipulating environment variables.
- Removed duplicate login_non_failure_msgs from policy/login.bro. The same block was listed twice, one with &redef and the other without. Seemed superfluous.
- Commented out example in policy/scan.bro. It doesn't seem like making the example value live added any value, and could possibly cause problems.
- Edited policy/ssh.bro to print what port is being used for ssh servers. Also changed the data structure that tracks the servers to allow for multiple ssh servers on the same system. I found this useful when using dpd.
- Created policy/dpd.ssh.bro that tells ssh to capture on all tcp ports.
- Changed src/DPM.cc so that the SSH Analyzer is hooked into the analyzer tree, so that when using dpd.ssh.bro, ssh servers running on any tcp port are detected.

There are still some more features I plan to work on.
Depending on how difficult it would be, I want to add the ability to hook an analyzer into the analyzer tree via script, so that the source doesn't need to be edited for each. Or so that functionality could be toggled on or off depending on need.

I also started to convert the 6000+ Nmap service probe signatures into dpd signatures. I have an initial list, but a lot of the Nmap regexes cause problems with Bro. I am going to try to clean those up so that they can be usable with Bro.

For the scripts that send packets, such as terminate-connection.bro and the scripts that load it, I want to rewrite them so they can run in either Active or Passive mode. In Passive mode they wouldn't send any packets, which would be the default behavior. I know that currently the default behavior is similar to this, but being able to designate individual scripts to be active or passive, or knowing for sure that all scripts are being passive, could be useful and allow for more control.

I have a few more simple ideas that I will try to get working, and I will probably think of more as I experiment more with Bro. Any feedback would be greatly appreciated. Thanks for making such a great tool, using it has been very fun and interesting so far and I hope to learn more from it.

Thanks,
Ben Rosenberg

(Attachments: main.cc.patch, login.bro.patch, scan.bro.patch, dpd.ssh.bro, DPM.cc.patch, ssh.bro.patch)

From estrada.veronica at gmail.com Wed Jul 14 03:29:03 2010
From: estrada.veronica at gmail.com (Veronica Estrada)
Date: Wed, 14 Jul 2010 19:29:03 +0900
Subject: [Bro] Differences in processing multiple traces with BRO and ipsumdump
In-Reply-To: <54566C41-3AAB-4BC1-98D6-5A63BC331346@remor.com>
References: <201006261600.o5QG0WBW022937@pork.ICSI.Berkeley.EDU> <4C2E0C55.7060108@lbl.gov> <54566C41-3AAB-4BC1-98D6-5A63BC331346@remor.com>
Message-ID:

Actually, this problem is more related to ipsumdump. However, it can affect BRO input, so I briefly explain my findings, and we can discuss further details by e-mail.

I've just tested ipsumdump with different traces. I used Ipsumdump 1.78 (libclick-1.7.0) on Fedora 8.
Using Wireshark I saw that my files contain some malformed packets, particularly packets for the Ethernet and FC (Fibre Channel) protocols. I found that FC malformed packets are not a problem for ipsumdump. But in the case of Ethernet malformed packets, ipsumdump cannot correctly handle files that contain this type of malformed packet. I corroborated with my tcpslice experiments that it can deal with them. The situation may be a problem if the user doesn't notice the presence of Ethernet malformed packets and ipsumdump is used in quiet mode inside a script, since no error messages are printed.

At first, I noticed the problem in the progress bar printed by ipsumdump, because the progress bar splits into several partial bars and eventually reaches 100%. The bar does not split when using input files that don't contain ETH malformed packets. A user can check the size of the output file, but recognizing the error in this way may be subtle because the size can be different if the input pcap files overlap.

A good thing about ipsumdump is that it can deal with a terabyte output and hundreds of input files. On the other hand, when I use tcpslice, the server crashed (probably because of the tcpslice process).

Veronica Estrada
Nakao Laboratory - Network Systems Research Group
University of Tokyo

From seth at remor.com Wed Jul 14 05:06:35 2010
From: seth at remor.com (Seth Hall)
Date: Wed, 14 Jul 2010 08:06:35 -0400
Subject: [Bro] First use of Bro
In-Reply-To:
References:
Message-ID: <4CBF457A-921F-43FF-A880-9FEFE03B62D3@remor.com>

On Jul 13, 2010, at 10:39 PM, Ben Rosenberg wrote:
> I have started poking around some of the scripts and trying a few of the exercises in the slides from the 2009 Bro workshop. So far everything is working well.

Cool!

> I have created a few patches to fix small problems I had or add features that I was looking for.

Even cooler!

> - Patched main.cc to add the -N command line flag.
> - Removed duplicate login_non_failure_msgs from policy/login.bro.
> - Commented out example in policy/scan.bro.
> - Edited policy/ssh.bro to print what port is being used for ssh servers.
> - Created policy/dpd.ssh.bro that tells ssh to capture on all tcp ports.
> - Changed src/DPM.cc so that the SSH Analyzer is hooked into the analyzer tree

It would be best to submit these as patch tickets into the tracker at:
http://tracker.icir.org/bro/

I'll coordinate with you off-list for getting a tracker account set up. We removed the ability for people to create their own accounts due to abuse.

> I also started to convert the 6000+ Nmap service probe signatures into dpd signatures.

Unfortunately, without a corresponding analyzer the most you can do is log what protocol was possibly seen on the connection. I've thought of doing the same thing before and it's pretty easy at least. The only reason I stopped was that there weren't too many worthwhile protocols, but I was looking at the regexes from the l7-filters project. Maybe the nmap signatures are better?

I have a set of scripts you may be interested in checking out at:
http://github.com/sethhall/bro_scripts

Let me know if you have any questions.

.Seth

From ahutton at lbl.gov Fri Jul 16 10:09:56 2010
From: ahutton at lbl.gov (Anne Hutton)
Date: Fri, 16 Jul 2010 10:09:56 -0700
Subject: [Bro] job opportunities at LBNL
Message-ID:

Hi,

LBNL is looking to recruit a Security Engineer or two.... For details and how to apply see:
http://jobs.lbl.gov/details.asp?jid=24661&p=1

Summary

Berkeley Lab, a pioneer in scientific research, has an immediate opening for a Cyber Security Engineer. The person holding this position will be a member of the LBNL Computer Protection Program (CPP) which provides cyber security services and support to Berkeley Lab - an unclassified, university-like computing environment.
The primary responsibilities of this position are to improve the Lab's cyber protection mechanisms, perform network traffic analysis, respond to and resolve cyber security incidents, and provide technical expertise, especially in the area of system protection (unix, windows). In addition, participation is expected in all aspects of computer protection that will further the mission of the Lab, such as participation in: uncovering computer and network vulnerabilities in the LBNL environment, reducing the risk incurred by vulnerabilities, infusing new security technologies into the Laboratory environment, and promoting security awareness and training. Solid interpersonal skills and the ability to work effectively in a team environment are a must.

Specifically, this position will:

- Perform cyber security monitoring and analysis, incident response, and the forensic analysis and resolution of cyber security incidents.
- Investigate new technologies and processes to enhance cyber security capabilities, and implement necessary improvements.
- Participate in the installation, configuration and management of CPP maintained hardware and software.

--
Anne Hutton
Computer Protection Program
Lawrence Berkeley National Laboratory
(510) 495-2681

From urbanski at vt.edu Mon Jul 19 14:21:45 2010
From: urbanski at vt.edu (Urbanski, William)
Date: Mon, 19 Jul 2010 17:21:45 -0400
Subject: [Bro] Bro on FreeBSD 8.0 amd64
Message-ID: <9A646756E263F34F8AC6F88883AA8250296C125FFC@fangorn.cc.w2k.vt.edu>

Hi,

I'm trying to get BRO installed on FreeBSD amd64. I am having the same issue that kreibich outlined here:
http://tracker.icir.org/bro/ticket/256

I've tried compiling broccoli and then compiling bro, but for some reason the main bro build script keeps trying to build broccoli and subsequently failing.
Where/how should I include -enable-int64 or -fPIC to get this to build???

Thanks!
Will Urbanski

From soehlert at ncsa.uiuc.edu Thu Jul 22 13:41:10 2010
From: soehlert at ncsa.uiuc.edu (Sam Oehlert)
Date: Thu, 22 Jul 2010 15:41:10 -0500 (CDT)
Subject: [Bro] Script Must Be Run On Manager Node
Message-ID: <1304142600.130946.1279831270243.JavaMail.root@zimbra-1.ncsa.uiuc.edu>

I have a bro cluster set up (or mostly set up) on CentOS 5.5. I am using svn version 7048. I try to run /usr/local/bro/bin/broctl start and it replies with ERROR: Script must be run on manager node. I saw someone else with this issue who added some things to PATH, which I tried, and it still did not work. Does anyone know what could cause this?

Thanks,
Sam

From seth at remor.com Thu Jul 22 18:04:44 2010
From: seth at remor.com (Seth Hall)
Date: Thu, 22 Jul 2010 21:04:44 -0400
Subject: [Bro] Script Must Be Run On Manager Node
In-Reply-To: <1304142600.130946.1279831270243.JavaMail.root@zimbra-1.ncsa.uiuc.edu>
References: <1304142600.130946.1279831270243.JavaMail.root@zimbra-1.ncsa.uiuc.edu>
Message-ID: <8748BDB0-2825-4B6D-9A07-35F1072BC13F@remor.com>

On Jul 22, 2010, at 4:41 PM, Sam Oehlert wrote:
> I try to run /usr/local/bro/bin/broctl start and it replies with ERROR: Script must be run on manager node.

Could you send along the contents of your /usr/local/bro/etc/node.cfg file? That might help us figure out what's going on.

Thanks,
.Seth

From JAzoff at uamail.albany.edu Thu Jul 22 18:19:52 2010
From: JAzoff at uamail.albany.edu (Justin Azoff)
Date: Thu, 22 Jul 2010 21:19:52 -0400
Subject: [Bro] Script Must Be Run On Manager Node
In-Reply-To: <1304142600.130946.1279831270243.JavaMail.root@zimbra-1.ncsa.uiuc.edu>
References: <1304142600.130946.1279831270243.JavaMail.root@zimbra-1.ncsa.uiuc.edu>
Message-ID: <20100723011952.GM2981@datacomm.albany.edu>

On Thu, Jul 22, 2010 at 04:41:10PM -0400, Sam Oehlert wrote:
> I have a bro cluster set up (or mostly set up) on CentOS 5.5.
> I am using svn version 7048. I try to run /usr/local/bro/bin/broctl start
> and it replies with ERROR: Script must be run on manager node. I saw
> someone else with this issue who added some things to PATH, which I
> tried, and it still did not work. Does anyone know what could cause
> this?

Two reasons:

1. You used 'localhost' or something in node.cfg.. I've had the best luck using plain IP addresses.

2. broctl can't find ifconfig - this is often a problem with cron. My bro crontab looks like:

PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
0-59/5 * * * * root /usr/local/bro/bin/broctl cron

--
-- Justin Azoff
-- Network Security & Performance Analyst

From soehlert at ncsa.uiuc.edu Fri Jul 23 07:48:27 2010
From: soehlert at ncsa.uiuc.edu (Sam Oehlert)
Date: Fri, 23 Jul 2010 09:48:27 -0500 (CDT)
Subject: [Bro] Script Must Be Run On Manager Node
In-Reply-To: <8748BDB0-2825-4B6D-9A07-35F1072BC13F@remor.com>
Message-ID: <1790957365.135645.1279896507411.JavaMail.root@zimbra-1.ncsa.uiuc.edu>

I thought I had, I'm sorry. I did get it figured out though; my PATH was set incorrectly and ignored /sbin, so it couldn't find ifconfig.

Thanks,
Sam

From soehlert at ncsa.uiuc.edu Fri Jul 23 10:39:14 2010
From: soehlert at ncsa.uiuc.edu (Sam Oehlert)
Date: Fri, 23 Jul 2010 12:39:14 -0500 (CDT)
Subject: [Bro] No Work Dir Found
Message-ID: <1824159248.137110.1279906754123.JavaMail.root@zimbra-1.ncsa.uiuc.edu>

I have tried to read through all the documentation and whatnot, but I don't see anything about this topic. I have bro starting fine now; however, it always quits because it says no work dir found on all of the workers. Do I need to specify a directory for it to use? How do I do that?

Sam

From JAzoff at uamail.albany.edu Fri Jul 23 10:49:39 2010
From: JAzoff at uamail.albany.edu (Justin Azoff)
Date: Fri, 23 Jul 2010 13:49:39 -0400
Subject: [Bro] No Work Dir Found
In-Reply-To: <1824159248.137110.1279906754123.JavaMail.root@zimbra-1.ncsa.uiuc.edu>
References: <1824159248.137110.1279906754123.JavaMail.root@zimbra-1.ncsa.uiuc.edu>
Message-ID: <20100723174935.GA27397@datacomm.albany.edu>

On Fri, Jul 23, 2010 at 01:39:14PM -0400, Sam Oehlert wrote:
> I have tried to read through all the documentation and whatnot, but I
> don't see anything about this topic. I have bro starting fine now,
> however, it always quits because it says no work dir found on all of
> the workers. Do I need to specify a directory for it to use? How do I
> do that?

Did you run 'install' in broctl?

--
-- Justin Azoff
-- Network Security & Performance Analyst

From soehlert at ncsa.uiuc.edu Fri Jul 23 11:03:17 2010
From: soehlert at ncsa.uiuc.edu (Sam Oehlert)
Date: Fri, 23 Jul 2010 13:03:17 -0500 (CDT)
Subject: [Bro] No Work Dir Found
In-Reply-To: <20100723174935.GA27397@datacomm.albany.edu>
Message-ID: <313857920.137247.1279908197745.JavaMail.root@zimbra-1.ncsa.uiuc.edu>

I managed to fix the no work dir found problem (silly permissions issues and ssh-keys). I run broctl check and everything says ok.
I then try to start and everything starts ok, but then all of the workers immediately fail due to an error at line 67 of /usr/local/bro/share/bro/drop.bro:

internal error: NB-DNS error in DNS_Mgr::WaitForReplies (recvfrom(): Connection refused)

It doesn't make sense to me because it seems like it's saying it has DNS issues, but DNS works in every other aspect (ping, browser).

Sam

From robin at icir.org Mon Jul 26 09:26:40 2010
From: robin at icir.org (Robin Sommer)
Date: Mon, 26 Jul 2010 09:26:40 -0700
Subject: [Bro] No Work Dir Found
In-Reply-To: <313857920.137247.1279908197745.JavaMail.root@zimbra-1.ncsa.uiuc.edu>
References: <20100723174935.GA27397@datacomm.albany.edu> <313857920.137247.1279908197745.JavaMail.root@zimbra-1.ncsa.uiuc.edu>
Message-ID: <20100726162640.GF52703@icir.org>

On Fri, Jul 23, 2010 at 13:03 -0500, Sam Oehlert wrote:
> internal error: NB-DNS error in DNS_Mgr::WaitForReplies (recvfrom(): Connection refused)

Yes, this does look like DNS issues.

> DNS issues, but DNS works in every other aspect (ping, browser).

Hmm, that's weird. I presume you did verify this on the actual worker systems, not just on the manager, correct?
Robin

--
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From soehlert at ncsa.uiuc.edu Mon Jul 26 09:28:20 2010
From: soehlert at ncsa.uiuc.edu (Sam Oehlert)
Date: Mon, 26 Jul 2010 11:28:20 -0500 (CDT)
Subject: [Bro] No Work Dir Found
In-Reply-To: <20100726162640.GF52703@icir.org>
Message-ID: <1050437451.144001.1280161700573.JavaMail.root@zimbra-1.ncsa.uiuc.edu>

Yes, I ran into the same problem on 4 workers as well as the server, and another 3-machine cluster elsewhere on the network. Could it be something in the configurations?

Sam
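An added example for the trace-stitching thread earlier in this digest (Jim Mellander's tcpsort, and Veronica Estrada's report that ipsumdump silently mishandles files containing malformed Ethernet frames); it is not code from either poster or from the Bro or ipsumdump projects. It merges classic pcap files in timestamp order while validating every record header, so truncated records, runt Ethernet frames and inconsistent capture lengths are counted and reported rather than passing silently, and the k-way merge holds one pending record per input file, which goes beyond the in-memory timestamp sort Jim describes. The file names and the two captures are constructed assumptions, not real traces.

```python
"""Timestamp-ordered merge of classic pcap files that reports, rather than
silently mishandles, malformed records. Added example for the tcpsort /
ipsumdump thread in this digest, not code from either poster or project.
Classic libpcap format only (magic 0xa1b2c3d4, microsecond stamps), no pcapng."""
import heapq
import struct

PCAP_MAGIC = 0xA1B2C3D4
GLOBAL_HDR_LEN, REC_HDR_LEN, ETH_HDR_LEN = 24, 16, 14
LINKTYPE_ETHERNET = 1


class PcapReader:
    """Yield (timestamp_usec, record_header, frame) from one pcap blob,
    checking every record header instead of trusting it."""

    def __init__(self, name, data):
        self.name, self.data = name, data
        self.stats = {"ok": 0, "short_frame": 0, "bad_caplen": 0, "truncated": 0}
        # The magic number, as written, reveals the file's byte order.
        self.endian = "<" if data[:4] == struct.pack("<I", PCAP_MAGIC) else ">"
        if data[:4] != struct.pack(self.endian + "I", PCAP_MAGIC):
            raise ValueError(f"{name}: not a classic pcap file")
        self.header = data[:GLOBAL_HDR_LEN]
        self.snaplen, self.linktype = struct.unpack(self.endian + "IHHiIII", self.header)[5:]

    def records(self):
        pos = GLOBAL_HDR_LEN
        while pos < len(self.data):
            hdr = self.data[pos:pos + REC_HDR_LEN]
            if len(hdr) < REC_HDR_LEN:          # trailing bytes, no full header
                self.stats["truncated"] += 1
                return
            ts_sec, ts_usec, caplen, origlen = struct.unpack(self.endian + "IIII", hdr)
            frame = self.data[pos + REC_HDR_LEN:pos + REC_HDR_LEN + caplen]
            pos += REC_HDR_LEN + caplen
            if len(frame) < caplen:             # file ends inside this frame
                self.stats["truncated"] += 1
                return
            if caplen > self.snaplen or caplen > origlen:   # header contradicts itself
                self.stats["bad_caplen"] += 1
                continue
            if self.linktype == LINKTYPE_ETHERNET and caplen < ETH_HDR_LEN:
                self.stats["short_frame"] += 1  # runt: not even an Ethernet header
                continue
            self.stats["ok"] += 1
            yield ts_sec * 1_000_000 + ts_usec, hdr, frame


def merge_pcaps(inputs):
    """K-way merge of [(name, bytes), ...] by timestamp. Only one pending record
    per input is held (unlike sorting every timestamp up front); each input is
    assumed internally ordered, and any record still out of order is counted."""
    readers = [PcapReader(n, d) for n, d in inputs]
    for r in readers[1:]:
        if (r.endian, r.linktype) != (readers[0].endian, readers[0].linktype):
            raise ValueError(f"{r.name}: byte order or linktype differs from {readers[0].name}")
    streams = [r.records() for r in readers]
    heap = []
    for i, st in enumerate(streams):
        rec = next(st, None)
        if rec is not None:
            heap.append((rec[0], i, rec))   # i breaks ties, so records never compare
    heapq.heapify(heap)
    out, stats, last_ts = bytearray(readers[0].header), {"records": 0, "out_of_order": 0}, -1
    while heap:
        ts, i, (_, hdr, frame) = heapq.heappop(heap)
        if ts < last_ts:
            stats["out_of_order"] += 1
        last_ts = max(last_ts, ts)
        out += hdr + frame
        stats["records"] += 1
        rec = next(streams[i], None)
        if rec is not None:
            heapq.heappush(heap, (rec[0], i, rec))
    stats.update({r.name: r.stats for r in readers})
    return bytes(out), stats


def make_pcap(frames, truncate_last=False):
    """Build a little-endian Ethernet pcap from (sec, usec, frame) tuples.
    Constructed test data, not a real capture."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for sec, usec, frame in frames:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return bytes(out[:-5] if truncate_last else out)   # chop tail: incomplete last record


FRAME = bytes(range(ETH_HDR_LEN)) + b"payload"   # 21 bytes: Ethernet header plus data
RUNT = b"\x00" * 6                                 # shorter than an Ethernet header
# Two overlapping captures, as a connection split across files would produce.
CAP_A = make_pcap([(100, 0, FRAME), (100, 500, FRAME), (101, 0, FRAME)])
CAP_B = make_pcap([(100, 250, FRAME), (100, 750, RUNT), (102, 0, FRAME)], truncate_last=True)


def demo():
    """Merge the two constructed captures; returns (merged_bytes, stats)."""
    return merge_pcaps([("a.pcap", CAP_A), ("b.pcap", CAP_B)])
```

In the constructed run, b.pcap's runt frame and its truncated last record show up in the per-file counters while the four valid records come out in timestamp order; a wrapper script would refuse to feed the output to Bro when any counter other than "ok" is non-zero.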