[Bro] barnyard2's error: "Unknown output plugin: "alert_bro" " (snort + barnyard2 + bro)

Siwek, Jonathan Luke jsiwek at illinois.edu
Fri Apr 13 09:41:06 PDT 2012


> 
> I'm trying barnyard2-1.9 to send snort alerts as events to a bro instance. 
> 
> When building barnyard2, everything looks OK. 
> (For successfully compiling spo_alert_bro.c, I deleted the "#ifdef BROCCOLI" statement in spo_alert_bro.c, and added the dir of broccoli.h to INCLUDE)
> 
> However, when barnyard2 started up, the "alert_bro" plugin cannot be found :(

There should be another "#ifdef BROCCOLI" in plugbase.c that you might have missed.  However, you shouldn't have to modify code directly if you use the configure options to enable the bro output plugin:

    ./configure --enable-bro --with-broccoli=/usr/local/bro

There were also some bugs I found in the Bro output plugin that prevent it from working with the Bro 2.0 release, but I think I have them fixed and have a pending pull request here:

    https://github.com/firnsy/barnyard2/pull/25

So if you'd still want to play around with getting this to work, use my git version of Barnyard2 and the current git version of Bro.

The other thing that's not well documented anywhere is how to configure the listening Bro node to request the right events from the Barnyard2 Broccoli client.  Here's the Bro script I used when testing:

    @load policy/frameworks/communication/listen
    @load policy/integration/barnyard2
    redef Communication::nodes += {
        ["local"] = [$host=127.0.0.1, $class="barnyard", $events=/Barnyard2::barnyard_alert/, $connect = F]
    };

+Jon
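
Added example, not part of the original message and not barnyard2 source: a simplified C model of why deleting the `#ifdef BROCCOLI` guard in the plugin file alone still ends in "Unknown output plugin" when the registration list keeps its own guard. All function names are hypothetical; only the `BROCCOLI` macro and the plugin keyword come from the thread.

```c
/* Simplified model of compile-time plugin gating. Not barnyard2 source:
 * every function name here is hypothetical. */
#include <stdio.h>
#include <string.h>

#define MAX_PLUGINS 8
static const char *registry[MAX_PLUGINS];
static int registry_len;

static void register_output_plugin(const char *keyword)
{
    if (registry_len < MAX_PLUGINS)
        registry[registry_len++] = keyword;
}

/* Plugin source file: its own "#ifdef BROCCOLI" has been deleted, so this
 * always compiles, as in the hand-edited build described in the thread. */
static void alert_bro_setup(void) { register_output_plugin("alert_bro"); }
static void alert_fast_setup(void) { register_output_plugin("alert_fast"); }

/* Plugin base: the registration list carries a second, separate guard. */
static void init_output_plugins(void)
{
    registry_len = 0;
    alert_fast_setup();
#ifdef BROCCOLI
    alert_bro_setup();
#else
    (void)alert_bro_setup;   /* compiled in, never registered */
#endif
}

/* Returns 1 if the config keyword resolves to a registered plugin. */
static int output_plugin_known(const char *keyword)
{
    init_output_plugins();
    for (int i = 0; i < registry_len; i++)
        if (strcmp(registry[i], keyword) == 0)
            return 1;
    return 0;
}

int main(void)
{
    const char *kw = "alert_bro";
    if (!output_plugin_known(kw))
        printf("Unknown output plugin: \"%s\"\n", kw);
    else
        printf("output plugin \"%s\" registered\n", kw);
    return 0;
}
```

Compiling this model with `-DBROCCOLI` makes the same lookup succeed, which is why a single consistent build-time switch is safer than removing guards file by file.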
