[Bro] Problem with Broccoli connection

Daniel Wyschogrod dwyschogrod at bbn.com
Mon Dec 3 06:34:04 PST 2012 

Seth,

Thanks for the quick reply.  Turns out that the missing colon was just a transcription error in hand copying the code to my email computer.  The original had two colons.  The problem seems to be that the instance of Bro never sees the connection from Broccoli.  There's no indication in the logs that the connection was attempted and the barnyard2 instance dies with the message:

        --== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/home/dwyschogrod/suricata-local/etc/barnyard2.conf"
Log directory = /home/dwyschogrod/suricata-local/logs
alert_bro Connecting to Bro (127.0.0.1:12345)...ERROR: failed!
Could not connect to Bro!
Fatal Error, Quitting..


The latest version of my local.bro code (I've changed the listen_port):

@load policy/frameworks/communication/listen
redef Communication::listen_port = 12345/tcp;
#redef Communication::listen_interface = 127.0.0.1;
redef Communication::listen_ssl = F;
@load policy/integration/barnyard2
redef Communication::nodes += {
        ["local"] = [$host=127.0.0.1, $class="barnyard", $events=/Barnyard2::.*/, $connect = F, $ssl = F]
    };

Thanks again for the help.

Dan
____________________
Dan Wyschogrod

Senior Scientist
Cyber Security
Raytheon/BBN Technologies

dwyschogrod at bbn.com




On Dec 3, 2012, at 8:53 AM, Seth Hall <seth at icir.org> wrote:

> 
> On Dec 3, 2012, at 12:04 AM, Seth Hall <seth at icir.org> wrote:
> 
>> 
>> On Dec 2, 2012, at 9:47 PM, Daniel Wyschogrod <dwyschogrod at bbn.com> wrote:
>> 
>>> 	["local"] = [$host=127.0.0.1, $class="barnyard",$events=/Barnyard2:barnyard_alert/,$connect=F]
>>> 	};
>> 
>> You need two commas in that event name. 
> 
> Arg!  Two colons. :)  You could even just use /Barnyard2::.*/
> 
>  .Seth
> 
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2593 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20121203/773db76d/attachment.bin

More information about the Bro mailing list