[Bro] Basic Question

Justin Thomas justin at justinthomas.name
Thu Dec 6 08:56:52 PST 2012


From here:
http://www-old.bro-ids.org/wiki/index.php/Reference_Manual:_Analyzers_and_Events

I guess the "old" in the URL should have tipped me off. I had some trouble
finding descriptions of built-in events, so I just grabbed the first thing
that looked reasonable. I'll look over the document you linked below. I did
try using the "new_connection" event with similar results (i.e., none), so
your comment on the cluster configuration may also be a sticking point for
me.

I'll look over my configuration with that note about the manager not
generating the protocol events in mind; I'm not sure on the specifics (if I
recall correctly, I think I configured it as a cluster for future expansion
but am only running on one machine right now).

On Thu, Dec 6, 2012 at 6:51 AM, Seth Hall <seth at icir.org> wrote:

>
> On Dec 6, 2012, at 12:55 AM, Justin Thomas <justin at justinthomas.name>
> wrote:
>
> > @event
> > def ssl_conn_attempt(connection, version, ciphers):
>
> Where did you get this event from?  That is an old event that was removed
> prior to the 2.0 release.  You can refer to the following link for all of
> our current (2.1 release) analyzer generated events:
>         http://bro-ids.org/documentation/scripts/base/event.bif.html
>
> Are you running Bro with BroControl in standalone mode too?  If you run a
> cluster and you only connect to your manager you won't see these events
> either because the protocol events aren't being generated on the manager.
>  It looks like you're doing the right things in your python script though.
>
>   .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>
>