[Bro] Nodes still crashing/Site specific files

Oehlert, Samuel J soehlert at illinois.edu
Thu Jun 13 12:44:26 PDT 2013


There also seems to be an issue with your libpcap install. Whether it's not installed or bro is not looking in the right directory, if bro can't find libpcap, you won't get anywhere.

-Sam
-------
Sam Oehlert  <soehlert at illinois.edu>
(217) 300-1076
Security Engineer
National Center for Supercomputing Applications

On Jun 13, 2013, at 2:04 PM, "Richards, James L - DOA" <James.Richards at wisconsin.gov> wrote:

> When I do a broctl check all nodes come back as OK
> 
> When I do a broctl diag I get:
> 
> [worker-3-8]
> No gdb installed.
> 
> ==== No reporter.log
> 
> ==== stderr.log
> /usr/local/bro/bin/bro: error while loading shared libraries: libpcap.so.0.8: cannot open shared object file: No such file or directory
> 
> ==== stdout.log
> unlimited
> unlimited
> unlimited
> 
> ==== .cmdline
> -i eth4 -U .status -p broctl -p broctl-live -p local -p worker-3-8 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
> 
> ==== .env_vars
> PATH=/usr/local/bro/bin:/usr/local/bro/share/broctl/scripts:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
> BROPATH=/usr/local/bro-20121002/spool/installed-scripts-do-not-touch/site::/usr/local/bro-20121002/spool/installed-scripts-do-not-touch/auto:/usr/local/bro/share/bro:/usr/local/bro/share/bro/policy:/usr/local/bro/share/bro/site
> CLUSTER_NODE=worker-3-8
> 
> ==== No .status
> 
> ==== No prof.log
> 
> ==== No packet_filter.log
> 
> ==== No loaded_scripts.log
> 
> James Richards
> Office of Security
> Wisconsin Department of Administration
> 608.224.3880
> 
> 
> -----Original Message-----
> From: Siwek, Jonathan Luke [mailto:jsiwek at illinois.edu] 
> Sent: Thursday, June 13, 2013 1:06 PM
> To: Richards, James L - DOA
> Cc: bro at bro.org
> Subject: Re: [Bro] Nodes still crashing/Site specific files
> 
> 
> On Jun 13, 2013, at 11:03 AM, "Richards, James L - DOA" <James.Richards at wisconsin.gov> wrote:
> 
>> When performing a new installation, I would like to copy back my site-specific files with modifications, and it appears that some files live outside of the /usr/local/bro directory.
> 
> It can depend on how you configured/installed and on what OS, but if you're just doing a default build from source, then nothing should get installed outside /usr/local/bro.  What files did you find outside that dir?
> 
>>  Does anyone know offhand where I should look for these files?
> 
> This should be all of them:
> 
> /usr/local/bro/share/bro/site/local.bro 
> /usr/local/bro/share/bro/site/local-manager.bro 
> /usr/local/bro/share/bro/site/local-proxy.bro 
> /usr/local/bro/share/bro/site/local-worker.bro 
> /usr/local/bro/etc/broctl.cfg 
> /usr/local/bro/etc/networks.cfg 
> /usr/local/bro/etc/node.cfg 
> /usr/local/bro/etc/broccoli.conf
> 
>> I have performed a new install, then copied the files from a previous working version of bro from the /usr/local/previous-bro/share/bro/site and /usr/local/previous-bro/spool/ directories to the current bro install...  but all of my nodes crash upon issuing the START command from broctl.
> 
> Copying the spool dir between installs isn't typical.  But you could use `broctl diag` to get more info about why the nodes don't start.
> 
> - Jon
> 
> 
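Added example, not written by anyone in this thread: a small shell triage of the `broctl diag` sections quoted above. It pulls the unresolved shared library out of stderr.log and lists BROPATH entries that sit outside the install prefix. The function names are hypothetical, the sample input is constructed from the quoted diag output (PATH shortened), and the prefix /usr/local/bro is assumed from the PATH line.

```shell
#!/bin/sh
# Added example: triage helpers for the `broctl diag` sections quoted above.

# stdin: stderr.log text. Prints each soname the dynamic loader could not open.
missing_libs() {
    sed -n 's/.*error while loading shared libraries: \([^:]*\): cannot open shared object file.*/\1/p' | sort -u
}

# stdin: .env_vars text; $1: install prefix (assumed). Prints BROPATH entries
# that are not under that prefix; empty entries such as "::" are skipped.
foreign_bropath() {
    prefix=${1%/}
    sed -n 's/^BROPATH=//p' | tr ':' '\n' | while IFS= read -r dir; do
        case "$dir" in
            ''|"$prefix"/*) ;;
            *) printf '%s\n' "$dir" ;;
        esac
    done
}

# True if the loader cache on this host lists soname $1 (run it on the worker).
lib_in_cache() {
    ldconfig -p 2>/dev/null | grep -qF -- "$1 ("
}

# Constructed sample input, taken from the diag output in the thread.
SAMPLE_STDERR='/usr/local/bro/bin/bro: error while loading shared libraries: libpcap.so.0.8: cannot open shared object file: No such file or directory'
SAMPLE_ENV='PATH=/usr/local/bro/bin:/usr/sbin:/usr/bin
BROPATH=/usr/local/bro-20121002/spool/installed-scripts-do-not-touch/site::/usr/local/bro-20121002/spool/installed-scripts-do-not-touch/auto:/usr/local/bro/share/bro:/usr/local/bro/share/bro/policy:/usr/local/bro/share/bro/site
CLUSTER_NODE=worker-3-8'

# Print one line per finding for the sample above.
report() {
    for lib in $(printf '%s\n' "$SAMPLE_STDERR" | missing_libs); do
        if lib_in_cache "$lib"; then state='in loader cache here'; else state='NOT in loader cache here'; fi
        printf 'missing at start: %s (%s)\n' "$lib" "$state"
    done
    printf '%s\n' "$SAMPLE_ENV" | foreign_bropath /usr/local/bro | sed 's/^/BROPATH outside prefix: /'
}

report
```

On a real node, feed the worker's own stderr.log and .env_vars to the two parsers instead of the sample variables; `lib_in_cache` only describes the host it runs on.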