[Bro] Nodes still crashing/Site specific files

Richards, James L - DOA James.Richards at wisconsin.gov
Fri Jun 14 07:57:08 PDT 2013 

OK, now I think I have that figured out.

I ran ./configure --prefix=/usr/local/bro --with-pcap=/usr/local/pfring
Then make, make install, chown -R etc.

It is no longer giving me the libpcap in diag, but I am now getting:

fatal error: /usr/local/bro/bin/bro: problem with interface eth4 - pcap_open_live: eth4: You don't have permission to capture on that device (socket: Operation not permitted)

Am I getting closer, or am I further ruining this...

James Richards
Office of Security
Wisconsin Department of Administration
608.224.3880


-----Original Message-----
From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Richards, James L - DOA
Sent: Friday, June 14, 2013 8:45 AM
To: Siwek, Jonathan Luke
Cc: bro at bro.org
Subject: Re: [Bro] Nodes still crashing/Site specific files

Ahhh,

  We are running pfring, which is located in /usr/local/pfring/lib which shows up doing an ldconfig -v

/usr/local/pfring/lib:
        libpfring.so -> libpfring.so
        libpcap.so.1 -> libpcap.so.1.1.1

But I am seeing that  libpcap.so.0.8 is being referenced in the error,  is this the issue which has been plaguing me?

James Richards
Office of Security
Wisconsin Department of Administration
608.224.3880


-----Original Message-----
From: Siwek, Jonathan Luke [mailto:jsiwek at illinois.edu] 
Sent: Thursday, June 13, 2013 3:00 PM
To: Richards, James L - DOA
Cc: bro at bro.org
Subject: Re: [Bro] Nodes still crashing/Site specific files


On Jun 13, 2013, at 2:04 PM, "Richards, James L - DOA" <James.Richards at wisconsin.gov>
 wrote:

> /usr/local/bro/bin/bro: error while loading shared libraries: libpcap.so.0.8: cannot open shared object file: No such file or directory

That usually means the linker can't resolve a path to that library.  Did you link against a libpcap that's installed in a non-standard path?  If `ldd /usr/local/bro/bin/bro` tells you it can't find libpcap, it's either really missing from your system or you need to teach the linker how to find it in a non-standard path.

> In looking at the below diag...  I am seeing an odd directory showing up in the BROPATH,  it looks like there are some artifacts of previous installations...
> 
> Where is the BROPATH set?

Check your etc/broctl.cfg to see if the paths are as you expect.  I think at least SpoolDir goes in to BROPATH and if you just copied the file from a previous install, then it's going to be wrong.

- Jon

_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

More information about the Bro mailing list