[Bro] broctl and filtering

Daniel Thayer dnthayer at illinois.edu
Fri Sep 20 13:39:29 PDT 2013


On 09/20/2013 08:13 AM, James Lay wrote:
> Hey all…trying to pass this:
>
> broargs = --filter not ip6
>
> a few different ways, but I'm not having much luck:
>
> broargs = --filter not ip6
> broargs = --filter 'not ip6'
> broargs = --filter "not ip6"
>
> ==== stderr.log
> error: can't open ip6
>
> or
>
> ==== stderr.log
> /usr/local/bro/share/broctl/scripts/broctl-config.sh: line 67: ip6: command not found
> error: can't open ip6
>
> ==== .cmdline
> -i eth1 -U .status -p broctl -p broctl-live -p standalone -p local -p bro local.bro broctl broctl/standalone broctl/auto --filter not ip6
>
> Any hints on how to pass the filter the right way?  Thanks all.
>
> James

You need to quote the value of the --filter option like this:

broargs = --filter 'not ip6'

There was a bug that was preventing this from working.
If you look in <prefix>/share/broctl/scripts (<prefix>
is your Bro install prefix), you can patch the following
scripts:


--- check-config.orig
+++ check-config
@@ -25,7 +25,7 @@ export PATH=${bindir}:${scriptsdir}:$PATH
  echo $@ >.cmdline
  touch .checking

-${bro} $@
+${bro} "$@"
  rc=$?

  if [ "$rc" == "0" ] && [ "$print_scripts" == "1" ]; then
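Review bot: The context line `echo $@ >.cmdline` just above the changed line still expands `$@` unquoted, so the .cmdline record is flattened and looks identical whether `not ip6` arrived as one argument or as two, as the .cmdline output quoted earlier in this thread shows. If nothing parses that file as a single line, consider `printf '%s\n' "$@" >.cmdline` so argument boundaries are visible when debugging. `${bro}` on the changed line is also still unquoted.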
--- helpers/start.orig
+++ helpers/start
@@ -9,7 +9,7 @@ shift

  rm -f .pid

-nohup ${scriptsdir}/run-bro $@ >stdout.log 2>stderr.log &
+nohup ${scriptsdir}/run-bro "$@" >stdout.log 2>stderr.log &

  while [ ! -s .pid ]; do
     sleep 1
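Review bot: On the changed line `${scriptsdir}/run-bro` is still unquoted, so a scripts directory containing whitespace would be split the same way the filter expression was; suggest `nohup "${scriptsdir}/run-bro" "$@" >stdout.log 2>stderr.log &`. It is also worth stating in the patch description that this hunk only takes effect together with the run-bro hunk, because run-bro expands the arguments again before Bro sees them.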
--- run-bro.orig
+++ run-bro
@@ -71,9 +71,9 @@ if [ -n "${pin_command}" -a $pin_cpu -ge 0 ]; then
          fi
      fi

-    nohup ${pin_command} $pin_cpu $mybro $@ &
+    nohup ${pin_command} $pin_cpu $mybro "$@" &
  else
-    nohup $mybro $@ &
+    nohup $mybro "$@" &
  fi

  child=$!
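Review bot: Both changed lines leave `$mybro` unquoted, and the pinned branch leaves `$pin_cpu` unquoted as well, so the quoting fix covers the forwarded arguments but not the command path itself; suggest `nohup "$mybro" "$@" &` in the else branch and the equivalent in the pinned branch. If `${pin_command}` is left unquoted on purpose because it can hold a command plus its options, a one-line comment saying so would keep a later cleanup from quoting it and breaking pinning.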
--- run-bro-on-trace.orig
+++ run-bro-on-trace
@@ -20,5 +20,5 @@ cd $cwd
  echo $@ >.cmdline
  touch .testing

-${bro} -r $trace $@
+${bro} -r $trace "$@"
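Review bot: `$trace` on the changed line is still unquoted, so a trace file path containing whitespace is split just as the filter expression was; suggest `"${bro}" -r "$trace" "$@"`. The context line `echo $@ >.cmdline` has the same issue as in check-config: it records the arguments without their boundaries.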

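The effect of the quoting bug described above, as an added example that is not part of the original post and is not broctl code: the functions below are constructed stand-ins for the helper chain (start, then run-bro, then the bro binary) and only report the argument vector they receive. It shows that every layer has to forward `"$@"`; one unquoted layer re-splits `not ip6`, leaving the stray `ip6` word that the error in the thread complains about.

```shell
#!/bin/sh
# Constructed stand-ins for the wrapper chain; hypothetical names, not broctl's.

# Final "binary": print the argument count, then each argument in brackets.
fake_bro() {
    printf '%d' "$#"
    for a in "$@"; do printf ' [%s]' "$a"; done
    printf '\n'
}

# Pre-patch forwarding: unquoted $@ is re-split on whitespace at every layer.
run_unquoted()   { fake_bro $@; }
start_unquoted() { run_unquoted $@; }

# Post-patch forwarding: "$@" passes each argument through unchanged.
run_quoted()   { fake_bro "$@"; }
start_quoted() { run_quoted "$@"; }

# Partially patched chain: the outer layer is fixed, the inner one is not.
start_mixed() { run_unquoted "$@"; }

# Constructed sample invocation mirroring the thread's filter option.
echo "unquoted: $(start_unquoted local.bro --filter 'not ip6')"
echo "quoted:   $(start_quoted   local.bro --filter 'not ip6')"
echo "mixed:    $(start_mixed    local.bro --filter 'not ip6')"
```
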


