[Bro] Bro problem - no software.log written

Mike Sconzo sconzo at visiblerisk.com
Sat Feb 22 05:59:45 PST 2014


Make sure to set your Sites::local_net variable. If you set it to
0.0.0.0/0 you should get an entry in software.log for every connection
that bro can find qualifying entries for.

On Sat, Feb 22, 2014 at 1:22 AM, mv <meetalivaidya at gmail.com> wrote:
>> If sniffing an interface, as a first step check that the software scripts
>> are being loaded:
>>
>>
>> $ pwd
>> /path/to/bro/logs/2013-08-28
>>
>> $ zgrep software loaded_scripts.16\:59\:36-17\:00\:00.log.gz
>>   /usr/local/bro/share/bro/base/frameworks/software/__load__.bro
>>   /usr/local/bro/share/bro/base/frameworks/software/./main.bro
>>   /usr/local/bro/share/bro/policy/frameworks/software/vulnerable.bro
>>   /usr/local/bro/share/bro/policy/frameworks/software/version-changes.bro
>>   /usr/local/bro/share/bro/policy/protocols/ftp/software.bro
>>   /usr/local/bro/share/bro/policy/protocols/smtp/software.bro
>>   /usr/local/bro/share/bro/policy/protocols/ssh/software.bro
>>   /usr/local/bro/share/bro/policy/protocols/http/software.bro
>
> I have included the detect-webapps script in local.bro. It is supposed to
> show the logs in software.log. But the logs are not seen.
>
> I checked that the software scripts are being loaded.
>
> I am not running against a pcap.
>
> Is there any way to debug why software.log is not written? Also, is there
> any other way I can see logs generated by the detect-webapps.bro script which
> uses signatures?
>
> Thanks.
>



-- 
cat ~/.bash_history > documentation.txt
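
The two checks from this thread (are the software scripts loaded, and do the monitored hosts fall inside the configured local networks) combined into one triage helper. This is an added example, not part of the original messages and not Bro's own code. It assumes the local networks are listed one CIDR per line as in broctl's `networks.cfg` (the script-level set is `Site::local_nets`) and that the software framework records only hosts inside those networks by default; the function names and sample data are constructed for illustration.

```python
import gzip
import ipaddress

# Script-path suffixes that must appear in loaded_scripts.log (names from the thread).
REQUIRED = ("base/frameworks/software/main.bro", "detect-webapps.bro")

def loaded_script_paths(log_bytes):
    """Return script paths from a loaded_scripts log, plain or gzip-compressed."""
    if log_bytes[:2] == b"\x1f\x8b":          # gzip magic, as in rotated *.log.gz
        log_bytes = gzip.decompress(log_bytes)
    paths = []
    for line in log_bytes.decode("utf-8", "replace").splitlines():
        if line.startswith("#") or not line.strip():
            continue                           # skip log header and blank lines
        # Entries are indented by load depth and may contain "/./".
        paths.append(line.strip().replace("/./", "/"))
    return paths

def missing_scripts(paths, required=REQUIRED):
    return [r for r in required if not any(p.endswith(r) for p in paths)]

def local_nets(networks_cfg_text):
    """Parse '<cidr> <description>' lines (assumed networks.cfg layout)."""
    nets = []
    for line in networks_cfg_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line.split()[0], strict=False))
    return nets

def triage(log_bytes, networks_cfg_text, hosts):
    """Report scripts not loaded and hosts outside every local network."""
    nets = local_nets(networks_cfg_text)
    outside = [h for h in hosts
               if not any(ipaddress.ip_address(h) in n for n in nets)]
    return {"missing_scripts": missing_scripts(loaded_script_paths(log_bytes)),
            "hosts_outside_local_nets": outside}

# Constructed sample data, not taken from a real sensor.
SAMPLE_LOG = gzip.compress(b"""#fields\tname
/usr/local/bro/share/bro/base/frameworks/software/__load__.bro
  /usr/local/bro/share/bro/base/frameworks/software/./main.bro
/usr/local/bro/share/bro/policy/protocols/http/software.bro
""")
SAMPLE_CFG = "10.0.0.0/8    Private IP space  # constructed\n"

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, SAMPLE_CFG, ["10.1.2.3", "192.0.2.10"]))
```

A host reported under `hosts_outside_local_nets` would not be expected to produce software.log entries under the default assumed here, even when every script is loaded.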


