[Bro] Quick Notice question

Kellogg, Brian D (OLN) bkellogg at dresser-rand.com
Fri Jan 24 10:44:30 PST 2014


Hmm, not sure.

I usually edit the script with Notepad++ and then copy it into a Vi session on the SecurityOnion sensor.  Line 8 is a comment; at least on mine.

Try using "broctl check" and "broctl diag" after stopping bro and see if that turns up anything.  I'm pretty new to Bro so hopefully I'm not leading you down the wrong path.


Thank you,
Brian Kellogg
Security Analyst; IT Governance, Risk, and Compliance
500 Paul Clark Drive, Olean,  NY 14760
T: (716) 375-3186 | F: (716) 375-3557


-----Original Message-----
From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of James Lay
Sent: Friday, January 24, 2014 1:22 PM
To: Bro
Subject: Re: [Bro] Quick Notice question

On 2014-01-24 09:48, Kellogg, Brian D (OLN) wrote:
> I've added a little more smarts to the script as I become more 
> familiar with bro scripting.  I'm simply amazed at the possibilities 
> of Bro; thank you to those who have and continue to develop this 
> awesome tool.  I wish I had run across it five years ago.  Attached is 
> the current iteration.  I'm trying to keep track of and alert on hosts 
> that have multiple large upload events in a given time and any 
> destination hosts that have seen multiple uploads over a given time.
> To disable the mail alerts just comment out the below.  If any of my 
> inline comments are unclear yell at me.

So I've completely removed and re-installed bro-2.2.  Here's what I get when I try and test the script:

[11:11:47 @analysis:~/brostuff/testbrofiles$] bro largeTx.bro
error in ./largeTx.bro, line 7: unrecognized character -
error in ./largeTx.bro, line 8: unrecognized character -
<redacted>
error in ./largeTx.bro, line 96: unrecognized character -
error in ./largeTx.bro, line 97: unrecognized character -

I've tried just downloading the file from email, copying and pasting as text, and even getting rid of the tab control characters.  The below snippet works though:

event bro_init()
{
    print "Hello World!";
}

[11:15:15 @analysis:~/brostuff/testbrofiles$] bro helloworld.bro
Hello World!


If I copy the script to /usr/local/bro/share/bro/site, add it to local.bro with "@load largeTx.bro", start broctl, install, then start, I get a fail and diag shows the same as above.
Am I missing something obvious?  Thank you.

James
_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
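Added example, not code from the thread, from Brian, from James, or from the Bro project. The thread never says what the "unrecognized character" bytes in largeTx.bro actually were; the assumption behind this scanner is that a script pasted from Notepad++ into vi picked up invisible non-ASCII characters (a UTF-8 byte order mark, non-breaking spaces, curly quotes) or CRLF line endings, which the Bro parser rejects with exactly that message even on comment lines. The scanner reports every such character with a 1-based line and column so it can be jumped to in vi, and `clean()` rewrites the usual offenders to plain ASCII. The sample script bytes are constructed for the demonstration.

```python
"""Find and strip characters a Bro policy-script parser would reject.

Added example for the largeTx.bro thread; not part of Bro or broctl.
Assumption: the "unrecognized character" errors come from invisible
non-ASCII bytes or CR line endings introduced by copy/paste.
"""
import sys
import unicodedata

# Characters that can legitimately appear in a Bro script: printable
# ASCII, tab and newline. Everything else is reported.
def _allowed(ch: str) -> bool:
    return ch == "\t" or " " <= ch <= "~"


def describe(ch: str) -> str:
    """Human-readable name for an offending character."""
    cp = ord(ch)
    if ch == "\ufeff":
        return "UTF-8 byte order mark (U+FEFF)"
    if ch == "\r":
        return "carriage return (CRLF line ending)"
    if ch == "\ufffd":
        return "undecodable byte (not valid UTF-8)"
    name = unicodedata.name(ch, "control character")
    return "%s (U+%04X)" % (name, cp)


def find_bad_chars(data: bytes):
    """Return [(line, col, char, description)] for every rejected character.

    Lines are split on LF only, so a stray CR shows up as the last column
    of its line rather than silently producing an extra blank line.
    """
    text = data.decode("utf-8", errors="replace")
    findings = []
    for lineno, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            if not _allowed(ch):
                findings.append((lineno, col, ch, describe(ch)))
    return findings


# Replacements for the characters most often smuggled in by editors
# and clipboards. Anything not listed is left alone so a rescan still
# flags it instead of it being silently turned into '?'.
REPLACEMENTS = {
    "\ufeff": "",     # byte order mark: drop
    "\u00a0": " ",    # no-break space -> space
    "\u201c": '"',    # left double quote
    "\u201d": '"',    # right double quote
    "\u2018": "'",    # left single quote
    "\u2019": "'",    # right single quote
    "\r": "",         # CRLF -> LF
}


def clean(data: bytes) -> bytes:
    """Return the script with the common offenders replaced."""
    text = data.decode("utf-8", errors="replace")
    for bad, good in REPLACEMENTS.items():
        text = text.replace(bad, good)
    return text.encode("utf-8")


# Constructed sample: a BOM, a no-break space inside a comment, curly
# quotes around a string literal, and CRLF line endings throughout.
SAMPLE = (
    b"\xef\xbb\xbf# largeTx.bro\xc2\xa0comment\r\n"
    b"event bro_init()\r\n"
    b"{\r\n"
    b"\tprint \xe2\x80\x9cHello\xe2\x80\x9d;\r\n"
    b"}\r\n"
)


def main(argv):
    # Usage: python scan_bro.py largeTx.bro [--fix]
    path = argv[1] if len(argv) > 1 else None
    data = open(path, "rb").read() if path else SAMPLE
    for lineno, col, ch, what in find_bad_chars(data):
        print("%s:%d:%d: %s" % (path or "<sample>", lineno, col, what))
    if path and "--fix" in argv:
        open(path, "wb").write(clean(data))
        print("rewrote %s; rerun 'broctl check' to confirm it parses" % path)


if __name__ == "__main__":
    main(sys.argv)
```

Run it against the failing script before copying it into /usr/local/bro/share/bro/site; `cat -A largeTx.bro` on the sensor gives a quicker but less specific view of the same thing (a no-break space appears as `M-BM- `, CRLF as `^M$`). Note that `broctl check` exercises the real parser and will also catch genuine syntax errors that this scanner cannot see; the scanner only answers the narrower question of whether the file contains bytes that cannot be a Bro token at all.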
