[Bro] help required in logs with bro

anthony kasza anthony.kasza at gmail.com
Wed Nov 23 14:30:26 PST 2016


I've put the list back on CC.

Broctl will write logs wherever it's configured to. I'm not familiar with
the Security Onion distribution enough to troubleshoot it. Bro seems to be
working correctly. My guess is you need to fiddle with the broctl
configuration Security Onion is using.

-AK

On Nov 23, 2016 3:25 PM, "Yagyesh Srivastava" <ysrivas at ncsu.edu> wrote:

> If you run 'bro -Ci eth0' and browse a webserver over eth0, bro should
> spit out logs in your current working directory. If not, Bro is either not
> seeing packets or something else is wrong.
> *I am getting this correctly.*
>
> Is there a reason why broctl would not work in this case (when bro binary
> is)?
> Also just to make sure, broctl will always send logs in
> /nsm/bro/logs/current right?
>
> On Wed, Nov 23, 2016 at 5:22 PM, anthony kasza <anthony.kasza at gmail.com>
> wrote:
>
>> Try writing a trace file to disk with tcpdump and reading it with Bro
>> using the -r option.
>>
>> On Nov 23, 2016 3:11 PM, "Yagyesh Srivastava" <ysrivas at ncsu.edu> wrote:
>>
>>> Also Anthony,
>>> I did try tcpdump:
>>> yagyesh at yagyesh-virtual-machine:/nsm/bro/share/bro/base/protocols/http$
>>> sudo tcpdump -nS
>>> tcpdump: verbose output suppressed, use -v or -vv for full protocol
>>> decode
>>> listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
>>> 17:03:30.300262 IP 192.168.170.135.45554 > 31.13.69.228.443: Flags [P.],
>>> seq 1936267894:1936268148, ack 2692707210, win 64240, length 254
>>> 17:03:30.300484 IP 31.13.69.228.443 > 192.168.170.135.45554: Flags [.],
>>> ack 1936268148, win 64240, length 0
>>>
>>>
>>> it is showing me the movement of packets.
>>>
>>> When I am doing a curl to localhost, I am changing the node.cfg
>>> file so as to reflect interface=lo and not eth0.
>>> That's the only change that we need if we need to monitor the loopback port
>>> with bro instead of eth0?
>>>
>>> Also, someone suggested that the interface might not be in monitor mode.
>>> Had this been the case, would I have received the tcpdump output like mentioned
>>> above?
>>>
>>> On Wed, Nov 23, 2016 at 5:01 PM, Yagyesh Srivastava <ysrivas at ncsu.edu>
>>> wrote:
>>>
>>>> By bro binary you mean the "bro -i eth0" command?
>>>> I can see that when I give this command it's listening on the eth0
>>>> interface. It initially gave me a warning saying that due to NIC checksum it is
>>>> receiving bad-checksum packets, so it will discard them.
>>>> So I ran the above command with the -C option.
>>>> Is this what you were referring to?
>>>> Could you please help me understand what's the difference between this
>>>> command and broctl?
>>>>
>>>> Thanks and regards
>>>>
>>>> On Nov 23, 2016 4:54 PM, "anthony kasza" <anthony.kasza at gmail.com>
>>>> wrote:
>>>>
>>>>> Your VM may be using its loopback address for the connection to the
>>>>> local Apache server. If Bro is listening on eth0 (not the loopback
>>>>> interface) it won't see that traffic.
>>>>>
>>>>> As for the curl'ing of external sites, have you tried something basic
>>>>> like tcpdump just to make sure packets are moving? I'd also try running the
>>>>> Bro binary, without broctl, on an interface just to make sure Bro is
>>>>> compiled, happy, and seeing packets move.
>>>>>
>>>>> -AK
>>>>>
>>>>> On Nov 23, 2016 1:33 PM, "Yagyesh Srivastava" <ysrivas at ncsu.edu>
>>>>> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I have downloaded bro and built it on a VM, using configure, make and
>>>>>> make install.
>>>>>> Then I ran broctl install and deploy.
>>>>>> When I run broctl using "sudo broctl start" and subsequently issue
>>>>>> "sudo broctl status", it shows bro running as standalone on localhost.
>>>>>>
>>>>>> My /nsm/bro/etc/node.cfg file has
>>>>>> type = standalone
>>>>>> host = localhost
>>>>>> interface = eth0
>>>>>>
>>>>>> Now when I try to connect to the internet using my VM browser,
>>>>>> or I curl to localhost (which has an Apache server running, after
>>>>>> making the node.cfg file listen on the loopback interface), in either case
>>>>>> I cannot see any logs getting generated.
>>>>>>
>>>>>>
>>>>>> *Can someone please help me with this issue?* I don't think bro is
>>>>>> sniffing on the correct interface; there is something trivial, I am
>>>>>> guessing, which is going wrong. Please provide any pointers if possible.
>>>>>>
>>>>>> Thanks,
>>>>>> Yagyesh
>>>>>>
>>>>>> _______________________________________________
>>>>>> Bro mailing list
>>>>>> bro at bro-ids.org
>>>>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>>>>
>>>>>
>>>
>
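The checks Anthony walks through above (does the configured interface actually carry the traffic being tested, is the loopback case being confused with eth0, does the bare bro binary produce logs from a tcpdump trace) collected into an added shell example. This is not code from the thread or from the Bro project; it assumes the /nsm/bro/etc/node.cfg layout shown in the thread, a constructed sample node.cfg embedded below, and that tcpdump, timeout and bro are on PATH for the capture step.

```shell
#!/bin/sh
# Sanity checks for a Bro sensor that starts fine under broctl but writes no logs.

# Constructed sample of the node.cfg from the thread (not a real file).
sample_node_cfg() {
    cat <<'EOF'
type = standalone
host = localhost
interface = eth0
EOF
}

# Print the "interface = ..." value of a node.cfg read from stdin.
# Usage: node_cfg_interface < /nsm/bro/etc/node.cfg
node_cfg_interface() {
    sed -n 's/^[[:space:]]*interface[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' | head -n 1
}

# Return 0 if traffic to host $2 will cross interface $1.
# Connections to localhost never leave the loopback interface, so a sensor
# on eth0 sees nothing when you curl the local Apache server.
interface_sees_host() {
    iface="$1"; host="$2"
    case "$host" in
        localhost|127.*|::1) [ "$iface" = "lo" ] ;;
        *)                   [ "$iface" != "lo" ] ;;
    esac
}

# Three-step check from the thread: capture a short trace with tcpdump,
# read it back with the bare bro binary (no broctl), list the logs it wrote.
# $1: interface, $2: capture seconds (default 10). Logs land in a temp dir.
trace_check() {
    iface="$1"; secs="${2:-10}"; dir="$(mktemp -d)"
    # -c caps the packet count so the capture ends even on a quiet link.
    timeout "$secs" tcpdump -ni "$iface" -c 200 -w "$dir/trace.pcap" 2>/dev/null
    # -C ignores the bad-checksum packets caused by NIC checksum offload.
    ( cd "$dir" && bro -C -r trace.pcap )
    ls "$dir"/*.log 2>/dev/null
}

if [ "$#" -gt 0 ]; then
    cfg_iface="$(node_cfg_interface < /nsm/bro/etc/node.cfg)"
    echo "node.cfg interface: $cfg_iface"
    interface_sees_host "$cfg_iface" "$1" || echo "warning: traffic to $1 will not cross $cfg_iface"
    trace_check "$cfg_iface"
fi
```

Run it as `sh check.sh localhost` or `sh check.sh www.example.com` to test the host you are curling; an empty `ls` output at the end means the bare binary saw no packets on that interface either.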