[Zeek] Bro upgrades, and plugins vs. packages, and bro-pkg

James Lay jlay at slave-tothe-box.net
Thu Dec 20 12:55:40 PST 2018 

So here we go.  I've attacked this with my lab and here are some 
thoughts/results.  Current state:

bro-2.6 installed from source (config option --prefix=/opt/bro)
bro-af_packet-plugin ja3 intel-seen-more domain-tld installed via 
bro-pkg

after upgrading to bro-2.6.1 errors like the below:

fatal error in /opt/bro/share/bro/base/init-bare.bro, line 1: cannot 
load plugin library 
/opt/bro/lib/bro/plugins/packages/bro-af_packet-plugin//lib/Bro-AF_Packet.linux-x86_64.so: 
/opt/bro/lib/bro/plugins/packages/bro-af_packet-plugin//lib/Bro-AF_Packet.linux-x86_64.so: 
undefined symbol: bro_version_2_6_plugin_6

next up, remove and reinstall bro-af_backup-plugin:

root@# bro-pkg remove bro-af_packet-plugin
The following packages will be REMOVED:
   bro/j-gras/bro-af_packet-plugin

Proceed? [Y/n] y
Removed "bro/j-gras/bro-af_packet-plugin"
root@# bro-pkg install bro-af_packet-plugin
The following packages will be INSTALLED:
   bro/j-gras/bro-af_packet-plugin (1.3.0)

Proceed? [Y/n] y
Running unit tests for "bro/j-gras/bro-af_packet-plugin"
[  0%] scripts.show-plugin ... failed
   % 'bro -NN Bro::AF_Packet > output' failed unexpectedly (exit code 1)
   % cat .stderr
   fatal error in /opt/bro/share/bro/base/init-bare.bro, line 1: cannot 
load plugin library 
/root/.bro-pkg/testing/bro-af_packet-plugin/plugins/packages/bro-af_packet-plugin//lib/Bro-AF_Packet.linux-x86_64.so: 
/root/.bro-pkg/testing/bro-af_packet-plugin/plugins/packages/bro-af_packet-plugin//lib/Bro-AF_Packet.linux-x86_64.so: 
undefined symbol: bro_version_2_6_plugin_6

1 of 1 test failed
error: bro/j-gras/bro-af_packet-plugin tests failed, inspect contents of 
/root/.bro-pkg/testing/bro-af_packet-plugin for details
Proceed to install anyway? [N/y] n
Abort.

a thought occurs....modify /root/.bro-pkg/config -> bro_dist = 
/build/bro-2.6.1

all works.  So long story short, the upgrade process going forward 
should be:

./configure, make, make install
bro-pkg autoconfig
bro-pkg refresh

on from there.  It might be worthwhile to annotate somewhere in the 
README or create an UPGRADE in the tarball to reflect that bro-pkg will 
need some attention as well during the upgrade process.  Thank you!

James

More information about the Zeek mailing list