[Bro] Where is my conn.log?

Hosom, Stephen M hosom at battelle.org
Mon Nov 12 12:25:17 PST 2018


Check the reporter.log. I highly suspect that it will have an error related to checksum offloading.


You'll want to try running bro with the -C option to see if that produces logs. If it does, then you'll need to modify your interface configuration. You can do this by installing the interface setup package from NCSA: https://github.com/ncsa/bro-interface-setup or manually configuring your interface along the lines of the guide located here: https://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full.html



Security Onion: When is full packet capture NOT full packet capture?<https://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full.html>
blog.securityonion.net
I was looking at some packets recently and noticed the Wireshark message "Packet size limited during capture". &nbsp;This was strange since the p...


________________________________
From: bro-bounces at bro.org <bro-bounces at bro.org> on behalf of Mark Krenz <mkrenz at iu.edu>
Sent: Monday, November 12, 2018 2:47:53 PM
To: bro at bro-ids.org
Subject: [Bro] Where is my conn.log?

Message received from outside the Battelle network. Carefully examine it before you open any links or attachments.


I've inherited a Bro 2.5.5 setup from someone else and am coming to it after it's been running for a while without producing any conn or other protocol logs.  I've tried restarting Bro and redeploying, but the only logs that get started are

communication.log
loaded_scripts.log
packet_filter.log
reporter.log
stats.log
stderr.log
stdout.log
weird.log

None of these logs are filling up with anything useful or indicating what the problem may be. The only useful message is "non_ip_packet_in_ethernet" in the weird.log. That seems to point to a network issue rather than a Bro issue, but I'd like to rule out a Bro issue first if possible. At one point this setup did produce useful logs but apparently it just stopped at some point and I'm not sure why. The only thing somewhat unique about this setup is that at one point it required me to use the setting 'redef encap_hdr_size=10;' to handle an incompatibility between Bro and a vlan technology this network uses. I've also verified that the taps that Bro is listening on are seeing actual traffic by using tshark, which is able to decode the protocols.

Any suggestions as to where to start and how to diagnose this?

Thanks,

Mark



More information about the Bro mailing list