bro access to ether on ubuntu

ok, i give. i realize that i need to have a bro vm on each of the
physical nodes in a three-node ganeti cluster and run a bro cluster.

can i do this with only three vms for a three-node cluster, i.e. one of
the bro vms be both a worker and the central manager with broctl? or
does the manager need to be a fourth vm?


ok, to put it directly, is it reasonable, presuming i can give the bro
vms whatever cpus they need, and the load is not heavy, to do the


[ ubuntu 16.04 on ganeti cluster ]

so i figured the config out


Hi Randy,

I wrote a Bro plugin that takes care of the ’setcap’ tasks after each deploy. Just adjusts the paths to reflect your Bro instal. Let me know if you run into any issues with it.


hi dave,

aha!> broctl install
removing old policies in /usr/local/bro/spool/installed-scripts-do-not-touch/site ...
removing old policies in /usr/local/bro/spool/installed-scripts-do-not-touch/auto ...
creating policy directories ...
installing site policies ...
generating cluster-layout.bro ...
generating local-networks.bro ...
generating broctl-config.bro ...
generating ...
updating nodes ...
setcap plugin: executing setcap on each node: - Executing setcap: SUCCESS - Executing setcap: SUCCESS - Executing setcap: SUCCESS

thank you!!


Hi Dave,

First of all, thank you for your plugin, it is very useful! I am using since a while.

Last time I used it I ran into an error and had to change the code to see it.
In the last line of the plugin I appended the reason of the FAIL when it fails:

self.message("{0} - Executing setcap: {1}".format(, ‘SUCCESS’ if success else 'FAIL ’ + output[0]))

The reason was:
sorry, you must have a tty to run sudo

This is linked to the sudoers setting:
Defaults requiretty

In order to fix it I couldn’t find a workaround using the command given to the plugin (using -tt for instance). I just commented the line using visudo.
Any ideas to make both compatible are still welcome!

Hope it helps!
Best regards,
Pierre Gaulon.

Thanks for the feedback Pierre, what OS and version are you running Bro on?

Modify the sudoers file to add an additional line to disable the tty requirement specifically for setcap.

bro ALL=NOPASSWD: /sbin/setcap
Defaults!/sbin/setcap !requiretty

Let me know if that takes care of the issue and I’ll get my documentation updated.


The workers are running on CentOS Linux release 7.2.1511 (Core).

The Defaults!/sbin/setcap !requiretty fixed the problem!

Thanks for your help!
Best regards,
Pierre Gaulon.

fwiw, at my age, i leave a docco trail because i will forget what the
heck i did a day later. so the hack i finally used is available at