bro loggers

Feeling empowered by having attended the recent BRO workshop, I decided I wanted to make a change to the scan.bro policy script. I recall that I heard that I should not change any scripts in the /usr/local/bro/policy directory. Rather I should move the desired script to /usr/local/bro/site and change the name to local.scan.bro for example. Having done this, when I start bro I get ...

[root@rhyolite ~]# /etc/init.d/bro start
bro.rc: Running as non-root user root
bro.rc: Starting ..........bro.rc: Failed to start Bro
/usr/local/bro/site/local.scan.bro, line 1: error: can't open scan

Hummm, looking at permissions in /usr/local/bro/site I see ...

[root@rhyolite rreitz]# ls -l /usr/local/bro/site
total 452
-rw-r--r-- 1 root root 6 Apr 17 00:55 incident_counter
-rw-r--r-- 1 root root 13639 Aug 20 09:37 local.scan.bro
-rw-r--r-- 1 root root 464 Jul 24 00:42
-rw-r--r-- 1 root root 2026 Aug 14 14:49
-rw-r--r-- 1 root root 424977 Aug 6 09:47 signatures.sig
-rw-r--r-- 1 root root 926 Jul 25 11:06 watchdarknets.bro

The script /usr/local/bro/site/local.scan.bro begins with ...

[root@rhyolite ~]# head /usr/local/bro/site/local.scan.bro
# $Id: scan.bro 4613 2007-07-06 04:16:51Z vern $

@load notice
@load port-name
@load hot
@load trw-impl

redef enum Notice += {
         AddressDropped, # connectivity w/ given address has been dropped
         AddressDropIgnored, # a request to drop connectivity has been ignored

One more question. In scan.bro I want to call a script that will create an event in Fermilab's issue tracker whenever a scanner is found. I used the drop_connectivity_script variable to point to my script. Will the system() call use the existing $PATH to find the script? Should the script be in /usr/local/bro/scripts directory?

I'm using Bro Version 1.3.2. My bro start policy looks like this...

[root@rhyolite ~]# cat /usr/local/bro/site/
# $Id: local.lite.bro 1115 2005-03-20 06:51:11Z vern $

# This file is intended for host-specific Bro policy.

# What is host-specific? It can be anything that is not the default
# after installation. This is the place to make tweaks and changes
# to modify policy to suit your network environment and preferences.

# The following causes Bro to load local.XXX.bro anytime you
# "@load XXX" (along with first loading XXX.bro).

Hmmm.... I think your scripts actually look ok and I would think
this should work. Can you try it without the bro.rc wrapper, i.e.,
set BROPATH to your policy directories and run Bro manually with the
start policy file?