Bro problem - no software.log written

Hi,

How can I debug why no software log is written…?

I use Bro 2.1 compiled from source.

Thanks,

Omer

Are you running against a pcap or sniffing an interface?

If sniffing an interface, as a first step check that the software scripts are being loaded:

$ pwd
/path/to/bro/logs/2013-08-28

$ zgrep software loaded_scripts.16:59:36-17:00:00.log.gz
/usr/local/bro/share/bro/base/frameworks/software/__load__.bro
/usr/local/bro/share/bro/base/frameworks/software/./main.bro
/usr/local/bro/share/bro/policy/frameworks/software/vulnerable.bro
/usr/local/bro/share/bro/policy/frameworks/software/version-changes.bro
/usr/local/bro/share/bro/policy/protocols/ftp/software.bro
/usr/local/bro/share/bro/policy/protocols/smtp/software.bro
/usr/local/bro/share/bro/policy/protocols/ssh/software.bro
/usr/local/bro/share/bro/policy/protocols/http/software.bro

If running against a pcap, add local to the end of your command:
$ bro -r my.pcap local

-kb

If sniffing an interface, as a first step check that the software scripts are being loaded:

$ pwd
/path/to/bro/logs/2013-08-28

$ zgrep software loaded_scripts.16\:59\:36-17\:00\:00.log.gz
/usr/local/bro/share/bro/base/frameworks/software/__load__.bro
/usr/local/bro/share/bro/base/frameworks/software/./main.bro
/usr/local/bro/share/bro/policy/frameworks/software/vulnerable.bro
/usr/local/bro/share/bro/policy/frameworks/software/version-changes.bro
/usr/local/bro/share/bro/policy/protocols/ftp/software.bro
/usr/local/bro/share/bro/policy/protocols/smtp/software.bro
/usr/local/bro/share/bro/policy/protocols/ssh/software.bro
/usr/local/bro/share/bro/policy/protocols/http/software.bro

I have included the detect-webapps script in local.bro. It is supposed to
show the logs in software.log. But the logs are not seen.

I checked that the software scripts are being loaded.

I am not running against a pcap.

Is there any way to debug why software.log is not written? Also, is there
any other way I can see logs generated by the detect-webapps.bro script, which
uses signatures?

Thanks.

Make sure to set your Sites::local_net variable. If you set it to
0.0.0.0/0 you should get an entry in software.log for every connection
that bro can find qualifying entries for.

That will have side effects in other areas of Bro. If you want to log all software seen, it's probably better to use…

redef Software::asset_tracking = ALL_HOSTS;

Keep in mind though that this will have consequences in memory because it will store all of the seen software in memory.

  .Seth

Figured it'd have side effects, didn't really matter for my use cases.
However, the ALL_HOSTS setting is useful, and I didn't know that.

Thanks!

Hello,
the ALL_HOSTS setting is not useful in my case. In my case, I want to detect some webapps. I have enabled the detect-webapps.bro script. But logs are not created. Am I missing anything else that needs to be changed?

Thanks.

Are you loading the policy/protocols/http/detect-webapps.bro script? That script isn't very good either, so don't expect anything magic. :)

  .Seth
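The loaded-scripts check suggested in this thread can be scripted so that it also covers detect-webapps.bro. The following is an added example, not code from any poster or from the Bro project. The function names, the choice of three required scripts, and the tolerance for `#` header lines and indented entries are assumptions of the example.

```shell
#!/bin/sh
# Added example: list which scripts named in this thread are absent from a
# Bro loaded_scripts log (plain or .gz). Exit 0 = all present, 1 = some missing.

# Path suffixes as they appear in the thread; checking exactly these three
# is this example's choice.
REQUIRED_SCRIPTS='base/frameworks/software/main.bro
policy/protocols/http/software.bro
policy/protocols/http/detect-webapps.bro'

# Constructed sample (not real output): detect-webapps.bro is not loaded.
sample_log() {
    printf '%s\n' '#fields name' \
        '/usr/local/bro/share/bro/base/frameworks/software/./main.bro' \
        '  /usr/local/bro/share/bro/policy/protocols/http/software.bro'
}

# Print the log's entries with header lines, indentation and "/./" removed.
normalise_loaded() {
    case "$1" in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac | sed -e '/^#/d' -e 's/^[[:space:]]*//' -e 's#/\./#/#g'
}

# missing_scripts FILE: print every required script that FILE does not list.
missing_scripts() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    loaded=$(normalise_loaded "$1")
    status=0
    for want in $REQUIRED_SCRIPTS; do
        # Exact suffix match on the path, so a longer file name cannot match.
        if ! printf '%s\n' "$loaded" | awk -v w="/$want" '
            length($0) >= length(w) &&
            substr($0, length($0) - length(w) + 1) == w { found = 1 }
            END { exit !found }'; then
            printf '%s\n' "$want"
            status=1
        fi
    done
    return "$status"
}

# Usage: sh check_loaded.sh loaded_scripts.<time>.log.gz
if [ "$#" -gt 0 ]; then
    missing_scripts "$1"
fi
```

Any path it prints is a script that was not loaded by the running Bro instance, which points at local.bro rather than at the logging settings.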