Is there reference page on all the default installation directory
locations are by any chance? $PREFIX just makes it a very long process
establishing where all the files are located. If not, I think this would
be excellent for beginners like me.
Also, I have created a bridge interface that I want to monitor using
ubuntu/bro by connecting two hosts, for some reason I can't seem to
generate any logs in /usr/local/bro/logs/ (no 'current' folder when bro
is started as in the documentation). Is this even possible to monitor a
bridge interface using bro on the same host? I have already changed
node.cfg interface to br0.
There are no tutorials nowhere on how to actually get started, tried to
follow the instructions but still no luck, ive been wasting days on
this. If someone could point me in the right direction i'll greatly
Check this link for info on
the bro directory structure that may help you: https://www.bro.org/sphinx/install/release-notes.html#script-organization
As far as monitoring a bridged interface, there should be no problem, as long as bro can access the interface. If you’re not running as root, see: https://www.bro.org/documentation/faq.html#how-can-i-capture-packets-as-an-unprivileged-user
Does tcpdump provide expected output when run against br0?
Hope this helps,
Thanks a lot just what I needed, trying to search for everything just takes up too much time.
Running as root is just sudo -s then broclt right or do I need to change it as stated in that link you sent me?
No tcpdump does not work against br0 but it runs agains eth0 and eth1. I have assigned a IP address to br0, is this even required? I tried to use OpenBSD to accomplish a network tap but brconfig that configures the bridge is not in the operating system for some reason. I gett an error saying its not recognised, after many hours of searching I couldn’t find a solution.
Linux is a pain in the backside, it takes up soo much time trying to find solutions to problems.
This is my layout, I have put everything on the same subnet to just to get things started.
VM ethernet adapter(my PC)
192.168.10.5 - no gateway
br0 192.168.10.1 - no gateway
eth0 192.168.10.2 - no gateway
eth1 192.168.10.3 - no gateway
192.168.10.6 - gw 192.168.10.2
Linux Kali Attacker
192.168.10.7 - gw 192.168.10.3
Ok so I removed eth0/1 from network connections, the ethernet connection so br0 has br0 slave 1 and 2 which has removed the IP addresses and is now using MAC addresses on eth 0/1.
Now when I ping the br0 192.168.10.1 I get activity using tcpdump, however, when I ping hosts Attacker and Victim from eachother there is no activity on br0.
Assuming that you’re just doing the bonding for monitoring purposes, you could also have bro monitor multiple interfaces, see: http://mailman.icsi.berkeley.edu/pipermail/bro/2014-January/006477.html
Running bro as root is possible, but could be a security risk - the setcap method is safer & better.
Hope this helps,