Error Bro install

Now I downloaded the current release 0.9 and the installation completed.
Is this version good to use?

Yes, I believe the CURRENT release is fairly stable at this point.

    Vern

Hi!

I tried to test the tcpdump -w, following the steps below:

Bro can also be run on tcpdump -w files instead of on live traffic. To do this, you must set a BROPATH environment variable to point at your set of policy scripts. For example:

     setenv BROHOME /usr/local/bro
     setenv BROPATH $BROHOME/policy:$BROHOME/site
     bro -r dumpfile brohost

I used those commands:

BROHOME=/usr/local/bro
BROPATH=/usr/local/bro/policy:/usr/local/bro/site

When I tried this command: “bro -r /home/xxxx/tcpdump.teste scan”, I received this message:
line 1: error: can’t open bro.init

What can I do to resolve this problem?

Thanks,
Angelita

This error usually indicates that the $BROPATH variable does not point to the policy directory (where, among others, the file bro.init is located).

Hope this helps,
  Holger

Holger Dreger ** http://www.net.in.tum.de ** Tel.: +49 (0)89 289-18006
Lehrstuhl fuer Netzwerkarchitekturen, Technische Universitaet Muenchen

Hi,

I used those commands:

BROHOME=/usr/local/bro
BROPATH=/usr/local/bro/policy:/usr/local/bro/site

Sorry, I overlooked one detail: you have to export the BROPATH variable in order to make bro work. You only set the variable for the shell itself, not for the commands it executes.

So in sh or bash use:
export BROHOME=/usr/local/bro
export BROPATH=/usr/local/bro/policy:/usr/local/bro/site

Holger
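An added pre-flight check (not from this thread or from Bro itself) that puts Holger's two points together before anyone runs bro -r: BROPATH has to be visible to child processes (i.e. exported, not just set in the shell), and one of its entries has to contain bro.init. The paths are the ones used in the thread; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the thread or of Bro. Checks that BROPATH is
# exported (a child process can see it) and that bro.init is reachable
# through one of its colon-separated entries.

# Print what a child process sees for the variable named in $1.
# An unexported variable prints as the empty string here.
child_view() {
    sh -c "printf '%s' \"\${$1:-}\""
}

# Search the colon-separated list $1 for a file named $2 and print the
# directory that contains it. Returns 1 when no entry has the file.
find_in_path() {
    _list=$1 _name=$2
    while [ -n "$_list" ]; do
        _dir=${_list%%:*}
        [ -f "$_dir/$_name" ] && { printf '%s' "$_dir"; return 0; }
        [ "$_list" = "$_dir" ] && break   # last entry, no colon left
        _list=${_list#*:}
    done
    return 1
}

# Returns 0 when BROPATH is exported and some entry contains bro.init,
# 1 (with a reason on stderr) otherwise.
bro_env_check() {
    if [ -z "$(child_view BROPATH)" ]; then
        echo "BROPATH is not visible to child processes: use 'export BROPATH=...'" >&2
        return 1
    fi
    if ! find_in_path "$BROPATH" bro.init >/dev/null; then
        echo "no bro.init in any BROPATH entry (BROPATH=$BROPATH)" >&2
        return 1
    fi
    return 0
}

# Usage, with the thread's values (assumes the policy tree is installed there):
#   export BROHOME=/usr/local/bro
#   export BROPATH=$BROHOME/policy:$BROHOME/site
#   bro_env_check && bro -r dumpfile brohost
```

Running the check without the export reproduces the first symptom in the thread: the shell itself still knows BROPATH, but the child process (here a second sh, in the real case bro) gets nothing and bro falls back to looking for bro.init in the current directory.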

Thanks, I put the two lines in .bash_profile:
export BROHOME=/usr/local/bro
export BROPATH=/usr/local/bro/policy:/usr/local/bro/site

Now, when I run this command to test: /usr/local/bro/bin/bro -r
/home/angelita/test.trace scan

I received this message: /usr/local/bro/bin/bro: problem with trace file
/home/angelita/test.trace - fread: Inappropriate ioctl for device

I have a question: what kind of file do I have to create to be a trace file? Do
I have to follow some tips?

Thanks
Angelita

I believe that's a pcap error message passed to Bro, and I seem to
recall seeing that error message when the trace file you're passing is
empty. Could that be possible? In any case, you want that file to be a
pcap trace file, typically generated using tcpdump -w.

  http://mailman.icsi.berkeley.edu/pipermail/bro/2004-July/001545.html

Cheers,
Christian.
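An added check (not from this thread or from Bro) for the "what kind of file" question: before passing a file to bro -r, confirm it is non-empty and starts with a libpcap or pcapng file header, which is what tcpdump -w produces. The magic values are the documented libpcap and pcapng ones; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the thread or of Bro. Validates a candidate
# trace file: must be a regular, non-empty file whose first four bytes
# are a pcap or pcapng magic number.

# Print the first four bytes of $1 as lowercase hex (e.g. d4c3b2a1).
# Prints nothing for an empty file.
pcap_magic() {
    od -An -tx1 -N4 "$1" | tr -d ' \n'
}

# Print the detected format and return 0, or print a reason on stderr
# and return 1.
check_trace() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "$f: not a regular file" >&2; return 1
    fi
    if [ ! -s "$f" ]; then
        echo "$f: empty file, nothing for fread to read" >&2; return 1
    fi
    case $(pcap_magic "$f") in
        d4c3b2a1) echo "pcap (little-endian, microsecond timestamps)" ;;
        a1b2c3d4) echo "pcap (big-endian, microsecond timestamps)" ;;
        4d3cb2a1) echo "pcap (little-endian, nanosecond timestamps)" ;;
        a1b23c4d) echo "pcap (big-endian, nanosecond timestamps)" ;;
        0a0d0d0a) echo "pcapng" ;;
        *) echo "$f: not a pcap/pcapng file; create one with 'tcpdump -w $f'" >&2
           return 1 ;;
    esac
}

# Usage (path from the thread):
#   check_trace /home/angelita/test.trace && bro -r /home/angelita/test.trace scan
```

The empty-file case is the one Christian suspects above: libpcap tries to fread the file header, gets nothing back, and the message that reaches Bro is the stale errno text rather than a clear "empty file".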

Now, I tested using these commands:

/usr/local/bro/bin/bro -r /home/angelita/test.trace tcp.bro

line 1: warning: event handlers never invoked:
line 1: warning: account_tried
Saving state...

/usr/local/bro/bin/bro -r /home/angelita/test.trace scan.bro

Reading .state/state.bst ...
line 1: warning: event handlers never invoked:
line 1: warning: account_tried
Saving state...

In the logs directory /usr/local/bro/logs, I have logs about my scan tests,
but if I run the site-report.pl and mail_reports.sh scripts, they don't show
the scans, for example.

What is the best way to resolve this? Now the report shows the IP ("attack
machine"), but doesn't show the scan or incident details.

Thanks

I used tcpdump -w only for testing, but I will run Bro on live traffic.

Do I need to edit some policy files, like scan.bro, tcp.bro or other
files?

Thanks

No, it doesn't matter to the policy scripts whether the traffic comes
from trace files or a live network. The only difference is in the way
you start Bro (-i vs -r).

Cheers,
Christian.