failed to start BRO

Hi everyone

I am new to Bro IDS 1.4. I have tried to install it on the CentOS platform. Well, at the beginning it was difficult; however, I managed to install it with the same instructions:

./configure

make
make install

make install-brolite

bro-lite did a very good job. It created all the directories in the bro home directory /usr/local/bro

[bro@localhost bro]$ ls
archive bin etc include lib logs reports scripts share site var

The problem I am facing is that when I try to start bro using the bro.rc file with {BROHOME}/etc/bro.rc start, it fails and gives me this error:

[bro@localhost ~]$ /usr/local/bro/etc/bro.rc start
bro.rc: Starting ..........bro.rc: Failed to start Bro
line 1: error: can't open localhost.localdomain.bro
... FAILED

Note: I have tried to change my host name to localhost.localdomain.bro

Any ideas please… help

* jags0nhak3r@engineer.com <jags0nhak3r@engineer.com> [2009-10-29 03:34:51 -0400]:

Hi everyone

I am new to Bro IDS 1.4. I have tried to install it on the CentOS platform. Well, at the beginning it was difficult; however, I managed to install it with the same instructions:

./configure

make
make install

make install-brolite

bro-lite did a very good job. It created all the directories in the bro home directory /usr/local/bro

[bro@localhost bro]$ ls
archive bin etc include lib logs reports scripts share site var

The problem I am facing is that when I try to start bro using the bro.rc file with {BROHOME}/etc/bro.rc start, it fails and gives me this error:

[bro@localhost ~]$ /usr/local/bro/etc/bro.rc start
bro.rc: Starting ..........bro.rc: Failed to start Bro
line 1: error: can't open localhost.localdomain.bro
... FAILED

Note: I have tried to change my host name to localhost.localdomain.bro

Any ideas please.. help

  Hello,

  Bro is searching for a file called "localhost.localdomain.bro" in the
  various paths defined in your BROPATH environment variable.
  
  So two questions:
  
  Does your file exist somewhere?
  Is it in a directory specified in "BROPATH"?
  
  Mine is defined as follows in my .bashrc:
  
  export BROPATH=/opt/share/bro/policy
  
  Cheers,
  
  Jean-Philippe.

Hi,

Thanks for your Re

I figured out that localhost.localdomain.bro is a file and BRO needs to open it when it starts. That file should be located in {BROPATH}, that is right.

here is my BROPATH

# Bro policy paths
BROPATH="/usr/local/bro/share/bro/site:/usr/local/bro/share/bro:/usr/local/bro/share/bro/sigs:/usr/local/bro/share/bro/time-machine"
export BROPATH

# Filename of the Bro start policy. Must be located in one of the directories in $BROPATH
BRO_START_POLICY="localhost.localdomain.bro"

I wonder why the so called file localhost.localdomain.bro is not created in BROPATH by default. Thus, I created it in this PATH
/usr/local/bro/share/bro manually and BRO successfully started.

I would also like to know what the purpose of that file is and what should be in it.

btw,
1- what and how should I start to capture packets, analyze them?
2- what commands shall I run where the analysis files are stored?

I read in the BRO user manual that to run BRO you type the following command:

bro -[options]
but when I run bro, which is a binary file, I get bash: bro: command not found

what is wrong with my configuration…

Please I need assistance,

Regards

* jags0nhak3r@engineer.com <jags0nhak3r@engineer.com> [2009-10-29 21:51:33 -0400]:

Hi,

Thanks for your Re

I figured out that localhost.localdomain.bro is a file and BRO needs to open it when it starts. That file should be located in {BROPATH}, that is right.

here is my BROPATH

# Bro policy paths
BROPATH="/usr/local/bro/share/bro/site:/usr/local/bro/share/bro:/usr/local/bro/share/bro/sigs:/usr/local/bro/share/bro/time-machine"
export BROPATH

# Filename of the Bro start policy. Must be located in one of the directories in $BROPATH
BRO_START_POLICY="localhost.localdomain.bro"

I wonder why the so called file localhost.localdomain.bro is not created in BROPATH by default. Thus, I created it in this PATH
/usr/local/bro/share/bro manually and BRO successfully started.

I would also like to know what the purpose of that file is and what should be in it.

btw,
1- what and how should I start to capture packets, analyze them?
2- what commands shall I run where the analysis files are stored?

I read in the BRO user manual that to run BRO you type the following command:

bro -[options]
but when I run bro, which is a binary file, I get bash: bro: command not found

what is wrong with my configuration...

Please I need assistance,

Regards

  Hello,
  
  Bro is very good at various things and one of them is the customisation of
  it on behalf of your specific environment.
  You may need to tweak the NIDS in order to make it in accordance with your
  network, etc., hence the reason for such a file (localhost.localdomain.bro).
  
  In order to capture data, you need to specify what you want to catch, so here
  are the various *.bro.
  
  My config file (bro.cfg) has:
  
  BRO_START_POLICY="mygw"
  
  and this file contains only one line:
  
  @load brolite
  
  ("brolite.bro" is found in one of the directories specified by BROPATH).
  
  Concerning the analysis, apart from the BROPATH we talked about before, there's
  also a BROLOGS environment variable.
  
  Here is mine:
  
  # Directory containing Bro logs
  BROLOGS="/opt/share/bro-1.4/logs"
  export BROLOGS
  
  So as soon as bro begins, it'll report various things in this directory.
  
  I've some (perhaps) stupid questions:
  
  Did you set up a "bro.cfg" (you can do it using "bro_config")?
  
  And do you run bro using "bro.rc"?
  
  With regards,
  
  Jean-Philippe.
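
The check discussed in the two replies above (is the start policy file in a BROPATH directory, and do the scripts it loads resolve as well), written as an added shell example that is not part of the thread or of Bro itself. It assumes a name is tried both as written and with ".bro" appended; the function names are hypothetical.

```shell
# Added example, not from the thread. Assumption: a policy name is tried as
# written and with ".bro" appended, in each BROPATH directory in order.

# find_in_bropath NAME: print the first readable match, return 1 if none.
find_in_bropath() {
    name=$1
    old_ifs=$IFS
    IFS=:
    for dir in $BROPATH; do
        for cand in "$dir/$name" "$dir/$name.bro"; do
            if [ -f "$cand" ] && [ -r "$cand" ]; then
                IFS=$old_ifs
                printf '%s\n' "$cand"
                return 0
            fi
        done
    done
    IFS=$old_ifs
    return 1
}

# check_start_policy NAME: resolve the start policy and each "@load" in it.
check_start_policy() {
    policy=$(find_in_bropath "$1") || {
        echo "MISSING start policy '$1' in BROPATH=$BROPATH" >&2
        return 1
    }
    echo "start policy: $policy"
    rc=0
    for mod in $(awk '$1 == "@load" { print $2 }' "$policy"); do
        if path=$(find_in_bropath "$mod"); then
            echo "  @load $mod -> $path"
        else
            echo "  @load $mod -> MISSING" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample tree mirroring the thread: mygw.bro holds "@load brolite".
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/site" "$d/policy"
    echo '@load brolite' > "$d/site/mygw.bro"
    : > "$d/policy/brolite.bro"
    BROPATH="$d/site:$d/policy"
    check_start_policy mygw
}
```

To run it against a real install, source bro.cfg first so BROPATH and BRO_START_POLICY are set, then call check_start_policy "$BRO_START_POLICY".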

Thanks Jean

I have done it…