help required in logs with bro

Hi,

I have downloaded bro and built it on a VM, using configure, make and make install.
Then i ran broctl install and deploy.
when i run broctl using “sudo broctl start” and subsequently issue “sudo broctl status”, it shows bro running as standalone on localhost.

my /nsm/bro/etc/nod.cfg file has
type = standalone
host = localhost
interface = eth0

Now when i try to connect to internet using my vm browser
or i curl to localhost (which has apache server running and after making node.cfg file to hear on interface loopback) in either of the cases i cannot see any logs getting generated.

can someone please help me with this issue?
I dont think bro is sniffing on the correct interface , there is something trivial i am guessing which is going wrong. Please provide any pointers if possible.

Thanks,
Yagyesh

Your VM may be using its loopback address for the connection to the local Apache server. If Bro is listening on eth0 (not the loopback interface) it won’t see that traffic.

As for the curl’ing of external sites, have you tried something basic like tcpdump just to make sure packets are moving? I’d also try running the Bro binary, without broctl, on an interface just to make sure Bro is compiled, happy, and seeing packets move.

-AK

By bro binary you mean " bro -i eth0" command?
I can see that when I give this command it’s listening on eth0 interface. It initially gave me a warning saying due to NIC checksum it is receiving bad checksum packets so it will discard it.
So I ran the above command with -C option.
Is this what you were referring to?
Could you please help me understand what’s the difference between this command and broctl?

Thanks and regards

Broctl wraps the Bro binary and adds some niceties like config management, worker management, log rotation, etc. The Bro binary is what processes packets, interprets scripts, and writes logs.

If you run ‘bro -Ci eth0’ and browse a webserver over eth0, bro should spit out logs in your current working directory. If not, Bro is either not seeing packets or something else is wrong.

-AK

I’ve put the list back on CC.

Broctl will write logs wherever it’s configured to. I’m not familiar with the Security Onion distribution enough to troubleshoot it. Bro seems to be working correctly. My guess is you need to fiddle with the broctl configuration security onion is using.

-AK

Sure, I am sorry, I dont quite understand what you mean by raising an event and defining an event.

As i understand the incoming packets are picked by bro and then some sort of stream(Delivered Stream) is formed (not sure here)and then go through the process of anaylzer tree which then figures out based on the signature that a particular packet is HTTP or not(lets say). Then an HTTP event is generated and if the corresponding event handler is defined then the event is put in events queue.
When the event reaches head of line in the queue then it is processed and the event handler feeds corresponding data structures which will be used by scripts as well, and the script is notified by the event handler of the event having occurred.

so with respect to HTTP what function does HTTP.cc perform here, and what does events.bif.cc perform?

It would be great if you can give some idea here.

I am trying to put some debug logs in each of the functions in events.bif.cc and HTTP.cc (the debug logs are just opening a file and printing in that file). But all i can see printed is bro_init. Any idea as to why?

Thanks and regards,