how to run on trace files

Hi,

I am trying to run bro on a trace file, specifically on the tcpdump file provided in the bro workshop.

url

http://www.bro-ids.org/bro-workshop-2007/exercises/exercise1.html

but I was unable to run that; it is giving me command not found.

sample of my output is

In the url

http://www.bro-ids.org/bro-workshop-2007/exercises/exercise1-solution.html

they asked to create local.bro

I created that file

Then they asked to run some analyzer

they asked to use setenv and bro -r

I used them but it is giving me command not found.

loud@1006kro:/usr/local/bro$ sudo vim local.bro
loud@1006kro:/usr/local/bro$ ls
archive etc lib logs policy scripts site var
bin include local.bro perl reports share trace1.tcpdump
loud@1006kro:/usr/local/bro$ cat local.bro
redef local_nets: set[subnet] = {
10.20.1.0/24,
};
loud@1006kro:/usr/local/bro$ sudo setenv BROPATH =
/usr/local/bro/site/:/usr/local/bro/policy/:/usr/local/bro/policy/sigs
sudo: setenv: command not found
loud@1006kro:/usr/local/bro$ setenv BROPATH =
/usr/local/bro/site/:/usr/local/bro/policy/:/usr/local/bro/policy/sigs
bash: setenv: command not found
loud@1006kro:/usr/local/bro$ bro -r trace1.tcpdump local tcp alarm wierd
bash: bro: command not found
loud@1006kro:/usr/local/bro$

Do those commands depend on the directory I am in?

In which directory do I need to run that command?

Thanks,
KM.

Setenv is the TCSH syntax for setting environment variables.

For bash, you do

BROHOME=/usr/local/bro
BROPATH=$BROHOME/site:$BROHOME/policy:$BROHOME/sigs

Also, you need to set your path to include bro

PATH=/usr/local/bro/bin:$PATH

I am sorry, I didn't get it. I am not that familiar with Linux commands.

I tried to do so but am getting the same output

loud@1006kro:/$ BROHOME = /usr/local/bro/
bash: BROHOME: command not found
loud@1006kro :/$ BROPATH = $/usr/local/bro/site
bash: BROPATH: command not found
loud@1006kro:/$ PATH = /usr/local/bro/bin:SPATH
bash: PATH: command not found

Thanks & Regards,
Kanthi Myneni.

On Thu, Dec 20, 2007 at 02:40:06PM -0500, kanthi myneni composed:

I am sorry, I didn't get it. I am not that familiar with Linux commands.

I tried to do so but am getting the same output

loud@1006kro:/$ BROHOME = /usr/local/bro/
bash: BROHOME: command not found
loud@1006kro:/$ BROPATH = $/usr/local/bro/site
bash: BROPATH: command not found
loud@1006kro:/$ PATH = /usr/local/bro/bin:SPATH
bash: PATH: command not found

No spaces, sorry

BROHOME=/usr/local/bro/
BROPATH=$BROHOME/site:$BROHOME/policy:$BROHOME/policy/sigs
PATH=/usr/local/bro/bin:$PATH

Thanks a lot for your reply.

It worked. But I am having a problem running bro. It is giving me the following error:

loud@1006kro:/usr/local/bro/bin$ sudo bro -r trace1.tcpdump local tcp alarm weird
Password:
sudo: bro: command not found
loud@1006kro:/usr/local/bro/bin$ sudo ./bro -r trace1.tcpdump local tcp alarm weird
line 1: error: can’t open bro.init
loud@1006kro:/usr/local/bro/bin$

Giving me the above error.

Thanks & Regards,
Kanthi Myneni.

The can't find "bro.init" error says the bropath is messed up.

type the command: which bro
printenv BROHOME
printenv BROPATH
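
The checks asked for in the reply above, plus a search of each BROPATH directory for bro.init, as an added shell example that is not part of the original thread. The function names are hypothetical; it assumes only that bro looks for bro.init in the BROPATH directories, as the reply says, and that a variable must be exported to reach a child process.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not part of Bro.
# Assumption (from the thread): bro locates bro.init via the directories in BROPATH.

# Print the first directory in the colon-separated list $2 that holds file $1.
# Returns non-zero when no directory contains it.
find_in_path() {
    _file=$1
    _found=
    _old_ifs=$IFS
    IFS=:
    set -f                              # split on ':' only, no globbing
    for _dir in $2; do
        if [ -z "$_found" ] && [ -n "$_dir" ] && [ -f "$_dir/$_file" ]; then
            _found=$_dir
        fi
    done
    set +f
    IFS=$_old_ifs
    [ -n "$_found" ] && printf '%s\n' "$_found"
}

# Succeed only if variable $1 is exported, i.e. a child process can see it.
child_sees() {
    sh -c "[ -n \"\${$1+set}\" ]"
}

# Report each condition that would stop "bro -r <trace>" from starting.
diagnose() {
    command -v bro >/dev/null 2>&1 ||
        echo "bro is not on PATH: $PATH"
    child_sees BROPATH ||
        echo "BROPATH is unset or not exported, so bro cannot see it"
    find_in_path bro.init "${BROPATH:-}" >/dev/null ||
        echo "bro.init is not in any BROPATH directory: ${BROPATH:-<empty>}"
    return 0
}

diagnose
```

A plain `NAME=value` assignment in bash sets a shell variable only; `export BROHOME BROPATH PATH` puts the values in the environment of commands started afterwards. sudo may still drop them, depending on the sudoers configuration.
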

On Thu, Dec 20, 2007 at 04:30:22PM -0500, kanthi myneni composed: