Just getting started

I just installed Bro (on FreeBSD 8.3) and got it up and running. I'm working my way through the docs, and I decided to do the local.bro edit for the Invalid SSL Certs that's described in the docs.

However, when I launched broctl and typed check, I got this: waiting for lock ..................................cannot get lock

I got the same thing when I typed stop as well as diag.

When I started broctl initially, I typed "install" and then "start". Then I closed broctl. Apparently you're supposed to leave broctl running? If so, that seems rather inconvenient.

You must use sudo: "sudo broctl check". Followed by rinse, spin (install, restart). :wink:

Unless you're already root.

That message is the result I always get when I forget sudo.

No, it's not supposed to be running, however it sounds like a previous
run didn't terminate. Did you do the crontab entry as described in the
docs? If so, it could be that the cron job was just running as you
tried to check the config; there can only be one broctl at a time. But
if the problem persists, an earlier broctl process probably hangs;
check with ps and just kill it.

Robin

You must use sudo: "sudo broctl check". Followed by rinse, spin (install,
restart). :wink:

Unless you're already root.

I am.

That message is the result I always get when I forget sudo.

Good to know. In my case it was caused by exiting out of broctl by using Control-C instead of typing exit. Once I figured that out, all was well.

Now if I can just figure out what to do with bro..... :slight_smile:

You must use sudo: "sudo broctl check". Followed by rinse, spin (install,
restart). :wink:

Unless you're already root.

I am.

I actually avoid running bro as root. I create a bro user, and have it run as that instead. Apart from making sure that <PREFIX> has the right permissions, I just need to set the privileges as mentioned in the documentation[1]:

sudo setcap cap_net_raw,cap_net_admin=eip <PREFIX>/bin/bro

If anyone's interested, I have a very much work-in-progress Puppet module for setting up the Bro directories with the proper permissions.

  --Vlad

1 - <http://www.bro-ids.org/bro-workshop-2011/exercises/getting-started/index.html>

A Puppet module would be really good. I too run as “bro” and it’s obnoxious because after the beautiful simplicity of “broctl install” to update code for each node, I then have to do a bash loop to SSH in to each node and manually setcap, and only then can I perform the “start.”