I’m trying to become familiar with Bro and have installed the stable release 1.2.1 on an Ubuntu VMware image running a 2.6 kernel.
I have been following the documentation and wanted to see if I have everything installed properly by first reading a pcap to generate an alarm. I was looking at the reference manual, specifically Chapter 2: Getting Started 18.104.22.168 Traffic traces. I wanted to emulate the:
bro -r example.ftp-attack.trace brolite
where I was supposed to see a connection summary in stdout and some kind of alarm. I didn’t find that particular pcap with the installation as the documentation says, but used a pcap from an earlier bro package - ftp-site-exec.trace. I ran the above bro command using this pcap, but I don’t see any output at all. I’m familiar with Snort, so I’ve used an IDS before. I just can’t figure out what I might be doing wrong. Can someone please help?
Thanks a lot - Jesse