No Subject

Hi,

Hello,

Thank you so much for your reply. You were correct. I did not need the
--with-package= part (I had thought maybe it was required for it to
compile with the linux include directory...that is not true). I do
still have some questions and some clarifications to my earlier post:
when installing I've typed the following:
./configure
make
make install

the response I get from make install is as follows:
>bro /usr/local/sbin
> make: bro : Command not found
> make: *** [install] Error 127

Oops, you're right, sorry. It appears make install is broken at this
point. We're not typically running make install here because Bro can run
just fine from its build tree, but this will certainly need to be fixed.

Also another question. In the logs I am seeing "dropped 500 packets out
of 504" or similar...my guess is that my machine is not fast enough for
the event engine to process everything as it is being seen on the wire,
so some packets are being dropped without analysis? I am using a nessus
scanning script against the network to see the response from bro....and
it tends to send out the packets very fast...this may be an unrealistic
attack since most attacks would not be as "noisy"...but it is a good way
of testing the system to see if it is "reading" packets and alerting. I
also have the capacity to double the system memory and will be
doing that soon.

Well even if Nessus sends quickly, Bro shouldn't miss 99% of the packets
:-) If the counters you're referring to are the ones pcap reports, then
the reason may be that packet counters are handled differently on Linux
and BSD. Do not trust these counters on Linux.

Good luck,
Christian.