Nodes still crashing/Site specific files

I am back onto bro, and still addressing some issues.

When performing a new installation, I would like to copy back my site-specific files with modifications, and it appears that some files live outside of the /usr/local/bro directory.

Does anyone know offhand where I should look for these files.

I have performed a new install, then copied the files from a previous working version of bro from the /usr/local/previous-bro/share/bro/site and /usr/local/previous-bro/spool/ directories to the current bro install… but all of my nodes crash upon issuing the START command from broctl.

I also repointed bro using ln -s PREVIOUS-WORKING-BRO bro, but the same behavior persists.

Anyone run into this?

James Richards
Office of Security
Wisconsin Department of Administration
608.224.3880

When performing a new installation, I would like to copy back my site-specific files with modifications, and it appears that some files live outside of the /usr/local/bro directory.

It can depend on how you configured/installed and on what OS, but if you're just doing a default build from source, then nothing should get installed outside /usr/local/bro. What files did you find outside that dir?

  Does anyone know offhand where I should look for these files.

This should be all of them:

/usr/local/bro/share/bro/site/local.bro
/usr/local/bro/share/bro/site/local-manager.bro
/usr/local/bro/share/bro/site/local-proxy.bro
/usr/local/bro/share/bro/site/local-worker.bro
/usr/local/bro/etc/broctl.cfg
/usr/local/bro/etc/networks.cfg
/usr/local/bro/etc/node.cfg
/usr/local/bro/etc/broccoli.conf

I have performed a new install, then copied the files from a previous working version of bro from the /usr/local/previous-bro/share/bro/site and /usr/local/previous-bro/spool/ directories to the current bro install… but all of my nodes crash upon issuing the START command from broctl.

Copying the spool dir between installs isn't typical. But you could use `broctl diag` to get more info about why the nodes don't start.

- Jon

When I do a broctl check, all nodes come back as OK.

When I do a broctl diag I get:

[worker-3-8]
No gdb installed.

==== No reporter.log

==== stderr.log
/usr/local/bro/bin/bro: error while loading shared libraries: libpcap.so.0.8: cannot open shared object file: No such file or directory

==== stdout.log
unlimited
unlimited
unlimited

==== .cmdline
-i eth4 -U .status -p broctl -p broctl-live -p local -p worker-3-8 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto

==== .env_vars
PATH=/usr/local/bro/bin:/usr/local/bro/share/broctl/scripts:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
BROPATH=/usr/local/bro-20121002/spool/installed-scripts-do-not-touch/site::/usr/local/bro-20121002/spool/installed-scripts-do-not-touch/auto:/usr/local/bro/share/bro:/usr/local/bro/share/bro/policy:/usr/local/bro/share/bro/site
CLUSTER_NODE=worker-3-8

==== No .status

==== No prof.log

==== No packet_filter.log

==== No loaded_scripts.log

James Richards
Office of Security
Wisconsin Department of Administration
608.224.3880

In looking at the below diag... I am seeing an odd directory showing up in the BROPATH, it looks like there are some artifacts of previous installations...

Where is the BROPATH set?

James Richards
Office of Security
Wisconsin Department of Administration
608.224.3880

There also seems to be an issue with your libpcap install. Whether it's not installed or bro is not looking in the right directory, if bro can't find libpcap, you won't get anywhere.

-Sam

Could this be due to the use of PFRING?

James Richards
Office of Security
Wisconsin Department of Administration
608.224.3880

/usr/local/bro/bin/bro: error while loading shared libraries: libpcap.so.0.8: cannot open shared object file: No such file or directory

That usually means the linker can't resolve a path to that library. Did you link against a libpcap that's installed in a non-standard path? If `ldd /usr/local/bro/bin/bro` tells you it can't find libpcap, it's either really missing from your system or you need to teach the linker how to find it in a non-standard path.

In looking at the below diag... I am seeing an odd directory showing up in the BROPATH, it looks like there are some artifacts of previous installations...

Where is the BROPATH set?

Check your etc/broctl.cfg to see if the paths are as you expect. I think at least SpoolDir goes in to BROPATH and if you just copied the file from a previous install, then it's going to be wrong.

- Jon

Ahhh,

We are running pfring, which is located in /usr/local/pfring/lib, which shows up when doing an ldconfig -v:

/usr/local/pfring/lib:
        libpfring.so -> libpfring.so
        libpcap.so.1 -> libpcap.so.1.1.1

But I am seeing that libpcap.so.0.8 is being referenced in the error, is this the issue which has been plaguing me?

James Richards
Office of Security
Wisconsin Department of Administration
608.224.3880

OK, now I think I have that figured out.

I ran ./configure --prefix=/usr/local/bro --with-pcap=/usr/local/pfring
Then make, make install, chown -R etc.

It is no longer giving me the libpcap in diag, but I am now getting:

fatal error: /usr/local/bro/bin/bro: problem with interface eth4 - pcap_open_live: eth4: You don't have permission to capture on that device (socket: Operation not permitted)

Am I getting closer, or am I further ruining this...

James Richards
Office of Security
Wisconsin Department of Administration
608.224.3880

What user were you `chown`ing things to? You'll have to do something extra for non-root users to be able to capture packets, see [1].

- Jon

[1] http://www.bro.org/documentation/faq.html#how-can-i-capture-packets-as-an-unprivileged-user

That is just what I was looking at... everything is running as user bro...

Thanks much...

James Richards
Office of Security
Wisconsin Department of Administration
608.224.3880

You need to use the setcap utility to allow the Bro user the ability to open an interface promiscuously.
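The two checks raised in this thread, Jon's `ldd` test for an unresolvable libpcap and the setcap step for capturing as the unprivileged bro user, can be scripted into one diagnostic. This is an added example, not code from the thread or from the Bro project; it assumes `ldd` and `getcap` are on PATH and that `cap_net_raw,cap_net_admin=eip` is the capability set the linked FAQ recommends.

```shell
#!/bin/sh
# Added diagnostic helpers (not part of the thread or of Bro) for the two
# failures seen above: shared libraries ldd cannot resolve, and a capture
# binary lacking the capabilities an unprivileged user needs. The parsers
# read tool output from stdin, so they run on constructed samples too.

# Print each library that ldd reports as "<lib> => not found", one per line.
missing_libs() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# Return 0 if getcap output grants cap_net_raw AND cap_net_admin with both the
# effective (e) and permitted (p) flags, else 1. Handles the older
# "/path = caps+eip" and the newer "/path caps=eip" getcap output formats.
has_capture_caps() {
    IFS= read -r line || return 1          # no output: no file capabilities
    have_raw=0; have_admin=0
    set -- $line                           # split into: path [=] clause...
    [ $# -gt 0 ] || return 1; shift        # drop the path
    for clause in "$@"; do
        [ "$clause" = "=" ] && continue
        flags=${clause##*[+=]}             # text after the last '+' or '='
        caplist=${clause%[+=]*}            # comma-separated capability names
        case "$flags" in *e*p*|*p*e*) ;; *) continue ;; esac
        case ",$caplist," in *,cap_net_raw,*) have_raw=1 ;; esac
        case ",$caplist," in *,cap_net_admin,*) have_admin=1 ;; esac
    done
    [ "$have_raw" = 1 ] && [ "$have_admin" = 1 ]
}

# Run both checks on a real binary (needs ldd and getcap on PATH).
# Exit 1 for unresolved libraries, 2 for missing capabilities, 0 when fine.
check_capture_binary() {
    bin=$1
    missing=$(ldd "$bin" | missing_libs)
    if [ -n "$missing" ]; then
        echo "unresolved libraries for $bin:"; echo "$missing"
        echo "hint: rebuild with --with-pcap pointing at the intended libpcap,"
        echo "      or make that directory known to the linker (ldconfig)"
        return 1
    fi
    if ! getcap "$bin" | has_capture_caps; then
        echo "$bin cannot capture as a non-root user; as root run:"
        echo "  setcap cap_net_raw,cap_net_admin=eip $bin"
        return 2
    fi
    echo "$bin: libraries resolve and capture capabilities are set"
}
```

Source the file and call `check_capture_binary /usr/local/bro/bin/bro`; the exit code distinguishes the linker problem from the permission problem.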