Problems Building Bro

DNS_Mgr.o(.text+0x2e61): In function `DNS_Mgr::GetFds(int*, int*, int*)':
/home/dom/Desktop/bro-1.1/src/DNS_Mgr.cc:933: undefined reference to
`nb_dns_fd'

Try the appended.

    Vern

Index: DNS_Mgr.cc

Vern Paxson wrote:

DNS_Mgr.o(.text+0x2e61): In function `DNS_Mgr::GetFds(int*, int*, int*)':
/home/dom/Desktop/bro-1.1/src/DNS_Mgr.cc:933: undefined reference to `nb_dns_fd'

Try the appended.

    Vern

Index: DNS_Mgr.cc

--- DNS_Mgr.cc (revision 3286)
+++ DNS_Mgr.cc (working copy)
@@ -930,7 +930,9 @@
  void DNS_Mgr::GetFds(int* read, int* write, int* except)
   {
+#ifdef HAVE_NB_DNS
   *read = nb_dns_fd(nb_dns);
+#endif
   }
  double DNS_Mgr::NextTimestamp()
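Review bot: With HAVE_NB_DNS undefined, the body of GetFds() is empty, so *read is never written and the caller keeps whatever value its variable already held. Add an #else branch that stores an explicit "no descriptor" value in *read (for example -1, if that is what callers of GetFds expect), or document that callers must initialise the outputs before the call. The write and except outputs are not assigned in either configuration; a one-line comment saying that is intentional would help.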

Vern,

1. That's done it so thanks very much.

2. "make install" installed everything as root so I'm having to run bro as root.

3. bro_config couldn't create a "bro" user. The command /usr/sbin/pw doesn't exist on my linux system.

        # add user to group wheel at the same time
         /usr/sbin/pw useradd $BRO_USER_ID -d $BROHOME -q -n $BRO_USER_ID

4. Something not quite right with either the install or the documentation:

4.1 Starting Bro

Bro is automatically started at boot time via the bro.rc script (located in /usr/local/bro/etc and /usr/local/etc/rc.d on FreeBSD or /usr/init.d on Linux). To run this script by hand, type:

I'm running linux but the start script is located here:

[root@tility bro]# ls /usr/local/etc/rc.d/
bro.sh*

Dominic.

Vern,

1. That's done it so thanks very much.

Cool.

2. "make install" installed everything as root so I'm having to run bro
as root.

I don't understand -- who owns the installed files is determined by who
runs make install. I'd normally hope that everything is installed as
root. How does that prevent you from running bro non-root?

If you want to do packet capture you'll likely be running it as root
anyway, if you want to process traces you don't need root, and if you
want to run a Bro-Bro communications node you can use high ports to
avoid root.

I can't comment on your point 3.

4. Something not quite right with either the install or the documentation:

Many things aren't quite right with the documentation. :-)

Cheers,
Christian.

Christian Kreibich wrote:

Vern,

1. That's done it so thanks very much.

Cool.

2. "make install" installed everything as root so I'm having to run bro as root.

I don't understand -- who owns the installed files is determined by who
runs make install. I'd normally hope that everything is installed as
root. How does that prevent you from running bro non-root?

I quote from the Bro Quick Start Guide:

"The Bro-Lite configuration script can be used to automatically configure Bro for you. It checks your system's BPF settings, creates a 'bro' user account, installs a script to start bro at boot time, and installs a number of cron jobs to checkpoint bro every night, run periodic reports, and manage log files."

and

" User id to install and run Bro under [bro]

         bro_config will create a new user account with this username if the user does not exist."

I did make install as root and then make install-brolite. Should I not have done make install but make install-brolite only?

If you want to do packet capture you'll likely be running it as root
anyway, if you want to process traces you don't need root, and if you
want to run a Bro-Bro communications node you can use high ports to
avoid root.

Ok but I'm confused in that case. What is the point of creating the user bro?

I can't comment on your point 3.

Should bro_config be amended to use useradd for linux systems rather than pw which presumably is a freebsd command? But see my comment above about the need for a user called bro in the first place.

4. Something not quite right with either the install or the documentation:

Many things aren't quite right with the documentation. :-)

Ok I could send a patch for the documentation but I wonder if this is an isolated case or whether this happens for all linux installs?

>> 2. "make install" installed everything as root so I'm having to run bro
>> as root.
>
> I don't understand -- who owns the installed files is determined by who
> runs make install. I'd normally hope that everything is installed as
> root. How does that prevent you from running bro non-root?

I quote from the Bro Quick Start Guide:

"The Bro-Lite configuration script can be used to automatically
configure Bro for you. It checks your system's BPF settings, creates a
'bro' user account, installs a script to start bro at boot time, and
installs a number of cron jobs to checkpoint bro every night, run
periodic reports, and manage log files."

and

" User id to install and run Bro under [bro]

         bro_config will create a new user account with this username if
the user does not exist."

Sorry but I don't see what this has to do with your earlier claim of
having to run Bro as root. You only have to run Bro as root if your
kernel requires it for the tasks you're putting Bro to, packet capture
being the most likely candidate.

Maybe you could tell us what kind of setup you're aiming at. What user
*do* you want to run Bro under? If you want to run Bro to get a feel for
policy configuration, you don't even need to make install, not to
mention touch the Bro-Lite configuration stuff.

I did make install as root and then make install-brolite. Should I not
have done make install but make install-brolite only?

No, it's okay to run both -- 'make install' installs the Bro executable,
Broccoli, policy files, etc, while 'make install-brolite' is responsible
for setting up an install script, configure report styles, etc.

> If you want to do packet capture you'll likely be running it as root
> anyway, if you want to process traces you don't need root, and if you
> want to run a Bro-Bro communications node you can use high ports to
> avoid root.

Ok but I'm confused in that case. What is the point of creating the user
bro?

I believe on Linux you're not actually supposed to be presented with
"bro" as user account but "root" instead since it's more likely to work,
though I might be wrong. Try setting the suggested user to root unless
you know that your Linux kernel provides non-root capability to do
packet capture.

The point of a different user is simply one of least privilege -- if
your OS allows you to select capabilities selectively, then you might
not need root even if you do packet capture. Also there are the issues
of log maintenance & archival, and you might prefer a user different
from root for access to those.

Getting all of this set up smoothly has seen more exposure on the BSDs
than Linux, so sorry for the bumpy ride. Others can comment better than
I on the state of Bro-Lite and Linux.

Cheers,
Christian.

^^^^^^^
Meant to say boot-time startup script...

Cheers,
Christian.
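
The least-privilege point made in the message above, as an added example that is not part of the original thread: on Linux, opening a packet-capture socket needs CAP_NET_RAW rather than uid 0 as such, and this script reads a process's effective capability mask from a /proc status file to report which of the two it is relying on. The function names are chosen here for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or the Bro distribution.
# Capability numbers come from <linux/capability.h>: CAP_NET_RAW is bit 13.
CAP_NET_RAW=13

# Succeed if capability bit $2 is set in the CapEff mask of status file $1.
# Returns 2 when the file has no CapEff line.
has_effective_cap() {
    mask=$(sed -n 's/^CapEff:[[:space:]]*//p' "$1")
    [ -n "$mask" ] || return 2
    [ $(( (0x$mask >> $2) & 1 )) -eq 1 ]
}

# Print how the process described by a /proc/<pid>/status file stands with
# respect to opening a packet-capture socket.
capture_privilege() {
    status=$1
    # The Uid: line holds real, effective, saved and filesystem uid; take the
    # effective one (second field).
    euid=$(sed -n 's/^Uid:[[:space:]]*[0-9]*[[:space:]]*\([0-9]*\).*/\1/p' "$status")
    if has_effective_cap "$status" "$CAP_NET_RAW"; then
        if [ "$euid" = 0 ]; then
            echo "capture possible: running as root"
        else
            echo "capture possible: uid $euid holding CAP_NET_RAW"
        fi
    else
        echo "capture not possible: CAP_NET_RAW not in effective set"
    fi
}

# Usage (pid is whatever process you want to inspect):
#   capture_privilege "/proc/$pid/status"
```
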

Christian Kreibich wrote:

2. "make install" installed everything as root so I'm having to run bro as root.

I don't understand -- who owns the installed files is determined by who
runs make install. I'd normally hope that everything is installed as
root. How does that prevent you from running bro non-root?

I quote from the Bro Quick Start Guide:

"The Bro-Lite configuration script can be used to automatically configure Bro for you. It checks your system's BPF settings, creates a 'bro' user account, installs a script to start bro at boot time, and installs a number of cron jobs to checkpoint bro every night, run periodic reports, and manage log files."

and

" User id to install and run Bro under [bro]

         bro_config will create a new user account with this username if the user does not exist."

Sorry but I don't see what this has to do with your earlier claim of
having to run Bro as root. You only have to run Bro as root if your
kernel requires it for the tasks you're putting Bro to, packet capture
being the most likely candidate.

Ok I'm capturing packets and so running Bro as root. I misunderstood the documentation (and / or the question in the brolite script) which seemed to imply that files would be installed as bro / wheel and Bro would run as bro.

Maybe you could tell us what kind of setup you're aiming at. What user
*do* you want to run Bro under? If you want to run Bro to get a feel for
policy configuration, you don't even need to make install, not to
mention touch the Bro-Lite configuration stuff.

See above.

I did make install as root and then make install-brolite. Should I not have done make install but make install-brolite only?

No, it's okay to run both -- 'make install' installs the Bro executable,
Broccoli, policy files, etc, while 'make install-brolite' is responsible
for setting up an install script, configure report styles, etc.

If you want to do packet capture you'll likely be running it as root
anyway, if you want to process traces you don't need root, and if you
want to run a Bro-Bro communications node you can use high ports to
avoid root.

Ok but I'm confused in that case. What is the point of creating the user bro?

I believe on Linux you're not actually supposed to be presented with
"bro" as user account but "root" instead since it's more likely to work,

You are right. I was presented with root but I must have misunderstood the documentation.

though I might be wrong. Try setting the suggested user to root unless
you know that your Linux kernel provides non-root capability to do
packet capture.

Done. I've used pcap directly and know I have to be root to run the executable.

The point of a different user is simply one of least privilege -- if
your OS allows you to select capabilities selectively, then you might
not need root even if you do packet capture. Also there are the issues
of log maintenance & archival, and you might prefer a user different
from root for access to those.

This was why I was worrying. But let's finish off this thread. I'll post my remaining questions under a different title.

Getting all of this set up smoothly has seen more exposure on the BSDs
than Linux, so sorry for the bumpy ride. Others can comment better than
I on the state of Bro-Lite and Linux.

Cheers,
Christian.

Christian,

I'd like to say a big thank you to you in particular and Vern and everyone else that responded.

Dominic.