remote.bro

Hi everybody!

Where can I find documentation about inter-Bro communication? I can't find anything in the archive or the manuals.
I'm using bro 0.9a9, because there is a wireless edition developed at
Dresden University of Technology in Germany. I need the inter-bro communication to develop distributed policies.

Thanks for all hints!

Sandro

Thanks for the hints, inter-Bro (1.1) communication works :)

But - it only works with traffic on the listening interface - is that right? I don't have a network tap or something like this; my configuration for testing is:
2 PCs with 1 eth interface connected to a switch.
When I start both Bros, there is nothing written into the remote logs until I start a port scan to generate traffic. What would be the best way to generate dummy traffic?

Thanks, Sandro

Hi Sandro,

> Thanks for the hints, inter-Bro (1.1) communication works :)

Great! :)

> But - it only works with traffic on the listening interface - is that
> right? I don't have a network tap or something like this; my
> configuration for testing is:
> 2 PCs with 1 eth interface connected to a switch.
> When I start both Bros, there is nothing written into the remote logs
> until I start a port scan to generate traffic. What would be the best
> way to generate dummy traffic?

Mhmmm this is not supposed to happen any more -- older versions did
indeed have the problem that communication was "driven" by observing
live traffic, but as of 1.1 this should be fixed. Things depend on
whether your OS supports selectable file descriptors or not. Could you
please tell us what OS you are on, and post (or send me) the config.h
file you obtain after running configure? Thanks.

Cheers,
Christian.

Hi Christian,

>> But - it only works with traffic on the listening interface - is that
>> right? I don't have a network tap or something like this; my
>> configuration for testing is:
>> 2 PCs with 1 eth interface connected to a switch.
>> When I start both Bros, there is nothing written into the remote logs
>> until I start a port scan to generate traffic. What would be the best
>> way to generate dummy traffic?
>
> Mhmmm this is not supposed to happen any more -- older versions did
> indeed have the problem that communication was "driven" by observing
> live traffic, but as of 1.1 this should be fixed. Things depend on
> whether your OS supports selectable file descriptors or not. Could you
> please tell us what OS you are on, and post (or send me) the config.h
> file you obtain after running configure? Thanks.

I'm using Suse 10.0 on both machines. One Bro 1.1 runs on PC 'A', the other on PC 'B' runs on VMware Server, because I started testing with our wireless 0.9a9 edition and we haven't finished the wireless patch for 1.1 yet. It should be done within the next days.

A: Suse 10.0 & Bro 1.1
B: Suse 10.0 & "Bro-wireless" 0.9a9
    VMware: Suse 10.0 Bro 1.1

The config.h files are equal on both machines.

bye, Sandro


Hi Sandro,

> Hi Christian,
>
> I'm using Suse 10.0 on both machines. One Bro 1.1 runs on PC 'A', the
> other on PC 'B' runs on VMware Server, because I started testing with
> our wireless 0.9a9 edition and we haven't finished the wireless patch
> for 1.1 yet. It should be done within the next days.
>
> A: Suse 10.0 & Bro 1.1
> B: Suse 10.0 & "Bro-wireless" 0.9a9
>     VMware: Suse 10.0 Bro 1.1

so you have three Bro nodes? My guess is that the 0.9 one is causing the
problem you're seeing.

> The config.h files are equal on both machines.

Mhmmm are you sure about this? My guess is that on the 0.9 setup you
need to add --enable-selectloop to the configure invocation. This
ensures that events arriving from a remote Bro are treated with the same
priority as observed packets. You can check whether that is the case by
verifying that USE_SELECT_LOOP is defined in config.h after running
configure.

If the two config.h files really are identical, I don't know what the
problem might be...

Let us know how it goes.

Cheers,
Christian.
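As an added example (not code from this thread or from the Bro project), a small POSIX shell check for the USE_SELECT_LOOP define that Christian suggests verifying. The two config.h files it inspects are constructed samples; the check deliberately guards against the autoconf convention of leaving a commented "/* #undef USE_SELECT_LOOP */" line when the option is off, which a plain grep for the symbol name would still match.

```shell
#!/bin/sh
# Added example: verify that an autoconf-generated config.h really enables
# the select loop. A naive "grep USE_SELECT_LOOP config.h" is misleading
# because a disabled option is written as "/* #undef USE_SELECT_LOOP */".

# Returns 0 if an active "#define MACRO" line exists, 1 otherwise.
# $1 = path to config.h, $2 = macro name (defaults to USE_SELECT_LOOP).
select_loop_enabled() {
    _file="$1"
    _macro="${2:-USE_SELECT_LOOP}"
    # Only a real "#define MACRO" at line start counts; a value such as
    # "1" may follow, and a commented #undef line is ignored.
    grep -Eq "^[[:space:]]*#[[:space:]]*define[[:space:]]+${_macro}([[:space:]]|\$)" "$_file"
}

# Human-readable report; prints the reconfigure hint when the macro is absent.
report_select_loop() {
    if select_loop_enabled "$1"; then
        echo "$1: USE_SELECT_LOOP is defined (select loop enabled)"
        return 0
    else
        echo "$1: USE_SELECT_LOOP not defined; re-run ./configure --enable-selectloop"
        return 1
    fi
}

# Constructed sample files (not a real config.h from the thread) covering
# both the enabled and the disabled case.
_tmp="${TMPDIR:-/tmp}/selectloop-demo.$$"
mkdir -p "$_tmp"
printf '/* config.h. Generated by configure. */\n#define USE_SELECT_LOOP 1\n' > "$_tmp/enabled.h"
printf '/* config.h. Generated by configure. */\n/* #undef USE_SELECT_LOOP */\n' > "$_tmp/disabled.h"

report_select_loop "$_tmp/enabled.h"
report_select_loop "$_tmp/disabled.h" || true
```

Run it against the real config.h from each build directory to see which node lacks the define.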