Several questions

I'm working on an upgrade to the bro port in FreeBSD (from 0.9a4a to 1.1d-stable). I've never used bro, but I maintain a number of ports. I've found that bro is quite a complex port. I've had to address a number of issues where bro does things in a "non-standard" (for FreeBSD) way, but I've finally got the port installing correctly and in the "right" (for FreeBSD) locations.

Now I'm testing running bro, and I've run into some problems that I don't know the answer to.

1) When I try to run bro.rc start, I get a permission denied error.

bro.rc: Starting ..........bro.rc: Failed to start Bro
/var/tmp/bro/bin/bro.rc: /var/tmp/bro/bin: Permission denied
... FAILED

I tried changing the user from bro to root, but I still get the error. All the directories and files have the "standard" permissions (rwxr-xr-x for dirs and executables, -rw-r--r-- for other files such as policy files and scripts). The messages file doesn't include any additional information.

If I set DEBUG=1 in bro.rc, I get this:

root@utd59514# /var/tmp/bro/bin/bro.rc start
bro.rc: Starting /var/tmp/bro/bin/bro.rc: /var/tmp/bro/bin: Permission denied

Huh?

root@utd59514# ls -lsa /var/tmp/bro/bin/bro
1760 -r-xr-xr-x 1 root wheel 1784264 Jul 12 09:27 /var/tmp/bro/bin/bro

And I can run bro from the command line (although that brings up another issue)

root@utd59514# /var/tmp/bro/bin/bro -i bge0
^C

Any suggestions as to where to look for this problem would be appreciated.

2) I can't seem to figure out the correct format for the local.site.bro file

root@utd59514# /var/tmp/bro/bin/bro -i bge0 utd59514.utdallas.edu.bro
/var/tmp/bro/bro/site/utd59514.utdallas.edu.bro, line 1: error: syntax error, at or near ","

Here's the file:

root@utd59514# less /var/tmp/bro/bro/site/utd59514.utdallas.edu.bro
129.110.0.0/16, 10.0.0.0/8

I have tried enclosing this in brackets [129.110.0.0/16, 10.0.0.0/8]. I have tried replacing the comma with a space. I have tried 129.110.0.0/16 with and without the brackets. No matter what format I use, I get the syntax error.

Is this a bug? Or have I missed something doh simple?
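The "/var/tmp/bro/bin: Permission denied" message in question 1 is the text /bin/sh prints when it is asked to execute a directory rather than a file, so the start script is most likely composing the daemon's path from a variable that came back empty. The following sh snippet is an added diagnostic, not code from the thread, from Bro, or from the FreeBSD port; it assumes (an assumption, not something the thread confirms) that bro.rc builds the path roughly as "$BROHOME/bin/$BRO" from values read out of etc/bro.cfg, and it shows how such a path can be validated before anything is executed.

```shell
#!/bin/sh
# Added diagnostic, not part of Bro, bro.rc, or the FreeBSD port. It assumes
# (an assumption, not something the thread confirms) that bro.rc runs the
# daemon through a path built from variables read out of etc/bro.cfg, along
# the lines of "$BROHOME/bin/$BRO". When such a variable is empty, the path
# collapses to the bin directory, and trying to execute a directory is what
# makes /bin/sh report "Permission denied" with exit status 126.

# resolve_bro_path BROHOME BRO
#   Prints the path a start script of that shape would try to execute.
resolve_bro_path() {
    printf '%s/bin/%s\n' "$1" "$2"
}

# check_bro_binary PATH
#   Returns 0 when PATH is a regular, executable file. Otherwise reports the
#   most likely configuration cause on stderr and returns 1.
check_bro_binary() {
    _p=$1
    if [ -d "$_p" ]; then
        echo "check: '$_p' is a directory; the variable naming the binary is empty" >&2
        return 1
    elif [ ! -e "$_p" ]; then
        echo "check: '$_p' does not exist; check BROHOME in bro.cfg" >&2
        return 1
    elif [ ! -f "$_p" ]; then
        echo "check: '$_p' is not a regular file" >&2
        return 1
    elif [ ! -x "$_p" ]; then
        echo "check: '$_p' is not executable: $(ls -l "$_p")" >&2
        return 1
    fi
    return 0
}

# exec_status PATH
#   Prints the exit status the shell reports when it tries to run PATH,
#   mirroring what bro.rc sees (126 = found but cannot be executed).
exec_status() {
    ( "$1" ) >/dev/null 2>&1
    echo $?
}

# Demonstration on a constructed tree under mktemp; nothing here touches
# /var/tmp/bro. The two variables stand in for values from bro.cfg.
demo() {
    home=$(mktemp -d) || return 1
    mkdir -p "$home/bin"
    printf '#!/bin/sh\nexit 0\n' > "$home/bin/bro"
    chmod 555 "$home/bin/bro"

    # 1. BRO left empty, as when bro.cfg was never written or is incomplete:
    #    the path is the bin directory itself, exactly the symptom above.
    p=$(resolve_bro_path "$home" "")
    echo "trying '$p' (exec status $(exec_status "$p"))"
    check_bro_binary "$p" || echo "-> would fail the way bro.rc did"

    # 2. Both variables set: the check passes and the binary runs.
    p=$(resolve_bro_path "$home" "bro")
    check_bro_binary "$p" && echo "'$p' ok (exec status $(exec_status "$p"))"

    rm -rf "$home"
}

demo
```

Running the script prints the failing case first (exit status 126 from the directory) and then the passing case; the same checks can be dropped into a start script just before the exec line so that a missing bro.cfg value is reported by name instead of as a bare "Permission denied".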

The bro.rc does not work unless you run 'make install-brolite'
Did you do that?

No idea how this all maps to a 'FreeBSD port'.

Paul Schmehl wrote:

No, I did not. However, the documentation says you can run bro_config instead. I *did* do that.

<http://www.bro-ids.org/wiki/index.php/User_Manual:_Installation_and_Configuration>

"The Bro-Lite configuration script can be used to automatically configure (or reconfigure) Bro for you. It checks your system's BPF settings, creates a "bro" user account, installs a script to start Bro at boot time, installs the report generation package, and installs a number of cron jobs to checkpoint Bro every night, run periodic reports, and manage log files.

To run this configuration script type:

bro_config

This script creates the file @file{$BROHOME/etc/bro.cfg}. bro_config will ask a number of simple questions. Note that the full functionality of this script is only supported under FreeBSD. Some additional configuration may need to be done by hand under Linux."

Paul Schmehl (pauls@utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/