SMTP entities log doesn't appear

Hi all,

What can be the reason that the smtp entities log file doesn't appear?
All works pretty well in my Bro cluster with this exception (all my
nodes are FreeBSD 10).

Inside worker.bro policy I have:

@load protocols/smtp/software
@load protocols/smtp/detect-suspicious-orig
@load protocols/smtp/entities-excerpt

entities-excerpt calls base/protocols/smtp/entities, correct??

Any idea??

Check your checksums...add:

broargs = --no-checksums

to your broctl.conf or if you're starting bro manually add:

--no-checksums

to your command line.

James

Uhmm .. Under worker.bro I have:

# Process packets despite bad checksums.
redef ignore_checksums = T;

Is this the same as to put "broargs = --no-checksums"??

Ah...it appears you have this covered then.

James

Any more ideas please??

What version of Bro are you running? (2.1 I suppose?)

Also, are you positive that your script is being loaded by workers?
  
  .Seth

I can confirm this.

[17:26:20 @gateway:~/current$] bro --version
bro version 2.2

[17:26:47 @gateway:~/current$] ls -l
total 27420
-rw-r--r-- 1 root root 6322917 Apr 1 17:26 conn.log
-rw-r--r-- 1 root root 5882 Apr 1 17:06 dhcp.log
-rw-r--r-- 1 root root 6468780 Apr 1 17:27 dns.log
-rw-r--r-- 1 root root 451 Apr 1 12:48 dpd.log
-rw-r--r-- 1 root root 3269780 Apr 1 17:26 files.log
-rw-r--r-- 1 root root 11706144 Apr 1 17:26 http.log
-rw-r--r-- 1 root root 678 Apr 1 12:55 known_hosts.log
-rw-r--r-- 1 root root 419 Apr 1 03:00 known_services.log
-rw-r--r-- 1 root root 14606 Mar 31 23:58 loaded_scripts.log
-rw-r--r-- 1 root root 568 Mar 31 23:58 packet_filter.log
-rw-r--r-- 1 root root 494 Mar 31 23:58 reporter.log
-rw-r--r-- 1 root root 110446 Apr 1 17:15 smtp.log
-rw-r--r-- 1 root root 27098 Apr 1 17:24 software.log
-rw-r--r-- 1 root root 1956 Apr 1 16:36 ssh.log
-rw-r--r-- 1 root root 991 Apr 1 16:16 tunnel.log
-rw-r--r-- 1 root root 56270 Apr 1 17:24 weird.log

[17:27:05 @gateway:~/current$] cat loaded_scripts.log | grep smtp
/usr/local/bro/share/bro/base/protocols/smtp/load.bro
/usr/local/bro/share/bro/base/protocols/smtp/main.bro
/usr/local/bro/share/bro/base/protocols/smtp/entities.bro
/usr/local/bro/share/bro/base/protocols/smtp/files.bro
/usr/local/bro/share/bro/policy/protocols/smtp/software.bro

James

files.log should have all your file (http, email, etc) information in it, since you’re running bro 2.2

Ah, yep, files.log became a larger abstraction which was informed by the smtp_entities.log. :) So with 2.2+, look to files.log when you formerly would have looked to smtp_entities.

  .Seth
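To make Seth's point concrete: in Bro 2.2 the per-attachment records that used to go to smtp_entities.log are the rows of files.log whose `source` field is `SMTP`. The script below is an added example written for this thread, not code from the thread or from the Bro project. It parses Bro's ASCII log format by honoring the `#separator`, `#set_separator`, `#empty_field`, `#unset_field`, `#fields` and `#types` header lines (so it works on any Bro log, not just files.log) and then filters out the SMTP-sourced rows. The embedded files.log sample is constructed for the example; its field list follows the default Bro 2.2 files.log, and every value in it (hosts, uids, hashes, timestamps) is made up.

```python
"""Recover the old smtp_entities view from a Bro 2.2 files.log.

Added example for the thread above (not Bro project code). Bro 2.2
folded smtp_entities.log into the protocol-agnostic files.log; the
SMTP attachments are simply the rows whose ``source`` is ``SMTP``.
"""
from typing import Dict, List, Optional

# Constructed sample of a Bro 2.2 files.log. The header mirrors the default
# field set; all values (addresses, uids, hashes, times) are invented.
SAMPLE_FILES_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tfiles
#open\t2014-04-01-17-26-20
#fields\tts\tfuid\ttx_hosts\trx_hosts\tconn_uids\tsource\tdepth\tanalyzers\tmime_type\tfilename\tduration\tlocal_orig\tis_orig\tseen_bytes\ttotal_bytes\tmissing_bytes\toverflow_bytes\ttimedout\tparent_fuid\tmd5\tsha1\tsha256\textracted
#types\ttime\tstring\tset[addr]\tset[addr]\tset[string]\tstring\tcount\tset[string]\tstring\tstring\tinterval\tbool\tbool\tcount\tcount\tcount\tcount\tbool\tstring\tstring\tstring\tstring\tstring
1396369580.123456\tFa1b2c3d4e5f\t192.0.2.10\t198.51.100.25\tCabc123\tSMTP\t0\tMD5,SHA1\tapplication/pdf\tinvoice.pdf\t0.012\tT\tT\t48211\t48211\t0\t0\tF\t-\t0123456789abcdef0123456789abcdef\t-\t-\t-
1396369581.000000\tFb2c3d4e5f6a\t192.0.2.10\t198.51.100.25\tCabc123\tSMTP\t0\t(empty)\ttext/plain\t-\t0.001\tT\tT\t512\t512\t0\t0\tF\t-\t-\t-\t-\t-
1396369582.500000\tFc3d4e5f6a7b\t203.0.113.7\t192.0.2.55\tCdef456\tHTTP\t0\tMD5\timage/png\tlogo.png\t0.003\tF\tF\t2048\t2048\t0\t0\tF\t-\t-\t-\t-\t-
#close\t2014-04-01-17-27-05
"""


def parse_bro_log(text: str) -> List[Dict[str, object]]:
    """Parse Bro's tab-separated ASCII log into a list of typed dicts.

    Separator, set separator, empty/unset markers and the column names and
    types are all taken from the '#' header lines rather than hard-coded.
    """
    sep, set_sep = "\t", ","
    empty_field, unset_field = "(empty)", "-"
    fields: List[str] = []
    types: List[str] = []
    rows: List[Dict[str, object]] = []

    for raw in text.splitlines():
        if not raw:
            continue
        if raw.startswith("#"):
            if raw.startswith("#separator "):
                # Bro writes the separator as an escape sequence, e.g. \x09
                sep = raw[len("#separator "):].encode().decode("unicode_escape")
                continue
            key, _, value = raw[1:].partition(sep)
            if key == "set_separator":
                set_sep = value
            elif key == "empty_field":
                empty_field = value
            elif key == "unset_field":
                unset_field = value
            elif key == "fields":
                fields = value.split(sep)
            elif key == "types":
                types = value.split(sep)
            continue  # #path, #open, #close carry no row data

        values = raw.split(sep)
        if len(values) != len(fields):
            raise ValueError(f"column count mismatch in line: {raw!r}")
        row: Dict[str, object] = {}
        for name, typ, val in zip(fields, types, values):
            if val == unset_field:
                row[name] = None
            elif typ.startswith(("set[", "vector[")):
                row[name] = [] if val == empty_field else val.split(set_sep)
            elif typ == "bool":
                row[name] = val == "T"
            elif typ in ("count", "int"):
                row[name] = int(val)
            elif typ in ("time", "interval", "double"):
                row[name] = float(val)
            else:
                row[name] = val
        rows.append(row)
    return rows


def smtp_entities(rows: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return the files.log rows that 2.1 would have put in smtp_entities.log."""
    return [r for r in rows if r.get("source") == "SMTP"]


def describe(row: Dict[str, object]) -> str:
    """One-line summary of an attachment: who sent what, how big, which hash."""
    name: Optional[str] = row["filename"]  # type: ignore[assignment]
    return (f"{row['fuid']} conn={','.join(row['conn_uids'])} "
            f"{row['mime_type']} name={name or '<unnamed>'} "
            f"bytes={row['seen_bytes']} md5={row['md5'] or '<none>'}")


if __name__ == "__main__":
    for entity in smtp_entities(parse_bro_log(SAMPLE_FILES_LOG)):
        print(describe(entity))
```

On a live cluster you would feed the contents of `current/files.log` to `parse_bro_log` instead of the sample; because the parser reads the `#fields` header, a files.log with extra or reordered columns from a different Bro version still parses.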

Thanks for the quick answer Chris and Seth.

James

Yes I am running bro 2.2, and it is correct: info appears under files.log.

Many thanks to all.