Hello,
I am attempting to install and study bro as a grad project. I have RH 9
installed and all updates done. I have not hardened the system yet
because I don't want to disable something that will interfere with the
IDS.
I have the following installed (in installation order):
perl-Tk-804.027-8.rh9, zlib-1.2.1, libpcap-0.8.3, tcpdump-3.8.3,
mysql-4.0.15a, httpd-2.0.50, php-4.3.3.
I downloaded bro (bro-pub-0.8a87) to /root/bro directory and untarred.
I've tried installation with: ./configure --with-PACKAGE=linux-include,
make, make install. I am getting an error at the make install as
follows:
bro /usr/local/sbin
make: bro : Command not found
make: *** [install] Error 127
I've tried a couple of things:
./bro -r example-attacks/ntp-attack.trace mt this command gives some
expected errors about scan.bro variables, etc...but also gives the log
of the session. Using cat weird.log gives the following:
986505326.451411 128.3.9.239 > 128.3.9.62/ntp: truncated ntp.
using ./bro -i eth0 -w testinglog.trace mt yields the same expected
errors and then "listening on eth0" but when I end (ctl C). I get "0
packets recieved on interface eth0, 0 dropped" with the nic operating
both with an ip address and in "stealth mode". I am running nessus
against the network and ethereal on the network to detect the traffic so
there should be some traffic picked up on the interface (or I would
expect it to be). cat testlog.trace gives either nothing or the
following error:
./bro: problem with trace file testlog.trace -fread; inappropriate ioctl
for device.
Can someone please help me determine what is going wrong with the
installation and how to get bro to "see" the traffic?
Thank you in advance.
Best Regards,
Deb
