Hi, I have just started with bro to evaluate it against the other tools we have. The first question I have is about using different libpcaps. We have our own fork of libpcap here (Phil Woods code) and I need to use it for a comparison with our snort and other tools. How hard is it to compile bro with another version of libpcap :)?
Stephen,
It should be fairly straight forward to use other libpcaps
with bro. There is an option to configure (--disable-localpcap)
that will disable including the pcap distributed with bro, and
instead will search for a libpcap on the system. I believe that
bro will first look for a libpcap directory at the same level
as the bro directory, and if it doesn't find one at that level
it looks for one installed on the system.
There was a bug in the --disable-localpcap, and I'm not sure if
the fix is the last release. Let me know if you have any problems,
the patch is only a couple of lines.
Hope this helps.
Cheers,
jason
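The search order Jason describes (sibling libpcap directory first, then the system), plus the check a practitioner wants after the build, as an added shell example that is not part of this thread. It assumes the forked libpcap sits in a directory named libpcap beside the bro source tree and that the built binary lands at src/bro.

```sh
#!/bin/sh
# Added example, not from the mailing-list thread.
# Mirrors the libpcap lookup Jason describes for --disable-localpcap so you can
# predict which library configure will pick up, then verify what bro links.

# locate_pcap BRO_SRC_DIR [SYSTEM_PREFIX...]
# Prints the directory holding libpcap.a or libpcap.so, checking the sibling
# ../libpcap directory first and only then the given system prefixes.
locate_pcap() {
    bro_dir=$1; shift
    sibling=$(dirname "$bro_dir")/libpcap
    if [ -f "$sibling/libpcap.a" ] || [ -f "$sibling/libpcap.so" ]; then
        echo "$sibling"; return 0
    fi
    for prefix in "$@"; do
        if [ -f "$prefix/lib/libpcap.a" ] || [ -f "$prefix/lib/libpcap.so" ]; then
            echo "$prefix/lib"; return 0
        fi
    done
    echo "no libpcap found in sibling dir or given prefixes" >&2
    return 1
}

# pcap_from_ldd
# Reads `ldd src/bro` output on stdin and prints the resolved path of the
# libpcap the binary actually loads. Fails if no shared libpcap is listed,
# which usually means the bundled copy was linked in statically after all.
pcap_from_ldd() {
    while read -r name arrow path rest; do
        case $name in
            libpcap.so*) echo "$path"; return 0 ;;
        esac
    done
    echo "no shared libpcap linked (statically linked?)" >&2
    return 1
}

# Typical use (assumed layout: ~/src/bro and ~/src/libpcap for the fork):
#   locate_pcap ~/src/bro /usr/local /usr      # expect ~/src/libpcap
#   ./configure --disable-localpcap && make
#   ldd src/bro | pcap_from_ldd                 # must point at the fork
```

If the ldd check reports a system or bundled libpcap rather than the fork, any performance comparison with snort is measuring the wrong capture library.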
Stephen J Smoogen wrote:
Jason Lee (DSD staff) wrote:
Stephen,
It should be fairly straight forward to use other libpcaps
with bro. There is an option to configure (--disable-localpcap)
that will disable including the pcap distributed with bro, and
instead will search for a libpcap on the system. I believe that
bro will first look for a libpcap directory at the same level
as the bro directory, and if it doesn't find one at that level
it looks for one installed on the system.
There was a bug in the --disable-localpcap, and I'm not sure if
the fix is the last release. Let me know if you have any problems,
the patch is only a couple of lines.
Hope this helps.
Thanks, it does help. I think that I don't have the patch.. it seems to be looking for stuff in the pcap directory.. but I haven't looked at it too deeply so I could be off still.