I am getting a Dependency is not satisfiable: libc6(<2.12) error message.
I have run the required dependency:
sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev libmagic-dev
But I have version 2.17
Can someone assist me with this?
VR
Jerry Champion
Information Security Engineer
Synovus Financial Corp
706-644-4589

Hello Bro Community:
I was wondering if there was an easy way to modify log filenames that are
placed into the spool directory. All I would like to do is simply
append 'bro.' to the beginning of each filename. I searched around a bit
thinking there may be a simple configuration option I could modify in the
broctl.cfg file. Unfortunately however, I have not come upon any solution
yet and feel like I am likely missing something obvious.
As an example, I would like the prefix to be something like 'bro.conn.log'
instead of 'conn.log' for all files being written to the
'/var/opt/bro/spool/bro' directory. Is there a simple way to do this using
the Bro application?
Thanks very much for your time and assistance.
-Jason

I followed the steps for configuring load balancing here:
http://www.bro.org/documentation/load-balancing.html
Everything worked great, but I had to restart the server and now I can't
load the PF_RING module.
sudo modprobe pf_ring enable_tx_capture=0 min_num_slots=32768
FATAL: Module pf_ring not found.
When I run:
ldd /bro/bin/bro | grep pcap
I get the following:
libpcap.so.1 => /opt/pfring/lib/libpcap.so.1 (0x00007f3aeb8ff000)
In the instructions it stated:
"Refer to the documentation for your Linux distribution on how to load the
pf_ring module at boot time."
But I wasn't able to find any details on how to do so.
Any suggestions?
Thanks,
John
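
An added check for the situation above (my own example, not from the post or from the Bro or PF_RING projects): `modprobe` only searches `/lib/modules/<running kernel>/`, so an out-of-tree module that was built once and not rebuilt disappears whenever the running kernel release changes. The functions below report whether `pf_ring.ko` exists for the running kernel, for some other installed kernel only, or not at all, and produce the two Debian/Ubuntu-style boot files: a `pf_ring` line in `/etc/modules` (names of modules to load at boot) and an `options` line in `/etc/modprobe.d/pf_ring.conf` carrying the same parameters used on the command line. Function names and the directory layout in `demo()` are constructed for illustration.

```python
import os
import tempfile

MODULE = "pf_ring"


def find_module_trees(modules_root, module=MODULE):
    """Map each kernel release directory under modules_root (normally
    /lib/modules) to the path of <module>.ko (or a compressed .ko.gz/.ko.xz)
    found anywhere in that release's tree."""
    found = {}
    if not os.path.isdir(modules_root):
        return found
    for release in sorted(os.listdir(modules_root)):
        tree = os.path.join(modules_root, release)
        if not os.path.isdir(tree):
            continue
        for dirpath, _subdirs, files in os.walk(tree):
            for name in files:
                if name == module + ".ko" or name.startswith(module + ".ko."):
                    found[release] = os.path.join(dirpath, name)
    return found


def diagnose(modules_root, running_release, module=MODULE):
    """Classify a 'FATAL: Module pf_ring not found' situation.

    Returns one of:
      ("ok", path)                        module present for the running kernel
      ("other-kernel-only", [releases])   built only for other installed kernels
      ("not-installed", [])               no copy under modules_root at all
    """
    trees = find_module_trees(modules_root, module)
    if running_release in trees:
        return ("ok", trees[running_release])
    if trees:
        return ("other-kernel-only", sorted(trees))
    return ("not-installed", [])


def etc_modules_with(text, module=MODULE):
    """Return the content of a Debian-style /etc/modules with `module` listed
    exactly once (one module name per line, text after '#' is a comment)."""
    for line in text.splitlines():
        words = line.split("#", 1)[0].split()
        if words and words[0] == module:
            return text
    if text and not text.endswith("\n"):
        text += "\n"
    return text + module + "\n"


def modprobe_options(params, module=MODULE):
    """Build the /etc/modprobe.d/<module>.conf line that makes modprobe apply
    the same parameters at boot as were given on the command line."""
    opts = " ".join("%s=%s" % (k, v) for k, v in sorted(params.items()))
    return "options %s %s\n" % (module, opts)


def demo():
    """Constructed layout: the module was built for 3.2.0-48 only, while the
    machine now runs 3.2.0-51 (a placeholder file stands in for the .ko)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "3.2.0-48-generic", "extra"))
    os.makedirs(os.path.join(root, "3.2.0-51-generic", "kernel"))
    with open(os.path.join(root, "3.2.0-48-generic", "extra", "pf_ring.ko"), "wb") as f:
        f.write(b"\x7fELF")  # placeholder bytes, not a real kernel module
    return {
        "old": diagnose(root, "3.2.0-48-generic"),
        "new": diagnose(root, "3.2.0-51-generic"),
        "none": diagnose(os.path.join(root, "missing"), "3.2.0-51-generic"),
    }


if __name__ == "__main__":
    import platform
    print(diagnose("/lib/modules", platform.release()))
    print(modprobe_options({"enable_tx_capture": 0, "min_num_slots": 32768}), end="")
```

If `diagnose` reports `other-kernel-only`, the module has to be rebuilt against the running kernel (or a DKMS package used so that happens automatically); if it reports `ok`, the remaining question is only the boot-time load, which the two generated files cover.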
Is there any way to determine the cause of dropped packets? I'm running Bro
Cluster (2.2) on a single machine with 1 manager, 1 proxy and 10 workers.
The total number of workers is much less than the number of cpus in this
machine (system load doesn't usually get higher than 2 and individual
worker processes hover at around 30-40% cpu utilization). The machine has
PF_Ring and related ethernet drivers installed. After looking at netstats
there's always some dropped packets. The occasional dropped packet isn't
usually a cause for concern but some workers show large numbers of dropped
packets. I'd like to know what part of the process is bottlenecked and
causing packets to be dropped.
The documentation mentions that broctl cron logs stats but doesn't mention
where they're located (didn't see anything in spool that looked like
cluster runtime stats) or how to view the data.
Anyone have any ideas?
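
An added example for narrowing down the dropped-packet question above (mine, not from the post or from broctl): the `recvd`/`dropped` counters a worker reports are cumulative since it started, so a single `broctl netstats` reading cannot distinguish a worker that lost packets once at startup from one that is dropping right now. The code parses two snapshots taken some time apart and computes the drop rate over the interval, falling back to the lifetime ratio for a worker that is new or whose counters went backwards (restart). The line format is my recollection of what `broctl netstats` prints (`worker-1: 1391124963.346283 recvd=56278 dropped=0 link=56278`) and should be checked against real output; the two snapshots are constructed.

```python
import re

# Assumed 'broctl netstats' line shape (verify against your own output):
#   worker-1: 1391124963.346283 recvd=56278 dropped=0 link=56278
NETSTATS_RE = re.compile(
    r"^(?P<node>\S+):\s+(?P<ts>\d+(?:\.\d+)?)\s+"
    r"recvd=(?P<recvd>\d+)\s+dropped=(?P<dropped>\d+)\s+link=(?P<link>\d+)\s*$"
)


def parse_netstats(text):
    """Parse one snapshot into {node: {ts, recvd, dropped, link}}.
    Lines that do not match (e.g. a worker that failed to answer) are skipped."""
    snap = {}
    for line in text.splitlines():
        m = NETSTATS_RE.match(line.strip())
        if m:
            snap[m.group("node")] = {
                "ts": float(m.group("ts")),
                "recvd": int(m.group("recvd")),
                "dropped": int(m.group("dropped")),
                "link": int(m.group("link")),
            }
    return snap


def drop_rates(before, after):
    """Per-worker drop rate over the interval between two snapshots:
    delta(dropped) / (delta(recvd) + delta(dropped)).

    A worker missing from `before`, or whose counters decreased (it was
    restarted in between), is scored on its lifetime counters instead."""
    rates = {}
    for node, cur in after.items():
        prev = before.get(node)
        if prev is None or cur["recvd"] < prev["recvd"] or cur["dropped"] < prev["dropped"]:
            recvd, dropped = cur["recvd"], cur["dropped"]
        else:
            recvd = cur["recvd"] - prev["recvd"]
            dropped = cur["dropped"] - prev["dropped"]
        total = recvd + dropped
        rates[node] = dropped / float(total) if total else 0.0
    return rates


def flag_workers(rates, threshold=0.01):
    """Workers whose interval drop rate exceeds the threshold (default 1%)."""
    return sorted(node for node, rate in rates.items() if rate > threshold)


# Constructed snapshots one minute apart: worker-2 dropped only at startup,
# worker-3 is still dropping, worker-4 appeared between the two samples.
SNAPSHOT_1 = """\
worker-1: 1391124960.000000 recvd=1000000 dropped=0 link=1000000
worker-2: 1391124960.000000 recvd=1000000 dropped=50000 link=1050000
worker-3: 1391124960.000000 recvd=900000 dropped=100000 link=1000000
"""
SNAPSHOT_2 = """\
worker-1: 1391125020.000000 recvd=1300000 dropped=0 link=1300000
worker-2: 1391125020.000000 recvd=1300000 dropped=50000 link=1350000
worker-3: 1391125020.000000 recvd=1100000 dropped=150000 link=1250000
worker-4: 1391125020.000000 recvd=1000 dropped=1000 link=2000
"""


def demo():
    rates = drop_rates(parse_netstats(SNAPSHOT_1), parse_netstats(SNAPSHOT_2))
    return rates, flag_workers(rates)


if __name__ == "__main__":
    rates, flagged = demo()
    for node in sorted(rates):
        print("%-10s %6.2f%% dropped" % (node, 100 * rates[node]))
    print("investigate:", ", ".join(flagged) or "none")
```

In practice: `broctl netstats > a; sleep 60; broctl netstats > b` and feed both files to `drop_rates`. A worker with a high lifetime count but a near-zero interval rate lost packets at startup and is not the current problem; a worker that keeps a high interval rate while its neighbours are clean and CPU is idle is worth looking at in isolation (its share of the traffic, its ring, its NIC queue) rather than the whole cluster.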
Hi all,
After looking at an aggregate 30 days of files.log in Splunk, I noticed
that 98% of the files identified by Bro have no filenames associated with
them.
While I haven't done any rigorous testing of this, it just seems wrong. Is
this a known bug? Is anyone else experiencing this?
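
An added example (mine, not from the post or from Bro) for checking the observation above directly on the log files instead of in Splunk: a header-driven parser for Bro's ASCII logs that honours `#separator`, `#unset_field`, `#empty_field` and `#fields`, plus a breakdown of how many files.log entries carry a `filename` per `source` value, which tells you which protocol the blanks come from. The files.log excerpt is constructed with an abbreviated `#fields` list; because the parser follows the header, it reads a real files.log unchanged.

```python
def parse_bro_ascii(text):
    """Parse a Bro ASCII log. Unset values ('-') become None and explicitly
    empty values ('(empty)') become ''. Returns a list of dicts keyed by the
    names in the #fields header."""
    sep, unset, empty = "\t", "-", "(empty)"
    fields = None
    rows = []
    for raw in text.splitlines():
        if not raw:
            continue
        if raw.startswith("#separator"):
            # The first header line is space-separated and spells the
            # separator as an escape sequence, e.g. '#separator \x09'.
            sep = raw.split(" ", 1)[1].encode("ascii").decode("unicode_escape")
            continue
        if raw.startswith("#"):
            key, _, val = raw[1:].partition(sep)
            if key == "unset_field":
                unset = val
            elif key == "empty_field":
                empty = val
            elif key == "fields":
                fields = val.split(sep)
            continue  # #set_separator, #path, #open, #types, #close are not needed here
        if fields is None:
            raise ValueError("data line before #fields header")
        row = {}
        for name, val in zip(fields, raw.split(sep)):
            row[name] = None if val == unset else ("" if val == empty else val)
        rows.append(row)
    return rows


def filename_coverage(rows, key="source"):
    """Per value of `key`: (entries, entries that have a filename)."""
    out = {}
    for r in rows:
        total, named = out.get(r[key], (0, 0))
        out[r[key]] = (total + 1, named + (1 if r.get("filename") else 0))
    return out


# Constructed files.log excerpt with a shortened field list.
SAMPLE_FILES_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tfiles\n"
    "#fields\tts\tfuid\tsource\tmime_type\tfilename\tseen_bytes\n"
    "#types\ttime\tstring\tstring\tstring\tstring\tcount\n"
    "1391124963.123456\tFa1b2c3d4e5f6a7b8c9d0\tHTTP\ttext/html\t-\t4096\n"
    "1391124963.223456\tFb2c3d4e5f6a7b8c9d0e1\tHTTP\timage/png\t-\t1200\n"
    "1391124963.323456\tFc3d4e5f6a7b8c9d0e1f2\tHTTP\tapplication/pdf\treport.pdf\t80000\n"
    "1391124963.423456\tFd4e5f6a7b8c9d0e1f2a3\tSMTP\tapplication/zip\tinvoice.zip\t23456\n"
    "1391124963.523456\tFe5f6a7b8c9d0e1f2a3b4\tFTP_DATA\tapplication/x-dosexec\tsetup.exe\t512000\n"
    "#close\t2014-01-31-00-00-00\n"
)


def demo():
    rows = parse_bro_ascii(SAMPLE_FILES_LOG)
    return rows, filename_coverage(rows)


if __name__ == "__main__":
    rows, cov = demo()
    for source, (total, named) in sorted(cov.items()):
        print("%-9s %4d entries, %4d with filename" % (source, total, named))
```

Run it over a real rotated log (`parse_bro_ascii(open(path).read())`) and compare the per-source counts: if the blanks are concentrated in one source, that is where to look for why no name was recorded.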
I'm testing out the ElasticSearch writer in a Bro Cluster (2.2 release)
along with the Ascii writer. I've set LogRotationInterval to an hour (3600)
in broctl.cfg which I know sets or overrides Log::default_rotation_interval
and in my local.bro I've overridden the rotation_interval parameter of the
ElasticSearch Logger (defined in logs-to-elasticsearch policy) to be every
24 hours. Apparently, Bro seems to be ignoring the rotation_interval value.
I've tried not setting LogRotationInterval and setting
Log::default_rotation_interval in my local.bro file but I got similar
results.
Is there any way to have the Ascii writer use a 1 hr rotation interval while
the ElasticSearch writer uses a different one? Looking through the
docs/code it doesn't look like LogAscii has a rotation_interval of its own.

Is there any guidance/information as to how things should be split up
between the 3 types of site policies (manager, proxy, worker). Can it
actually make a difference in performance or is it mainly there for
organization purposes?
As far as I can tell the docs only mention that notice filtering needs to
be done on the manager and everything else can go into the generic
local.bro file. Is there any further guidance?

Does Bro 2.1 support sniffing on several interfaces at the same time? I have tried this now on a dozen nodes, and the behavior does not seem to be consistent.
Note that I am not trying to sniff an outbound and an inbound stream that are related, but I have a tap port on a separate network that I am also interested in covering.
Sometimes multiple interfaces in node.cfg will work, but sometimes it makes Bro just hang and not record any of the http, dns, ftp logs etc.
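
An added node.cfg fragment (mine, not from the post or the Bro documentation) showing how I would lay out the two capture points described above: one worker per interface, each with a single `interface=` setting, rather than listing several interfaces on one worker. Section names, hostnames and interface names are placeholders.

```ini
[manager]
type=manager
host=localhost

[proxy-1]
type=proxy
host=localhost

# Worker for the main span/mirror port
[worker-span]
type=worker
host=localhost
interface=eth1

# Separate worker for the tap on the other network
[worker-tap]
type=worker
host=localhost
interface=eth2
```

With this layout each interface has its own process and its own entry in `broctl status` and `broctl netstats`, so a capture problem on one tap shows up against that worker instead of stalling the only worker there is.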
I've been tasked to find files with a specific "signature" in the file header, where the file will be within an archive of files. This needs to be agnostic of the protocol that transported the archive file.
I'm thinking the way to do this is to use the new File Analysis framework. Does Bro provide a mechanism to "automagically" extract the contents of an archive when it is an archive file that is being extracted from a protocol, or is this something I'm going to have to script myself? How can I know that a file has been fully received such that I can begin my analysis?
Thanks - Jon