Bro 2.4 now available for Security Onion!


Doug Burks

Aug 3, 2015, 2:05:13 PM
to securit...@googlegroups.com

JT

Aug 3, 2015, 4:39:01 PM
to security-onion

Awesome, thanks Doug!

tileo...@gmail.com

Aug 10, 2015, 7:12:10 AM
to security-onion
Hello,

I had a little issue with a couple of sensors that I built last Friday.

The /opt/bro/etc/broctl.cfg shipped with the new Bro 2.4 package has these lines:

# Location of the log directory where log files will be archived each rotation
# interval.
LogDir = /opt/bro/logs

# Location of the spool directory where files and data that are currently being
# written are stored.
SpoolDir = /opt/bro/spool

# Location of other configuration files that can be used to customize
# BroControl operation (e.g. local networks, nodes).
CfgDir = /opt/bro/etc

And for me, these are the values on my older sensor, which had Bro 2.3 installed and then upgraded to Bro 2.4 and they work fine:

# Location of the log directory where log files will be archived each rotation
# interval.
LogDir = /nsm/bro/logs

# Location of the spool directory where files and data that are currently being
# written are stored.
SpoolDir = /nsm/bro/spool

# Location of other configuration files that can be used to customize
# BroControl operation (e.g. local networks, nodes).
CfgDir = /opt/bro/etc

So my solution was to change the /opt/bro/etc/broctl.cfg on the new sensors, but I do not know if the /opt/bro/logs and /opt/bro/spool directories are the ones that I am supposed to use in Security Onion...

Thanks,
David

Doug Burks

Aug 10, 2015, 12:44:19 PM
to securit...@googlegroups.com
Hi David,

/var/lib/dpkg/info/securityonion-bro.postinst should have
automatically modified broctl.cfg and set LogDir and SpoolDir to
/nsm/bro/logs and /nsm/bro/spool respectively.

Were there any errors during installation?

Have you checked the log files in /var/log/apt/ for additional clues?

David Szili

Aug 12, 2015, 5:40:30 AM
to securit...@googlegroups.com
Hello Doug,

I have checked my /var/lib/dpkg/info/securityonion-bro.postinst and I think the problem is with these lines:

        # check broctl.cfg for proper dirs
        if ! grep "nsm" /opt/bro/etc/broctl.cfg >/dev/null; then
                sed -i 's|SpoolDir = /var/opt/bro/spool|SpoolDir = /nsm/bro/spool|g' /opt/bro/etc/broctl.cfg
                sed -i 's|LogDir = /var/opt/bro/logs|LogDir = /nsm/bro/logs|g' /opt/bro/etc/broctl.cfg
        fi

So the script looks for /var/opt/bro/spool and /var/opt/bro/logs, but the default /opt/bro/etc/broctl.cfg has /opt/bro/spool and /opt/bro/logs.

Best regards,
David

Doug Burks

Aug 15, 2015, 4:45:00 PM
to securit...@googlegroups.com
I've duplicated this issue when installing the securityonion-bro
package on a fresh box (not upgrading from a previous version of Bro).

I've created Issue 797 to have the NSM scripts check for this issue
and update SpoolDir and LogDir if necessary:
https://github.com/Security-Onion-Solutions/security-onion/issues/797
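As an added example (not the securityonion-bro postinst and not code from the Security Onion project), here is a shell helper that rewrites LogDir and SpoolDir in a broctl.cfg to the /nsm paths named in this thread regardless of which default the shipped file carries, so it handles both the /var/opt/bro and the /opt/bro defaults and is safe to rerun. The function names, the sample config and the use of GNU sed -i are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the package's postinst. Target paths are the ones the
# thread names for Security Onion; the function names are constructed here.
NSM_LOGDIR=/nsm/bro/logs
NSM_SPOOLDIR=/nsm/bro/spool

# Usage: fix_broctl_dirs /opt/bro/etc/broctl.cfg
# Matches the whole "Key = value" line instead of one specific packaged
# default, so it works for /var/opt/bro, /opt/bro or any other value, and
# it is idempotent: a file already pointing at /nsm is left unchanged.
# Assumes GNU sed (in-place -i with no suffix), as on Ubuntu-based sensors.
fix_broctl_dirs() {
    cfg="$1"
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }
    sed -i \
        -e "s|^[[:space:]]*LogDir[[:space:]]*=.*|LogDir = $NSM_LOGDIR|" \
        -e "s|^[[:space:]]*SpoolDir[[:space:]]*=.*|SpoolDir = $NSM_SPOOLDIR|" \
        "$cfg"
}

# Print the configured value of one key, e.g.
#   get_broctl_dir LogDir /opt/bro/etc/broctl.cfg
get_broctl_dir() {
    sed -n "s|^[[:space:]]*$1[[:space:]]*=[[:space:]]*||p" "$2"
}

# Constructed sample mirroring the Bro 2.4 defaults quoted in the thread.
make_sample_cfg() {
    cat > "$1" <<'EOF'
# Location of the log directory where log files will be archived each rotation
# interval.
LogDir = /opt/bro/logs

# Location of the spool directory where files and data that are currently being
# written are stored.
SpoolDir = /opt/bro/spool

# Location of other configuration files that can be used to customize
# BroControl operation (e.g. local networks, nodes).
CfgDir = /opt/bro/etc
EOF
}
```

Unlike the original `grep "nsm"` guard, this rewrite does not depend on what the shipped default is, and CfgDir is left untouched because it is correct as shipped.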