Discussion:
[Bro] Where is my conn.log?
Mark Krenz
2018-11-12 19:47:53 UTC
Permalink
I've inherited a Bro 2.5.5 setup from someone else and am coming to it
after it's been running for a while without producing any conn or other
protocol logs. I've tried restarting Bro and redeploying, but the only
logs that get started are

communication.log
loaded_scripts.log
packet_filter.log
reporter.log
stats.log
stderr.log
stdout.log
weird.log

None of these logs are filling up with anything useful or indicating
what the problem may be. The only useful message is
"non_ip_packet_in_ethernet" in the weird.log. That seems to point to a
network issue rather than a Bro issue, but I'd like to rule out a Bro
issue first if possible. At one point this setup did produce useful logs
but apparently it just stopped at some point and I'm not sure why. The
only thing somewhat unique about this setup is that at one point it
required me to use the setting 'redef encap_hdr_size=10;' to handle an
incompatibility between Bro and a vlan technology this network uses.
I've also verified that the taps that Bro is listening on are seeing
actual traffic by using tshark, which is able to decode the protocols.

Any suggestions as to where to start and how to diagnose this?

Thanks,

Mark
Hosom, Stephen M
2018-11-12 20:25:17 UTC
Permalink
Check the reporter.log. I highly suspect that it will have an error related to checksum offloading.


You'll want to try running bro with the -C option to see if that produces logs. If it does, then you'll need to modify your interface configuration. You can do this by installing the interface setup package from NCSA: https://github.com/ncsa/bro-interface-setup or manually configuring your interface along the lines of the guide located here: https://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full.html



Security Onion: When is full packet capture NOT full packet capture?<https://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full.html>
blog.securityonion.net
I was looking at some packets recently and noticed the Wireshark message "Packet size limited during capture". &nbsp;This was strange since the p...


________________________________
From: bro-***@bro.org <bro-***@bro.org> on behalf of Mark Krenz <***@iu.edu>
Sent: Monday, November 12, 2018 2:47:53 PM
To: ***@bro-ids.org
Subject: [Bro] Where is my conn.log?

Message received from outside the Battelle network. Carefully examine it before you open any links or attachments.


I've inherited a Bro 2.5.5 setup from someone else and am coming to it after it's been running for a while without producing any conn or other protocol logs. I've tried restarting Bro and redeploying, but the only logs that get started are

communication.log
loaded_scripts.log
packet_filter.log
reporter.log
stats.log
stderr.log
stdout.log
weird.log

None of these logs are filling up with anything useful or indicating what the problem may be. The only useful message is "non_ip_packet_in_ethernet" in the weird.log. That seems to point to a network issue rather than a Bro issue, but I'd like to rule out a Bro issue first if possible. At one point this setup did produce useful logs but apparently it just stopped at some point and I'm not sure why. The only thing somewhat unique about this setup is that at one point it required me to use the setting 'redef encap_hdr_size=10;' to handle an incompatibility between Bro and a vlan technology this network uses. I've also verified that the taps that Bro is listening on are seeing actual traffic by using tshark, which is able to decode the protocols.

Any suggestions as to where to start and how to diagnose this?

Thanks,

Mark

Loading...