theory5 / broscriptstuff Goto Github PK

CMake Error at CMakeLists.txt:33 (message):
Could not find prerequisite package 'Readline'

cat /opt/timemachine/etc/timemachine.cfg.in

that file exists which is a example of what the cfg file should be

I think we would need to turn it into the real conf file with proper paths and ethX ... restart bro assumedly

Cloning into 'timemachine'...
remote: Reusing existing pack: 461, done.
remote: Total 461 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (461/461), 1.20 MiB | 489 KiB/s, done.
Resolving deltas: 100% (193/193), done.
This install assumes that you've installed bro to the local prefix /usr/local/bro and not some other, weird one.
make: *** [configured] Error 1
make: *** [configured] Error 1
Time Machine config found here: /usr/local/etc/timemachine.cfg

I had added some output to show me what else I should try to execute after the exit that I put into the script, but by then we were in a different dir...

tail: cannot open `tminst.sh' for reading: No such file or directory
/opt/timemachine
drwxr-xr-x 3 root root 4.0K May 10 18:02 doc
drwxr-xr-x 2 root root 4.0K May 10 18:02 cmake
drwxr-xr-x 2 root root 4.0K May 10 18:02 etc
drwxr-xr-x 2 root root 4.0K May 10 18:02 tm-query
drwxr-xr-x 4 root root 4.0K May 10 18:02 src
~/BroScriptStuff/fullinst# 

less outputinst.txt

Invalid option '--with-pcaps=*'. Try ./configure --help to see available options.
Error: No build/ directory found. Did you run configure?
Error: No build/ directory found. Did you run configure?

https://github.com/Theory5/BroScriptStuff/blob/master/fullinst/tminst.sh#L17 and #L23 suggest that some unknown failures will occur if the path of bro is different than expected.

You can test for the existence of a file in the path you expect like:

if [ -f "/foo/bar/baz" ];then echo "To be!"; else echo "It is not to be";exit 1;fi

or similar. Be sure to always use SPACES inside the square brackets and quote your strings and vars inside the square brackets.

So you could exit the script with an echo to the user saying something like "This script expects bro (or whatever it is you expect) to be located at whatever path, exiting to avoid whatever consequence" or if the item is found where it should be then echo path bro or whatever found at whatever path, to reassure the user that things are going well.

https://github.com/Theory5/BroScriptStuff/blob/master/fullinst/tminst.sh#L27

also line 29

You may find by the time you get this that I committed as I'm editing the script as I study it prior to using it.

Ensure GeoCity packages are installed, here: http://www.bro.org/sphinx-git/frameworks/geoip.html

find /usr/share/GeoIP

rename databases to the names Bro is looking for

After re installing broccoli and broccoli-python I did get a pcap by doing this:

python /opt/timemachine/tm-query/tm-query --ip 1.2.3.4 127.0.0.1 host.pcap

where 1.2.3.4 is the IP I don't want to post in a public repo, of a remote out of US server I used to connect into the bro-monitored network

Since the above finally worked I didn't want to lose or fail to report the exact syntax.

which timemachine

/usr/local/bin/timemachine

I had to start it:

timemachine

No output upon starting...

ps auxfww|grep timem

root     14256  0.0  0.0   9388   944 pts/0    S+   01:29   0:00  |                   \_ grep --color=auto timem
root     13626  1.0  0.0 1440464 72432 ?       Ssl  01:29   0:00 Time Machine

Or other very specific instructions that they need.

I'd go so far as to show the exact commands for restarting bro if that is needed, such as

broctl

then what they should type within broctl environment and then also where they should look to see evidence that the new Time Machine stuff is actually working, suggested tests to trigger it into working etc. This may all be best on a wiki page and you could just echo the url to the wiki page at the end saying something like "for next steps go here"

Note in the time machine git repo under

timemachine/doc/howto.rst it tells that you must have the dirs exist. Also pcaps apparently get written to the queryfiledir:

  indexdir "<path>"
    Path, absolute or relative to 'workdir' (see above), where the 
    disk indexes will reside. This directory must exist upon timemachine startup.
    It is a performance gain to place the index database files on different
    disk than the class storage files.

  queryfiledir "<path>"
    Path, absolute or relative to 'workdir' (see above), where query result
    files will be created.  This directory must exist upon timemachine startup.