clr-bundles
suricata configs and bro issues
Hey, I installed the network-monitor-node bundle for bro and suricata; however, it seems there are no configs that ship for suricata, and bro is throwing an error:
fatal error in /usr/share/bro/base/init-bare.bro, line 1: cannot load plugin library /usr/lib/bro/plugins/Bro_AF_Packet//lib/Bro-AF_Packet.linux-x86_64.so: /usr/lib/bro/plugins/Bro_AF_Packet//lib/Bro-AF_Packet.linux-x86_64.so: undefined symbol: bro_version_2_6_1_plugin_6
I'm aware there is a stateless approach for Clear, so I'm not sure if I'm doing something wrong or what.
Another point to note: when trying to run broctl, I get the following:
FileNotFoundError: [Errno 2] No such file or directory: '/etc/broctl.cfg'
Again, I understand the concept of not automatically putting entries into /etc, i.e. for the stateless approach, but I would have thought the bro package would have been compiled with a different prefix.
And again, it's definitely possible that I'm doing/expecting something wrong.
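One way to confirm what the plugin error above points at (the plugin imports `bro_version_2_6_1_plugin_6`, which the installed bro binary does not export), as an added example that is not from the issue or the clr-bundles project: the `nm` output embedded below is constructed, and `check_installed_plugin` assumes GNU binutils `nm` is on the path.

```shell
#!/bin/sh
# Added diagnostic (not from the clr-bundles issue): compare the bro_version_*
# ABI symbol a Bro plugin .so needs against the symbols the bro binary exports.

# Constructed sample of `nm -D --undefined-only <plugin.so>` output.
PLUGIN_UNDEF='                 U bro_version_2_6_1_plugin_6
                 U _ZN6plugin6Plugin8HookInitEv
                 U malloc@GLIBC_2.2.5'

# Constructed sample of `nm -D --defined-only /usr/bin/bro` from a build that
# exports a different version tag (the mismatch case seen in the issue).
BRO_DEFINED_MISMATCH='0000000000a1b2c0 T bro_version_2_6_plugin_6
0000000000a1b300 T main'

# Constructed sample from a bro binary built for the same version as the plugin.
BRO_DEFINED_MATCH='0000000000a1b2c0 T bro_version_2_6_1_plugin_6
0000000000a1b300 T main'

# Print each bro_version_* symbol the plugin imports that the binary does not
# export. Exit 0 when every version symbol is satisfied, 1 otherwise.
missing_version_symbols() {
  needed=$(printf '%s\n' "$1" | awk '$1 == "U" && $2 ~ /^bro_version_/ { print $2 }')
  exported=$(printf '%s\n' "$2" | awk '$2 ~ /^[TDWB]$/ && $3 ~ /^bro_version_/ { print $3 }')
  status=0
  for sym in $needed; do
    if ! printf '%s\n' "$exported" | grep -qx -- "$sym"; then
      echo "$sym"
      status=1
    fi
  done
  return $status
}

# Live variant: run nm against an installed plugin and the bro binary it loads into.
check_installed_plugin() {
  plugin="$1"
  bro_bin="${2:-$(command -v bro)}"
  missing_version_symbols "$(nm -D --undefined-only "$plugin")" \
                          "$(nm -D --defined-only "$bro_bin")"
}

# Demonstration on the constructed samples.
if missing_version_symbols "$PLUGIN_UNDEF" "$BRO_DEFINED_MISMATCH" >/dev/null; then
  echo "plugin matches bro"
else
  echo "plugin was built against a different Bro version"
fi
```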
Set up SecurityOnion instead. They provide everything you need including bro and suricata.
@WSLUser Sure, I've used security onion before. It's a nice product, especially given the price. Ultimately, I opened the ticket to point out that the required configs for these packages aren't being created automatically, and while a person might be able to create these themselves, it's pretty laborious, especially for Bro/Zeek, which has a pretty complicated script/directory structure.