<div dir="ltr">Hi Justin,<div><br></div>
<div>I didn't try that yet.</div>
<div>I got caught up in some other side effect. Bro's CPU usage goes to 100% when I use the input framework (or maybe my understanding is incorrect). I have no idea what triggered this.</div>
<div><br></div>
<div>I tested with and without two lines (integrating bro's input framework) in the bro script.<br></div>
<div><br></div>
<div><b>test.bro (On which I observe 100% CPU usage):</b></div>
<div>event bro_init()</div>
<div>{</div>
<div>----------</div>
<div>----------<br></div>
<div>Input::add_table([$source=file_port_list_loc, $name="file_port_list", $idx=Portsx, $destination=file_port_list]);<b><br></b></div>
<div>Input::remove("file_port_list");</div>
<div>}</div>
<div><br></div>
<div><div><b>test.bro (On which CPU usage is normal):</b></div>
<div>event bro_init()</div>
<div>{</div>
<div>----------</div>
<div>----------<br></div>
<div><b>#</b> Input::add_table([$source=file_port_list_loc, $name="file_port_list", $idx=Portsx, $destination=file_port_list]);<b><br></b></div>
<div><b>#</b> Input::remove("file_port_list");</div>
<div>}</div>
<div></div></div>
<div><br></div>
<div>As you can see, I have commented out the actual IF calls in the latter file.<br></div>
<div><br></div>
<div>I ran strace on both PIDs, and below is the output.</div>
<div><br></div>
<div><b>strace -p &lt;PID&gt; (PID of Bro reaching 100% CPU usage):</b></div>
<div>select(25, [9 13 15 18 20 22 24], [0 13 15], [0 13 15], {0, 0}) = 1 (out [0], left {0, 0})<br>
select(25, [9 13 15 18 20 22 24], [0 13 15], [0 13 15], {0, 0}) = 1 (out [0], left {0, 0})<br>
select(25, [9 13 15 18 20 22 24], [0 13 15], [0 13 15], {0, 0}) = 1 (out [0], left {0, 0})<br>
select(25, [9 13 15 18 20 22 24], [0 13 15], [0 13 15], {0, 0}) = 1 (out [0], left {0, 0})<br></div>
<div><br></div>
<div><b>strace -p &lt;PID&gt; (PID of a nice Bro):</b><br></div>
<div>select(24, [9 13 15 18 19 21 23], [0 13 15], [0 13 15], {0, 0}) = 1 (out [0], left {0, 0})<br>
select(0, NULL, NULL, NULL, {0, 20}) = 0 (Timeout)<br>
select(24, [9 13 15 18 19 21 23], [0 13 15], [0 13 15], {0, 0}) = 1 (out [0], left {0, 0})<br>
select(0, NULL, NULL, NULL, {0, 20}) = 0 (Timeout)<br></div>
<div><br></div>
<div>As you can see, the difference between these two outputs is that the nice process has one more select with a timeout of 20 microseconds (which I suppose is a sleep for 20 microseconds). But the same select call is not being made by the bad process, because of which the process takes up 100% CPU.</div>
<div><br></div>
<div>Am I missing anything here?? I am not able to identify what exactly is causing this behavior.</div>
<div><br></div>
<div>Thanks a lot for reading!!<br></div>
<div><br></div>
<div>Regards,</div>
<div>Nabil</div>
<div><br></div></div><br>
<div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, May 22, 2020 at 7:36 PM Justin Azoff &lt;<a href="mailto:justin@corelight.com">justin@corelight.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Try deleting this part:<br>
<br>
event bro_done()<br>
{<br>
Input::remove("file_port_list");<br>
}<br>
<br>
On Fri, May 22, 2020 at 6:19 AM Nabil Memon &lt;<a href="mailto:nabilmemon.ec@gmail.com" target="_blank">nabilmemon.ec@gmail.com</a>&gt; wrote:<br>
><br>
> Hi Zeek,<br>
><br>
> Hope you're all doing well.<br>
><br>
> I am using the Input framework to provide some dynamic input to bro.<br>
> Here's what the infra looks like:<br>
><br>
> cat /usr/local/bro/share/bro/base/protocols/file_port_list<br>
> #fields port_num<br>
> 60000/tcp<br>
> 8080/tcp<br>
> 49154/tcp<br>
> 55907/tcp<br>
> 49152/tcp<br>
> 49153/tcp<br>
> 8000/tcp<br>
> 5357/tcp<br>
><br>
><br>
> type Portsx: record {<br>
> port_num: port;<br>
> };<br>
><br>
> global file_port_list: set[port] = set();<br>
><br>
> redef Communication::nodes += {<br>
> ["python"] = [$host = 127.0.0.1, $events = /config_update/, $connect=F, $ssl=F]<br>
> };<br>
><br>
> event bro_init()<br>
> {<br>
> Input::add_table([$source=file_port_list_loc, $name="file_port_list", $idx=Portsx, $destination=file_port_list]);<br>
> }<br>
><br>
> event bro_done()<br>
> {<br>
> Input::remove("file_port_list");<br>
> }<br>
><br>
><br>
> event config_update()<br>
> {<br>
> Input::force_update("file_port_list");<br>
> }<br>
><br>
> It works really well. But when I terminate the bro process, it goes into a defunct state and throws an error on the console.<br>
> Error: received signal while waiting for thread /usr/local/bro/share/bro/base/protocols/file_port_list/Input::READER_ASCII, aborting all ...<br>
><br>
> Am I doing anything wrong??<br>
><br>
> Thanks a lot for looking..!!<br>
><br>
><br>
> Regards,<br>
> Nabil<br>
> _______________________________________________<br>
> Zeek mailing list<br>
> <a href="mailto:zeek@zeek.org" target="_blank">zeek@zeek.org</a><br>
> <a href="http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek" rel="noreferrer" target="_blank">http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek</a><br>
<br>
<br>
<br>
-- <br>
Justin<br>
</blockquote></div>
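<div>The strace comparison in the message above can be checked mechanically on a longer capture. The Python below is an added example, not part of the thread or of Bro/Zeek: the function names and the <code>min_calls</code> threshold are assumptions, and the two sample traces are the strace lines copied from the message.</div>

```python
import re

# select(2) as strace prints it: nfds, the timeout struct {sec, usec}, return value.
SELECT_RE = re.compile(r"select\((\d+),.*\{(\d+),\s*(\d+)\}\)\s*=\s*(\d+)")

def classify(line):
    """Return 'sleep', 'poll', 'wait', or None for a line that is not a select call."""
    m = SELECT_RE.search(line)
    if not m:
        return None
    nfds, sec, usec, _ret = map(int, m.groups())
    if nfds == 0:
        return "sleep"            # no descriptors: select is used purely as a timed sleep
    if sec == 0 and usec == 0:
        return "poll"             # zero timeout: returns immediately, never blocks
    return "wait"                 # blocks up to the timeout waiting on descriptors

def summarize(trace, min_calls=4):
    """Count call kinds and flag a run of back-to-back zero-timeout polls.

    min_calls is an assumed threshold sized for the short samples below;
    raise it when analysing a real capture of thousands of lines.
    """
    kinds = [k for k in map(classify, trace.splitlines()) if k]
    longest = run = 0
    for k in kinds:
        run = run + 1 if k == "poll" else 0
        longest = max(longest, run)
    return {"polls": kinds.count("poll"), "sleeps": kinds.count("sleep"),
            "longest_poll_run": longest, "busy_loop": longest >= min_calls}

# Sample input: strace lines copied from the message (100% CPU process).
BUSY_TRACE = """\
select(25, [9 13 15 18 20 22 24], [0 13 15], [0 13 15], {0, 0}) = 1 (out [0], left {0, 0})
select(25, [9 13 15 18 20 22 24], [0 13 15], [0 13 15], {0, 0}) = 1 (out [0], left {0, 0})
select(25, [9 13 15 18 20 22 24], [0 13 15], [0 13 15], {0, 0}) = 1 (out [0], left {0, 0})
select(25, [9 13 15 18 20 22 24], [0 13 15], [0 13 15], {0, 0}) = 1 (out [0], left {0, 0})
"""

# Sample input: strace lines copied from the message (normal CPU process).
NICE_TRACE = """\
select(24, [9 13 15 18 19 21 23], [0 13 15], [0 13 15], {0, 0}) = 1 (out [0], left {0, 0})
select(0, NULL, NULL, NULL, {0, 20}) = 0 (Timeout)
select(24, [9 13 15 18 19 21 23], [0 13 15], [0 13 15], {0, 0}) = 1 (out [0], left {0, 0})
select(0, NULL, NULL, NULL, {0, 20}) = 0 (Timeout)
"""

if __name__ == "__main__":
    print("busy:", summarize(BUSY_TRACE))
    print("nice:", summarize(NICE_TRACE))
```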