[Bro-Dev] Duplicate Notice Actions Regression?

Siwek, Jonathan Luke jsiwek at illinois.edu
Fri Feb 8 12:29:40 PST 2013


On Feb 8, 2013, at 1:50 PM, Vlad Grigorescu <vladg at cmu.edu> wrote:

> Recently, I've been seeing Bro perform duplicate notice actions. I think this commit might have introduced a regression: <http://git.bro-ids.org/bro.git/commitdiff/290c2a0b4df2db38ade684cf386a5c9b6b271d9e>
> 
>> # The notice policy is completely handled by the manager and shouldn't be 
>> # done by workers or proxies to save time for packet processing.
>> -event bro_init() &priority=11
>> -       {
>> -       Notice::policy = table();
>> -       }
>> +redef Notice::policy = table();
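Review bot: moving the reset from a bro_init handler to `redef Notice::policy = table();` changes when it takes effect. The redef is applied at parse time, in script load order, so any script loaded after this one that extends the table with `redef Notice::policy += { ... }` repopulates it on workers and proxies, whereas the `&priority=11` handler cleared it at startup after every redef had already been processed. Either keep the runtime clear in bro_init, or confirm on a worker with `broctl print Notice::ordered_policy` that the policy really ends up empty there, since that is what the comment above the hunk promises.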

I also thought that could have broken the notice de-duplication/suppression, but it seemed to work in my testing.  A simple check is to do `broctl print Notice::ordered_policy`.  If it's empty on all the worker nodes, but populated for the manager node, then it's still working like I expected and probably something else is wrong.

> Am I on the right track here? If not, does anyone have any other ideas of what might be causing this?


Are you getting 2 of the same exact email as if from both the worker and manager, or is it just that you get many emails within the suppression interval for the same "logical" notice $identifier?

And is it for all notice types or just certain ones?  If it's certain custom ones you're creating, can you post examples of how you call NOTICE() to generate them?

Have you changed any of the "suppression_interval" settings?

    Jon
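As an added illustration (not code from this thread or from the Bro project) of what the questions above are asking for: a custom notice type raised with an explicit `$identifier` and its own `$suppress_for`, so that repeats of the same logical notice within the interval are suppressed rather than emailed again. The module, notice type and constant names are constructed for the example, and the policy entry uses the 2.1-era table form that the quoted commit resets.

```bro
# Added example (not from the thread): a custom notice whose repeats are
# de-duplicated on $identifier for the interval given in $suppress_for.
module Example;

export {
    redef enum Notice::Type += {
        ## Constructed notice type for this example.
        Repeated_Connection,
    };

    ## How long repeats of one logical notice are suppressed; overrides
    ## Notice::default_suppression_interval for this type only.
    const repeat_suppression = 1hr &redef;
}

event connection_established(c: connection)
    {
    # $identifier decides what counts as "the same" notice: connections from
    # one originator to one responder port collapse into a single notice per
    # suppression interval, whatever their source ports or timestamps.
    NOTICE([$note=Example::Repeated_Connection,
            $msg=fmt("connection from %s to port %s", c$id$orig_h, c$id$resp_p),
            $conn=c,
            $identifier=cat(c$id$orig_h, c$id$resp_p),
            $suppress_for=repeat_suppression]);
    }

# Policy entry: email this notice type in addition to logging it.  In a
# cluster only the manager should carry a populated table, which is what
# `broctl print Notice::ordered_policy` on each node checks.
redef Notice::policy += {
    [$pred(n: Notice::Info) = { return n$note == Example::Repeated_Connection; },
     $action = Notice::ACTION_EMAIL]
};
```

If duplicate emails still arrive for notices that share an `$identifier`, the suppression state is not being consulted where the action runs; if the `$identifier` differs between the copies, each one is a distinct notice by design.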

