[Bro] Debugging policy

Greg Lindon greglindon at gmail.com
Mon Jun 23 11:06:34 PDT 2008

Thanks.  Seems painfully obvious now :)


On Mon, Jun 23, 2008 at 12:46 PM, Vern Paxson <vern at icir.org> wrote:
>> bro -r test.pcap -t tracefile.txt local.clear-passwords.bro
>> which takes around 30 minutes(!?!) to give me a fairly unhelpful error
>> about my policy.
>> ...
>>  Bro doesn't even show up in the first page of "top" processes.
> Try setting the environment variable BRO_DNS_FAKE to turn off DNS lookups.
> Most likely it's simply sitting in a series of long DNS timeouts.
>> The error bro gives is "parse error at or near event", the line number
>> is for the "event account_tried" declaration.  I'm guessing that I
>> have a syntax error in my password array, but this process is making
>> debugging slow.
> Yes, you don't have a ';' at the end of "global known_pass = { ... }".
>                Vern

More information about the Bro mailing list