[Bro] Requesting event_notice and event_alarm events over broccoli

Stephen Chan sychan at lbl.gov
Wed Aug 12 11:47:06 PDT 2009


    I'm trying to collect event_notice and event_alarm events from a
bro 1.4 instance via broccoli and seeing some odd behavior, and was
wondering if it's something others have seen (and figured out).

    What happens is the client connects, and requests those events,
and the server logs the connection and the request for events.
Everything looks fine, except that nothing comes through, and the bro
child/communications process starts to bloat up rapidly. Eventually the
process becomes huge and seg faults, leaving the parent bro process
humming along happily. The entire time, not a single event arrives at
the client.

    It almost looks as if the events are sent over to the child
process where they queue up for delivery, yet nothing goes through. I
saw that there is the suppress_notice_action flag which is set to F,
but the description sounds like it suppressed events arriving from a

    I am able to use the same client, and collect connection_finished
events, with no sign of the bro child process bloating up and dying,
so it seems to be something related to the event_notice and
event_alarm events. The NoticeAction and notice_info types passed for
those events are more complex than the connection_finished params,
would the optional fields and enumerated types in NoticeAction and
notice_info cause problems for marshalling and sending?



