[Bro] ServerFound notices slowed (was DNS logging)
Tyler.Schoenke at colorado.edu
Wed Dec 2 15:45:11 PST 2009
On a possibly related issue, I noticed that I am no longer seeing many
ServerFound notices. I used to see a lot of these notices with the
older 1.4.19, Robin's branch. The log format also changed around the
time I stopped seeing the notices. This was between Sept. 2nd and Sept.
The alarm.log messages through Sept. 2nd looked like this.
Sep 2 12:26:14 ServerFound 128.x.x.x: SSH server on port 2222/tcp
On/after Sept. 5th it changed to this format:
Sep 5 05:12:25 no=ServerFound na=NOTICE_ALARM_ALWAYS es=worker-1
sa=128.x.x.x da=128.y.y.y dp=3919/tcp p=3919/tcp num=32 msg=128.x.x.x:\
SSH\ server\ on\ port\ 3919/tcp sub=SSH tag=@c5-2f10-bf17
I think the log format change happened when I switched from a
stand-alone config to the cluster config with a single worker. I don't
understand why the ServerFound detections dropped so dramatically. I
went from detecting 261 servers when running stand-alone to only 5 when
running as a cluster.
In my new cluster config, with the latest trunk, in local-manager.bro,
[ProtocolDetector::ServerFound] = file_if_remote. I changed
file_if_remote to file_notice, but that didn't seem to make a difference.
I also commented ServerFound out of
cluster-manager.detect-protocols.bro, but that didn't help either.
Any ideas what changed?
On 11/12/2009 06:40 PM, Robin Sommer wrote:
> On Thu, Nov 12, 2009 at 07:46 -0500, Louis F Ruppert wrote:
> Yes, indeed. The cluster config is changing some defaults to values
> which seem to be more reasonable in a large setting. It's of course
> debatable what the definition of "reasonable" here is :-) With DNS
> one gets these huge logs which often aren't very helpful.
> So, the general guideline is when you're looking for a specific
> setting, also grep through the cluster's *.bro scripts.
>> (who also spent some time trying to figure this out)
> Sorry. :)
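An added example, not part of the thread or of Bro itself: a small parser that reads both alarm.log layouts shown in the message above (the stand-alone "ServerFound host: SVC server on port N/tcp" line and the cluster key=value line with backslash-escaped spaces) into one record shape, so ServerFound counts can be compared across the two configurations before assuming detections were actually lost. The sample lines, addresses, ports and tags are constructed placeholders modelled on the ones quoted in the post; the field names (no, sa, p, sub, es, msg) are the ones visible in the quoted cluster line.

```python
import re
from collections import Counter

# Constructed sample alarm.log lines (addresses, ports and tags are
# placeholders, not real observations). The first two use the stand-alone
# format, the last two the key=value format produced by the cluster config.
SAMPLE_LINES = [
    "Sep 2 12:26:14 ServerFound 128.x.x.x: SSH server on port 2222/tcp",
    "Sep 2 12:30:01 ServerFound 128.x.x.y: HTTP server on port 8080/tcp",
    "Sep 5 05:12:25 no=ServerFound na=NOTICE_ALARM_ALWAYS es=worker-1 "
    "sa=128.x.x.x da=128.y.y.y dp=3919/tcp p=3919/tcp num=32 "
    "msg=128.x.x.x:\\ SSH\\ server\\ on\\ port\\ 3919/tcp sub=SSH tag=@c5-2f10-bf17",
    "Sep 5 06:00:00 no=PortScan na=NOTICE_ALARM_ALWAYS es=worker-1 "
    "sa=10.0.0.5 msg=10.0.0.5\\ has\\ scanned\\ 20\\ ports tag=@c5-2f10-bf18",
]

TS_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (.*)$")
# Stand-alone format: "<notice> <host>: <service> server on port <port>"
OLD_RE = re.compile(r"^(\w+) (\S+): (.+?) server on port (\S+)$")
# Cluster format: space-separated key=value fields; a literal space inside
# a value is written as "\ ", so split only on unescaped spaces.
FIELD_SPLIT_RE = re.compile(r"(?<!\\) ")


def unwrap(text):
    """Rejoin a line that a mail client wrapped at a "\\ " escape.

    The wrap turns "msg=128.x.x.x:\\ SSH" into "msg=128.x.x.x:\\<newline>SSH";
    restoring the escaped space gives back the single log line.
    """
    return text.replace("\\\n", "\\ ")


def parse_kv_fields(rest):
    """Split a cluster-format remainder into a dict, unescaping "\\ "."""
    fields = {}
    for tok in FIELD_SPLIT_RE.split(rest):
        if "=" not in tok:
            continue
        key, value = tok.split("=", 1)
        fields[key] = value.replace("\\ ", " ")
    return fields


def parse_alarm_line(line):
    """Normalise either alarm.log layout; returns None for unparseable lines."""
    m = TS_RE.match(line.strip())
    if not m:
        return None
    ts, rest = m.groups()
    if rest.startswith("no="):
        f = parse_kv_fields(rest)
        return {"format": "cluster", "ts": ts, "notice": f.get("no"),
                "host": f.get("sa"), "service": f.get("sub"),
                "port": f.get("p"), "node": f.get("es"), "msg": f.get("msg")}
    notice, _, msg = rest.partition(" ")
    host = service = port = None
    old = OLD_RE.match(rest)
    if old:
        _, host, service, port = old.groups()
    return {"format": "standalone", "ts": ts, "notice": notice,
            "host": host, "service": service, "port": port,
            "node": None, "msg": msg}


def count_server_found(lines, key="service"):
    """Tally ServerFound notices by one record field (service, format, node...)."""
    counts = Counter()
    for line in lines:
        rec = parse_alarm_line(line)
        if rec and rec["notice"] == "ServerFound":
            counts[rec[key]] += 1
    return counts


if __name__ == "__main__":
    for fmt, n in sorted(count_server_found(SAMPLE_LINES, key="format").items()):
        print(f"{fmt}: {n} ServerFound notices")
    for svc, n in sorted(count_server_found(SAMPLE_LINES).items()):
        print(f"{svc}: {n}")
```

Running the parser over the real alarm.log from before and after the switch, keyed by "format" and then by "node", separates a genuine drop in detections from notices that were merely filed elsewhere or attributed to a different worker.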