[Bro] ServerFound notices slowed (was DNS logging)
Tyler.Schoenke at colorado.edu
Fri Dec 4 09:50:50 PST 2009
On 12/03/2009 10:48 AM, Robin Sommer wrote:
> (To extend my earlier note about the cluster configuration setting a
> few defaults differently: that's the case for a number features we
> have added to Bro in the past that are in some way incompatible with
> older Bro installations, like changes in log format. We have rarely
> turned these on per default to not break anything. The cluster now
> flips over some of these switches to get the new behaviour for new
> installations. Another example for that are DPD-based conn.logs: the
> service field in conn.log is now determined via DPD so you may for
> example now see "ssh" there for an SSH session on port 80, while the
> standard Bro default would still say "http".)
> There shouldn't be a difference though between broctl's cluster and
> standlone modes in this regard. I've just checked this for
> use_tagging setting, and that's enabled by default in the standlone
> setting as well now; it might not have in earlier versions.
Thanks for explaining how that works.
> I don't think the differences in the output format is (directly)
> linked to the missing ServerFounds. There must be another reason why
> you're seeing less. Have you looked at notice.log whether there are
> more ServerFounds in there? If yes, then they are filtered out
> somewhere before they reach alarm.log; if not, then they are not
> generated in the first place.
Yes, there are fewer showing up in the notice.log as well. When I get a
chance, I'll try rolling back to an older version, and see if there is a
difference. We also moved our SPAN port from a core-to-core link to a
Internet-to-core link. That may have caused a difference, but I had
expected to see more ServerFounds.
More information about the Bro