[Bro] Scheduling events are immediatly executed

Jan Muthreich jan.muthreich at consistec.de
Tue Dec 8 07:35:24 PST 2015


Hello,

I'm working with BRO and have a problem. I want to use scheduling but it doesn't seem to work. Alle tests, that I wrote, are immidiatly ready. I have seen the ticket https://bro-tracker.atlassian.net/browse/BIT-747 and have tried to reschedule. But it doesn't work. The rescheduled event is either missing, when no files are read, or immidiatly ready when files are read. 

Have someone tipps for me or is there any documentation, how the scheduling and eventing are work in BRO?

For example this is the test I use:

#@TEST-EXEC: bro -b -C -r $TRACES/10000.pcapng %INPUT > output 2> output.err
#@TEST-EXEC: test -f output
#@TEST-EXEC: btest-diff output
#@TEST-EXEC: test -f output.err
#@TEST-EXEC: btest-diff output.err

event e2() {
  print "e2";
}

function scheduleEvent(){
  print "f1";
  schedule 100sec { e2() };
}

event e1() {
  print "e1";
  scheduleEvent();
}

event bro_init() {
  schedule 100sec { e1() };
}

The trace file can be any pcap file.


consistec Engineering & Consulting GmbH
Jan Muthreich - Software Engineer




More information about the Bro mailing list