[Bro] Scheduling events are immediately executed
dirk.leinenbach at consistec.de
Thu Dec 10 08:21:22 PST 2015
Does Bro's event schedule depend on "input" from the network / trace
file? I.e., does it stop processing ASCII reader input if there's no
more network activity?
This might not be a big deal in production rollouts when Bro is listening
to real network interfaces, but in test scenarios (with btest) it looks
to me as if Bro stops processing other input once the pcap files have
been consumed completely. Is there any workaround / best practice on
how such situations can be handled in tests?
Thanks for your help!
On 09.12.2015 08:51, Jan Muthreich wrote:
> Thank you. I have an Input READER_ASCII in use, which needs Input::force_update. It reads from a Linux pipe. How can we schedule this operation if no network traffic is on the line?
> Kind regards
> Jan Muthreich
> -----Original Message-----
> From: Robin Sommer [mailto:robin at icir.org]
> Sent: Tuesday, December 8, 2015 5:23 PM
> To: Jan Muthreich <jan.muthreich at consistec.de>
> Cc: bro at bro.org
> Subject: Re: [Bro] Scheduling events are immediately executed
> On Tue, Dec 08, 2015 at 15:35 +0000, Jan Muthreich wrote:
>> I'm working with BRO and have a problem. I want to use scheduling but
>> it doesn't seem to work. All tests that I wrote are immediately
> One thing to keep in mind for schedule is that it's relative to "network time", i.e., the packet timestamps in the trace. When you say 100s, it's not going to wait for 100s of wall clock time to pass, but will trigger the event once the packet timestamps have covered 100s.
> When working offline from a trace, like in your case, that often feels like "immediately" if the input is short. Could that be it?
> Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin
Dr.-Ing. Dirk Leinenbach - Head of Software Development
consistec Engineering & Consulting GmbH
Europaallee 5 Phone: +49 (0)681 / 959044-0
D-66113 Saarbrücken Fax: +49 (0)681 / 959044-11
http://www.consistec.de e-mail: dirk.leinenbach at consistec.de
Register court: Amtsgericht Saarbrücken
Managing directors: Dr. Thomas Sinnwell, Volker Leiendecker, Stefan Sinnwell