[Bro] "broctl cron" running every 5 mins, and side effects

Azoff, Justin S jazoff at illinois.edu
Sat Sep 3 09:00:25 PDT 2016

> On Sep 2, 2016, at 9:35 AM, Glenn Forbes Fleming Larratt <gl89 at cornell.edu> wrote:
> Can anyone comment on what "broctl cron" is actually doing?
> My DNS admin reported to me that, at 5-minute intervals, my six bro hosts 
> (1x manager+proxy, 5 workers) are spewing DNS queries in the thousands,
> all forward and reverse lookups of themselves and each other (sample 
> appended). It *seems* to be correlated in time with the running of "broctl 
> cron".

broctl cron primarily checks up on the workers via ssh.

Are you using a bro version earlier than 2.4?  2.4 will make one connection per worker box; before that it made one connection for each worker process.

What you are seeing looks like bro < 2.4 plus ssh having UseDns or VerifyReverseMapping enabled.

It's also interesting that bro01 is not one of the names in the output, and bro05 appears 5% as often as 2,3,4 are.

In general you should be running a local caching resolver (unbound, dnsmasq, etc.).  Things run better across the board when you are caching DNS responses locally and not going out to the network for every lookup.

- Justin Azoff
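The triage Justin describes (counting how often each host is looked up, forward vs. reverse, and checking whether the bursts line up with a 5-minute cron cadence) can be done directly from the resolver's query log. The script below is an added example, not code from the Bro project or from either poster; it parses a constructed BIND-style query log (the sample appended to the original question is not reproduced here), counts lookups per name and record type, and reports the interval between query bursts per client so a cron-driven source stands out. Host names, addresses and the log format are assumptions for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in BIND-style query-log syntax (assumed format); it stands in
# for the sample appended to the original question, which is not on the page.
SAMPLE_LOG = """\
03-Sep-2016 09:00:01.101 client 10.0.0.11#40001: query: bro02.example.net IN A + (10.0.0.53)
03-Sep-2016 09:00:01.102 client 10.0.0.11#40002: query: 12.0.0.10.in-addr.arpa IN PTR + (10.0.0.53)
03-Sep-2016 09:00:01.103 client 10.0.0.11#40003: query: bro03.example.net IN A + (10.0.0.53)
03-Sep-2016 09:00:01.104 client 10.0.0.11#40004: query: 13.0.0.10.in-addr.arpa IN PTR + (10.0.0.53)
03-Sep-2016 09:05:02.201 client 10.0.0.11#40005: query: bro02.example.net IN A + (10.0.0.53)
03-Sep-2016 09:05:02.202 client 10.0.0.11#40006: query: 12.0.0.10.in-addr.arpa IN PTR + (10.0.0.53)
03-Sep-2016 09:05:02.203 client 10.0.0.12#40007: query: bro02.example.net IN A + (10.0.0.53)
03-Sep-2016 09:05:02.300 client 10.0.0.12#40008: query: www.example.org IN A + (10.0.0.53)
03-Sep-2016 09:05:03.000 zone example.net/IN: sending notifies (serial 42)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_log(text):
    """Return (timestamp, client, qname, qtype) for each query line; skip the rest."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # notifies, transfers and other non-query lines are ignored
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
        records.append((ts, m["client"], m["qname"].rstrip(".").lower(), m["qtype"]))
    return records


def lookups_per_name(records):
    """Count queries per (name, type). Forward (A/AAAA) and reverse (PTR) lookups
    of one host are kept as separate keys, which is what you want when deciding
    whether a reverse-mapping check (e.g. sshd UseDNS) is driving the volume."""
    return Counter((qname, qtype) for _, _, qname, qtype in records)


def burst_intervals(records, gap_seconds=5.0):
    """Group each client's queries into bursts (consecutive queries closer than
    gap_seconds) and return the seconds between burst starts, per client.
    A cron-driven source shows a steady interval here (300 s for */5)."""
    by_client = defaultdict(list)
    for ts, client, _, _ in records:
        by_client[client].append(ts)
    intervals = {}
    for client, stamps in by_client.items():
        stamps.sort()
        starts = [stamps[0]]
        for prev, cur in zip(stamps, stamps[1:]):
            if (cur - prev).total_seconds() >= gap_seconds:
                starts.append(cur)
        intervals[client] = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
    return intervals


def looks_periodic(intervals, period=300.0, tolerance=10.0):
    """True when every observed burst interval is within tolerance of period."""
    return bool(intervals) and all(abs(i - period) <= tolerance for i in intervals)


if __name__ == "__main__":
    recs = parse_query_log(SAMPLE_LOG)
    for (name, qtype), n in lookups_per_name(recs).most_common():
        print(f"{n:4d}  {qtype:4s} {name}")
    for client, ivals in burst_intervals(recs).items():
        print(client, ivals, "periodic" if looks_periodic(ivals) else "irregular")
```

Run against a real query log, a client whose bursts come back at 300-second intervals and whose names are mostly the cluster's own forward and reverse records points at the cron job rather than at Bro's traffic analysis; once a local caching resolver is in front of the hosts, the same script should show the per-name counts collapse to roughly one query per TTL.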
