[Bro] Strange behavior with interesting-hostnames.bro

Eric Hacecky hacecky at jlab.org
Fri Jul 28 11:13:13 PDT 2017


Yep, that was it.

//
[BroControl] > stop
stopping worker-2 ...
stopping worker-1 ...
stopping proxy-1 ...
stopping manager ...
[BroControl] > ps.bro
        USER       PID  PPID %CPU %MEM    VSZ   RSS TT       S  STARTED     TIME COMMAND
>>> worker-2
   (-) root     29973 29967 36.8  1.8 2580256 2458068 ?     S   Jul 25 1-02:41:59 bro
   (-) root     29974 29973  0.2  0.2 387928 328412 ?       S   Jul 25 00:11:20 bro
//

Cleaned it up and now the output for print matches across them.

Well done, thanks again.

Eric

----- Original Message -----
From: "Justin S Azoff" <jazoff at illinois.edu>
To: "Eric Hacecky" <hacecky at jlab.org>
Cc: bro at bro.org
Sent: Friday, July 28, 2017 2:06:50 PM
Subject: Re: [Bro] Strange behavior with interesting-hostnames.bro

> On Jul 28, 2017, at 1:42 PM, Eric Hacecky <hacecky at jlab.org> wrote:
> 
> [BroControl] > deploy
> checking configurations ...
> installing ...
> removing old policies in /usr/local/bro/spool/installed-scripts-do-not-touch/site ...
> removing old policies in /usr/local/bro/spool/installed-scripts-do-not-touch/auto ...
> creating policy directories ...
> installing site policies ...
> generating cluster-layout.bro ...
> generating local-networks.bro ...
> generating broctl-config.bro ...
> generating broctl-config.sh ...
> updating nodes ...
> stopping ...
> stopping worker-2 ...
> stopping worker-1 ...
> stopping proxy-1 ...
> stopping manager ...
> starting ...
> starting manager ...
> starting proxy-1 ...
> starting worker-1 ...
> starting worker-2 ...
> [BroControl] > print SSH::interesting_hostnames
>     manager   SSH::interesting_hostnames = /(((((^?(^d?ns[0-9]*\.)$?)|(^?(^smtp[0-9]*\.)$?))|(^?(^mail[0-9]*\.)$?))|(^?(^pop[0-9]*\.)$?))|(^?(^imap[0-9]*\.)$?))|(^?(^www[0-9]*\.)$?)/
>     proxy-1   SSH::interesting_hostnames = /(((((^?(^d?ns[0-9]*\.)$?)|(^?(^smtp[0-9]*\.)$?))|(^?(^mail[0-9]*\.)$?))|(^?(^pop[0-9]*\.)$?))|(^?(^imap[0-9]*\.)$?))|(^?(^www[0-9]*\.)$?)/
>    worker-1   SSH::interesting_hostnames = /(((((^?(^d?ns[0-9]*\.)$?)|(^?(^smtp[0-9]*\.)$?))|(^?(^mail[0-9]*\.)$?))|(^?(^pop[0-9]*\.)$?))|(^?(^imap[0-9]*\.)$?))|(^?(^www[0-9]*\.)$?)/
>    worker-2   SSH::interesting_hostnames = /((((((^?(^d?ns[0-9]*\.)$?)|(^?(^smtp[0-9]*\.)$?))|(^?(^mail[0-9]*\.)$?))|(^?(^pop[0-9]*\.)$?))|(^?(^imap[0-9]*\.)$?))|(^?(^www[0-9]*\.)$?))|(^?(^ftp[0-9]*\.)$?)/
> 
> The line for worker-2 is even formatted strangely.  There's an extra set of parentheses surrounding the string of ((dns|smtp|mail|pop|imap|www) | ftp )
> 
Ah.. that's normal. It's actually more like.. so one extra item will have one extra paren added.

((((dns) |smtp) |mail) |pop) |imap)

> From my local.bro
> 
> 
> # Remove match for hostname with "ftp" for the SSH login success to interesting hostname from /share/bro/policy/protocols/ssh/interesting-hostnames.bro
> redef SSH::interesting_hostnames = /^d?ns[0-9]*\./ | /^smtp[0-9]*\./ | /^mail[0-9]*\./ | /^pop[0-9]*\./  | /^imap[0-9]*\./ | /^www[0-9]*\./;
> 
> Eric
> 

I bet you have a half-broken process for worker-2 lying around from when it had an issue. It may not have completely crashed... If you run

    broctl stop

and then

    broctl ps.bro

Are any bro processes returned related to worker-2?  Ensure that every bro process is stopped and then do a new deploy, that should clear things up.

-- 
- Justin Azoff
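To make the parenthesis nesting Justin describes concrete, and to turn his "do all nodes agree?" check into something that can be run over `broctl print` output, here is an added Python example (not code from the thread or from Bro itself). It assumes the composition rule `a | b` prints as `(a)|(b)` with each literal stored as `^?(p)$?`, inferred from the printed values above, and the proxy-1 and worker-1 lines are constructed to match the manager's as they did in the thread.

```python
import re
from collections import Counter

# Eric's six literals from local.bro ("ftp" removed) and the shipped default
# that still ends with "ftp", which is what the stale worker-2 printed.
LOCAL_BRO_PATTERNS = [r"^d?ns[0-9]*\.", r"^smtp[0-9]*\.", r"^mail[0-9]*\.",
                      r"^pop[0-9]*\.", r"^imap[0-9]*\.", r"^www[0-9]*\."]
DEFAULT_PATTERNS = LOCAL_BRO_PATTERNS + [r"^ftp[0-9]*\."]

# Two lines copied verbatim from the thread's `print SSH::interesting_hostnames`.
MANAGER_LINE = r"    manager   SSH::interesting_hostnames = /(((((^?(^d?ns[0-9]*\.)$?)|(^?(^smtp[0-9]*\.)$?))|(^?(^mail[0-9]*\.)$?))|(^?(^pop[0-9]*\.)$?))|(^?(^imap[0-9]*\.)$?))|(^?(^www[0-9]*\.)$?)/"
WORKER2_LINE = r"   worker-2   SSH::interesting_hostnames = /((((((^?(^d?ns[0-9]*\.)$?)|(^?(^smtp[0-9]*\.)$?))|(^?(^mail[0-9]*\.)$?))|(^?(^pop[0-9]*\.)$?))|(^?(^imap[0-9]*\.)$?))|(^?(^www[0-9]*\.)$?))|(^?(^ftp[0-9]*\.)$?)/"

def compose(patterns):
    """Rebuild the printed form of `p1 | p2 | ... | pn`. Assumed rule, inferred
    from the output above: a literal is stored as `^?(p)$?` and `a | b` prints
    as `(a)|(b)`, left to right, so each extra operand adds one leading '('."""
    leaves = [f"^?({p})$?" for p in patterns]
    acc = leaves[0]
    for leaf in leaves[1:]:
        acc = f"({acc})|({leaf})"
    return acc

def nesting_depth(printed):
    """Leading '(' count of a printed /pattern/: one less than the operand count."""
    body = printed.strip("/")
    return len(body) - len(body.lstrip("("))

LINE_RE = re.compile(r"^\s*(\S+)\s+\S+\s*=\s*(.*?)\s*$")

def parse_print_output(text):
    """Map node name -> printed value for each `broctl print` output line."""
    matches = (LINE_RE.match(line) for line in text.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}

def divergent_nodes(values):
    """Nodes whose value differs from the majority (a process that missed deploy)."""
    if not values:
        return []
    common = Counter(values.values()).most_common(1)[0][0]
    return sorted(node for node, v in values.items() if v != common)

# Constructed four-node output; proxy-1 and worker-1 assumed to match the manager.
PRINT_OUTPUT = "\n".join([
    MANAGER_LINE,
    f"    proxy-1   SSH::interesting_hostnames = /{compose(LOCAL_BRO_PATTERNS)}/",
    f"   worker-1   SSH::interesting_hostnames = /{compose(LOCAL_BRO_PATTERNS)}/",
    WORKER2_LINE,
])
```

`divergent_nodes(parse_print_output(PRINT_OUTPUT))` returns `['worker-2']`, and `nesting_depth` reports 5 for the redef'd value versus 6 for the stale default, which is the extra paren Eric noticed.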

