[Bro] Is there a way to intentionally delay Bro's reading of trace file for something else to finish first?

Azoff, Justin S jazoff at illinois.edu
Tue Oct 10 06:16:47 PDT 2017

> On Oct 9, 2017, at 10:31 PM, Ren, Wenyu <wren3 at illinois.edu> wrote:
> Hi Anthony and Justin,
> Thanks a lot for your solutions. I think using the suspend and continue works. Actually, I have another question about using pybroker. I have a listener in my Python program doing something as follows:
>    epl = endpoint("listener")
>    mql = message_queue("bro/event", epl)
>    icsq = epl.incoming_connection_status()
>    epl.listen(10007, "")
>    select.select([icsq.fd()],[],[])
>    msgs = icsq.want_pop()
>    for m in msgs:
>        print("incoming connection", m.peer_name, m.status)
>        assert(m.peer_name == "connector")
>        assert(m.status == incoming_connection_status.tag_established)
>    while True:
>        select.select([mql.fd()], [], [])
>        msgs = mql.want_pop()
>        for m in msgs:
>            raw_data_queue.put_nowait(m)
>            gevent.sleep(0)
> I put the listener inside a greenlet, which is a coroutine I use for my own purpose. The problem is that I don't know a good way to terminate this Python program as soon as the Bro part finishes processing all of the trace file. If I just terminate by using Ctrl+C, the current port will not be released, and that prevents me from using it in the future. Do you have any good ideas about how I should stop this listener and free that port as soon as Bro stops sending more events?
> Best,
> Wenyu

You could use the bro_done event to send an "EXIT" message to your Python listener telling it that Bro is done running and it should exit.

The problem with the port sounds like something is not setting SO_REUSEADDR inside broker.

Justin Azoff
