[Bro] &expire_func functionality/verification with pcap

Lamps, Jereme jlamps at sandia.gov
Tue Oct 31 07:09:12 PDT 2017


Building a little off my previous question, I have a structure my_table defined:
global my_table: table[string] of vector of HTTP::Info &write_expire = 30secs &expire_func=process;
and my_table will get written to in the connection_state_remove event, which should then call the expire_func 30s later.

I have tried triggering the functionality two ways:

  *   Having Bro read in a 1GB test.pcap, waiting for minutes (with exit_only_after_terminate=T), then CTRL-C to exit
  *   Having Bro listen on a dummy interface and tcpthrow the test.pcap against it, waiting for minutes then CTRL-C to exit

It seems to work for a subset of the connections but not all of them. My hunch is that Bro’s connection state table has no strict time-based removal process, so the connection_state_remove event will not be triggered unless I throw more data at it. My second thought is that it does get triggered at the end for the CTRL-C, but then shuts down before the expire_func fires 30secs later.

If my hunches are correct please let me know, as then it should theoretically work with Bro on the wire as new data comes in. But for testing purposes, is there any way to either force flushes of the connection table or ensure that Bro waits long enough after the CTRL-C to handle the expire_func?

Best,

Jereme Lamps
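An added Bro script (not the poster's own code) showing the shape of a table that can be exercised with `bro -r test.pcap`; the names my_table and process follow the post, while keying by originator host and the body of the expire function are assumptions:

```bro
# Added example, not from the original post. The expire function receives
# the table and the index being expired and returns an interval: 0secs lets
# the entry go, a positive value postpones expiration by that much.
global process: function(t: table[string] of vector of HTTP::Info,
                         key: string): interval;

# Same declaration as in the post: the entry expires 30secs after the
# last write to that index, and process() is called when it does.
global my_table: table[string] of vector of HTTP::Info
    &write_expire = 30secs &expire_func = process;

function process(t: table[string] of vector of HTTP::Info, key: string): interval
    {
    # Logging the expiration is an assumption; the post does not say what
    # process() does with the collected records.
    print fmt("%s expired at network time %s with %d HTTP records",
              key, network_time(), |t[key]|);
    return 0secs;
    }

event connection_state_remove(c: connection)
    {
    # Only HTTP connections carry an HTTP::Info record (assumed key: orig_h).
    if ( ! c?$http )
        return;

    local key = fmt("%s", c$id$orig_h);

    if ( key !in my_table )
        {
        my_table[key] = vector(c$http);
        return;
        }

    # Append to a local copy and write it back so the assignment counts as
    # a write to the table index and refreshes the &write_expire timer.
    local v = my_table[key];
    v[|v|] = c$http;
    my_table[key] = v;
    }
```

When reading a pcap, network time advances only with packet timestamps, so a 30secs write expiration is noticed only once later packets in the trace push network time past it (expiration is checked every table_expire_interval); waiting in wall-clock time after the last packet does not advance it.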