[Bro] &expire_func functionality/verification with pcap

Seth Hall seth at corelight.com
Tue Oct 31 07:42:35 PDT 2017



On 31 Oct 2017, at 10:09, Lamps, Jereme wrote:

>   *   Having Bro read in a 1GB test.pcap, waiting for minutes (with 
> exit_only_after_terminate=T), then CTRL-C to exit
>   *   Having Bro listen on a dummy interface and tcpthrow the 
> test.pcap against it, waiting for minutes then CTRL-C to exit
>
> It seems to work for a subset of the connections but not all of them. 
> My hunch is that Bro’s connection state table has no strict 
> time-based removal process, so the connection_state_remove event will 
> not be triggered unless I throw more data at it

I believe that's correct.  The combination of the 
exit_only_after_terminate setting and reading a pcap is not particularly 
well supported because it's not needed for most circumstances.  It's 
also conceptually hard to pull off cleanly because Bro's packet clock is 
driven by incoming packet timestamps.  The reason you aren't seeing 
those connections expire is because as far as Bro is concerned time has 
stopped the moment that packets stop coming in.

   .Seth

--
Seth Hall * Corelight, Inc * www.corelight.com
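The following script is an added illustration of the behaviour described above; it is example code written for this page, not a script from the thread or from the Bro project. It keeps a table of connection uids with `&create_expire` and an `&expire_func`, and prints both the packet clock (`network_time()`) and the wall clock (`current_time()`) whenever an entry expires. The module name, the 10-second lifetime and the choice of keying on `c$uid` are assumptions made for the demo.

```bro
# Added example (not from the original thread or the Bro project): shows that
# &expire_func is driven by Bro's packet-derived clock, not by wall-clock time.
module ExpireDemo;

export {
    ## How long an entry lives after creation. 10 seconds is an assumed
    ## value for the demo; override it with redef if needed.
    const lifetime = 10sec &redef;
}

# Called by Bro when an entry's timer fires. Returning 0secs lets the entry be
# removed; returning a positive interval keeps it alive that much longer.
function expire_conn(t: table[string] of time, uid: string): interval
    {
    print fmt("expired %s after %s of packet time (created %s, network_time %s, current_time %s)",
              uid, network_time() - t[uid], t[uid], network_time(), current_time());
    return 0secs;
    }

# Entries are stamped with the packet clock at creation time.
global seen: table[string] of time &create_expire=lifetime &expire_func=expire_conn;

event new_connection(c: connection)
    {
    seen[c$uid] = network_time();
    }

event bro_done()
    {
    # Anything still here never saw its timer fire: the packet clock stopped
    # before `lifetime` of packet time had elapsed since the entry was created.
    for ( uid in seen )
        print fmt("still in table at exit: %s (age in packet time: %s)",
                  uid, network_time() - seen[uid]);
    }
```

Run it as `bro -r test.pcap expire_demo.bro` and compare the two clocks in the output: `current_time()` advances at whatever speed the machine reads the file, while `network_time()` only moves from one packet timestamp to the next. Connections created within the last `lifetime` of packet time before the final packet are listed by `bro_done` as never expired, and setting `exit_only_after_terminate=T` and waiting does not change that, because `network_time()` stays at the last packet's timestamp until another packet arrives. Expiry checks also run on the packet clock, at the granularity of `table_expire_interval` (10 seconds by default), so an entry may expire somewhat later than exactly `lifetime` after creation.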
