[Bro-Dev] Duplicate Notice Actions Regression?

Vlad Grigorescu vladg at cmu.edu
Fri Feb 8 11:50:02 PST 2013


Recently, I've been seeing Bro perform duplicate notice actions. I think this commit might have introduced a regression: <http://git.bro-ids.org/bro.git/commitdiff/290c2a0b4df2db38ade684cf386a5c9b6b271d9e>

>  # The notice policy is completely handled by the manager and shouldn't be 
>  # done by workers or proxies to save time for packet processing.
> -event bro_init() &priority=11
> -       {
> -       Notice::policy = table();
> -       }
> +redef Notice::policy = table();
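
Review bot: The added `redef Notice::policy = table();` sets the table's value only at script-load time, so unlike the removed `bro_init` handler with `&priority=11` it does not guarantee the table is empty when event handlers run. A `redef Notice::policy += ...` in any script loaded after this file would still leave entries in the table on workers and proxies. Consider keeping the clear in a `bro_init` handler whose priority is higher than that of the handler that reads `Notice::policy`, or extend the comment above the change to state the load-order assumption that makes the `redef` sufficient.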

Specifically, reading from the commit that fixed the duplicate notice action issue (<http://git.bro-ids.org/bro.git/commitdiff/53d9832d5adb526bf80f1d225a13941c7d05bdb2>):

> The problem was that Notice::policy is used to populate the internal Notice::ordered_policy vector in a priority 10 bro_init handler (in scripts/base/frameworks/notice/main.bro) and then that is what is used when applying policy to notices.  In order for scripts/base/frameworks/notice/cluster.bro to prevent Notice::policy from being used on non-manager nodes, it needs to clear it in a bro_init handler of higher priority than 10.

Am I on the right track here? If not, does anyone have any other ideas of what might be causing this?

Thanks,

  --Vlad