[Bro-Dev] [JIRA] (BIT-1181) Input-framework errors should be fatal (or Notice_Alarm) instead of silent reporter::error failures

Robin Sommer (JIRA) jira at bro-tracker.atlassian.net
Wed Apr 9 07:52:07 PDT 2014


    [ https://bro-tracker.atlassian.net/browse/BIT-1181?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16107#comment-16107 ] 

Robin Sommer commented on BIT-1181:
-----------------------------------

We could in principle add an input_framework_error() event or so, and
then handle that accordingly. But I'm reluctant to do that because I
don't really want to start giving subsystems their own error
reporting--the reporter is the attempt to unify such reporting.

Maybe we need to extend the reporter interface with more context
though. What if it had a "component" parameter telling what part of
Bro generated the message. That could be a framework or a specific
analyzer. Then one could easily, e.g., escalate all input framework
errors. And if one really wanted to turn them into fatal errors, one
can call exit() manually at that point.

How does that sound? It's a bit of work though because the reporter calls
need to be adapted throughout Bro ...





> Input-framework errors should be fatal (or Notice_Alarm) instead of silent reporter::error failures
> ---------------------------------------------------------------------------------------------------
>
>                 Key: BIT-1181
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1181
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.2
>            Reporter: Aashish Sharma
>            Assignee: Bernhard Amann
>              Labels: input-framework
>
> I noticed many times that if there is a problem in a feed file (syntax, or some other issue) and input-framework is unable to read the file, it generates a Reporter::Error. This is a silent failure condition, i.e., Bro continues to operate as normal and the error is logged into reporter log.
> Ideally above is the right thing to do. However, this failure results in no data in the tables getting updated any more while I continue to operate under the impression that Bro is working fine (unless I have explicitly been looking at reporter log for this issue, which now I do).
> If input-framework is unable to read/digest data from a feed, I believe that should be a (configurable) fatal error or something which at least triggers an alarm/alert/email. 



--
This message was sent by Atlassian JIRA
(v6.3-OD-02-026#6318)
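
A stopgap check for the silent-failure condition described in the issue, as an added example that is not part of the original message or of Bro's code: it scans reporter.log for Reporter::ERROR entries from the input framework and returns a non-zero status so a cron job or monitor can alert. The log lines are constructed, and recognising input-framework messages by the substring `Input::READER_` is an assumption.

```python
import io

# Constructed reporter.log excerpt (tab-separated Bro log; not from the original message).
SAMPLE_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tlevel\tmessage\tlocation\n"
    "#types\ttime\tenum\tstring\tstring\n"
    "1397055127.000000\tReporter::INFO\tprocessing continued\t(empty)\n"
    "1397055130.000000\tReporter::ERROR\t/feeds/intel.dat/Input::READER_ASCII: "
    "Did not find requested field indicator in input data file /feeds/intel.dat.\t(empty)\n"
    "1397055131.000000\tReporter::ERROR\tfield value missing [c$id]\tlocal.bro, line 12\n"
    "1397055190.000000\tReporter::WARNING\t/feeds/intel.dat/Input::READER_ASCII: "
    "Could not read line 4, skipping\t(empty)\n"
    "1397055200.000000\tReporter::ERROR\n"  # truncated line, must be skipped
)

# Assumption: input-framework messages are identified by this substring.
INPUT_MARKER = "Input::READER_"


def parse_reporter_log(stream):
    """Yield one dict per record, using the column order from the #fields header."""
    fields = None
    for line in stream:
        line = line.rstrip("\n")
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split("\t")
            if len(values) == len(fields):  # ignore truncated or malformed lines
                yield dict(zip(fields, values))


def input_framework_errors(stream, levels=("Reporter::ERROR",)):
    """Return records at the given levels whose message came from an input reader."""
    return [r for r in parse_reporter_log(stream)
            if r["level"] in levels and INPUT_MARKER in r["message"]]


def main(stream=None):
    hits = input_framework_errors(stream or io.StringIO(SAMPLE_LOG))
    for r in hits:
        print(f"ALERT {r['ts']} {r['message']}")
    return 1 if hits else 0  # non-zero status lets the caller raise an alarm


if __name__ == "__main__":
    raise SystemExit(main())
```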

