[Bro-Dev] Offline Broker usage (Re: [Bro-Commits] [git/bro] topic/actor-system: Fix Known scripts to be able to use alternate implementation (50e1498))

Robin Sommer robin at icir.org
Thu Mar 8 09:15:34 PST 2018


Jon, I noticed your commit message on data store expiration:

> commit 50e1498d2b39d6af1f70dbc042ab544506a67e43
> Author: Jon Siwek <jsiwek at corelight.com>
> Date:   Wed Mar 7 21:24:46 2018 -0600
> 
>     Fix Known scripts to be able to use alternate implementation
>     
>     And run the external test suite using the alternate implementation
>     due to data stores behaving differently when running on offline pcaps.
>     E.g. expirations are based on wall time, not packet time, and timeouts
>     (which *are* based on packet time) may occur when the store is still
>     initializing due to a large interval of packet time passing.

That brings up an interesting question on data store semantics in
offline vs online mode. Ideally, there wouldn't be any difference
between the two operation modes, so that running on a trace gives
exactly the same results as online. That would match how Bro generally
operates. Could we make data store expiration driven by network time?
That'd need an API for Bro to drive Broker time forward. And for the
initialization, maybe Bro could wait for the initialization to finish?
Although I'm not quite sure here which initialization that refers to;
it may not be feasible.

Are there other differences with stores between online and offline
operation?

Robin


-- 
Robin Sommer * Corelight, Inc. * robin at corelight.com * www.corelight.com
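To illustrate the wall-time versus packet-time difference the commit message describes, here is a small added example (written for this note, not Bro's or Broker's own code): a toy expiring store whose expiration is measured by an injectable clock, replayed over a constructed trace with a large gap in packet time. The store class, the `NetworkClock` interface and the trace are all assumptions made for the illustration.

```python
import time

class ExpiringStore:
    """Minimal key/value store: an entry expires `expiry` seconds after it was
    put, measured by `clock()`. Assumed interface, not Broker's store API."""
    def __init__(self, expiry, clock):
        self.expiry = expiry
        self.clock = clock
        self._data = {}  # key -> (value, inserted_at)
    def put(self, key, value):
        self._data[key] = (value, self.clock())
    def _expire(self):
        # Drop every entry whose age, as seen by the store's clock, reached expiry.
        now = self.clock()
        for k in [k for k, (_, t) in self._data.items() if now - t >= self.expiry]:
            del self._data[k]
    def get(self, key):
        self._expire()
        v = self._data.get(key)
        return None if v is None else v[0]

class NetworkClock:
    """Network time driven forward by packet timestamps (the kind of API the
    message proposes so Bro can advance Broker time; assumed, not real)."""
    def __init__(self):
        self.now = 0.0
    def advance_to(self, ts):
        self.now = max(self.now, ts)
    def __call__(self):
        return self.now

# Constructed trace: (packet timestamp, host seen). The third packet arrives
# more than an hour of packet time after the second one.
TRACE = [(1000.0, "10.0.0.1"), (1010.0, "10.0.0.1"), (4700.0, "10.0.0.1")]

def replay(store, net_clock=None):
    """Return, per packet, whether the host was still known (not yet expired)."""
    seen = []
    for ts, host in TRACE:
        if net_clock is not None:
            net_clock.advance_to(ts)   # packet time drives the store's clock
        seen.append(store.get(host) is not None)
        store.put(host, True)
    return seen

def wall_time_run():
    # Offline replay takes microseconds of wall time, so nothing ever expires.
    return replay(ExpiringStore(expiry=3600, clock=time.time))

def network_time_run():
    # Expiration keyed to packet time gives the same result as a live run would.
    clk = NetworkClock()
    return replay(ExpiringStore(expiry=3600, clock=clk), clk)
```

With wall-time expiration the replay reports the host as known for the third packet even though an hour of trace time has passed; with network-time expiration it has expired, which is the online-equivalent behaviour.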

