[Bro-Dev] Bro 2.6-beta plans

Jon Siwek jsiwek at corelight.com
Thu Sep 6 13:14:51 PDT 2018


On Thu, Sep 6, 2018 at 2:47 PM Azoff, Justin S <jazoff at illinois.edu> wrote:

> I just got 2 clusters upgraded from
>
> fa7fa5aa to
> 452eb0cb
>
> And now everything is broken..
>
> CPU and memory are through the roof across the board, as well as network traffic, but it's not logging much.
>
> I may have created a message loop replacing the relay_rr stuff, but it's kind of hard to tell.

The recent forwarding changes would be my main suspicion and, at least
in the default scripts, there's no communication patterns that
actually make use of the automatic forwarding, so can you check if
adding "redef Broker::forward_messages = F;" to site/local.bro makes a
difference?

If it does fix things, then yeah, either I missed a forwarding loop in
the default scripts or potentially you introduced one when replacing
relay_rr (feel free to point me at stuff to look over).

(Generally may want to just leave message forwarding turned off due to
these types of dangers if that's what it turns out to be...).

> I guess one observation is that it is really hard to tell what bro/broker are doing. Before you could minimally
> tcpdump the communication and see what events were being sent back and forth, but now that is encrypted.

You can redef Broker::disable_ssl=T.  I don't recall how readable the
non-encrypted communications are, but I think I did it at least once
or twice and still was able to spot event names.

- Jon
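The two knobs Jon mentions, collected into one site/local.bro fragment as an added example (not something posted in this thread). Both option names are taken from the reply above; the comments, and the assumption that the cluster nodes all load the same site/local.bro, are mine:

```bro
##! site/local.bro fragment for bisecting the problem described in this thread.
##! Added example; the option names come from Jon's reply, the rest is assumed.

@load base/frameworks/broker

# First test: turn off automatic message forwarding. The default scripts do
# not rely on it, so if CPU/memory/network settle down after a restart with
# this set, a forwarding loop (in the default scripts or in a relay_rr
# replacement) is the likely culprit. Leaving it off is a reasonable default
# given the loop risk.
redef Broker::forward_messages = F;

# Debugging aid only: send Broker traffic in the clear so a packet capture on
# the cluster interconnect shows event names again. This removes encryption
# from all node-to-node communication, so enable it only for a short window
# on a network you control, restart every node so they agree on the setting,
# and remove the line (restoring the encrypted default) when done.
redef Broker::disable_ssl = T;
```

Deploy the fragment to every node (for example with `broctl deploy`) rather than restarting a single node, since peers that disagree on the SSL setting will not be able to talk to each other.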
