[Bro-Dev] Bro 2.6-beta plans

Azoff, Justin S jazoff at illinois.edu
Thu Sep 6 13:34:52 PDT 2018

> On Sep 6, 2018, at 4:19 PM, Jon Siwek <jsiwek at corelight.com> wrote:
> On Thu, Sep 6, 2018 at 3:14 PM Azoff, Justin S <jazoff at illinois.edu> wrote:
>> I tested an almost stock local.bro (a few additional things disabled) and saw the same thing.
>> fa7fa5aa is fine, but with 452eb0cb everything is working really hard to do something.
> Thanks for that, I'll start looking into it, but still would be
> helpful if you could try disabling message forwarding (or disable ssl
> + look at some captured traffic to see if you can understand what
> might be happening).  Thanks.
> - Jon

Yeah, that fixed it!

I re-enabled that and then disabled ssl and I am looking at the comm stuff going to the logger, which should just be logs

This seems to work for basic quick analysis:

[root at bro40-dev ~]# tcpdump  -n -i em1 port 47761 -A|sed "s/\.\.\.\.\./\n/g"|egrep -io  broker.* |head -n 10000|sort|uniq  -c|sort -nr
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em1, link-type EN10MB (Ethernet), capture size 262144 bytes
tcpdump: Unable to write output: Broken pipe
   8842 broker::topic+broker::internal_command+ at u32.bro/known/certs/<$>/data/clone
   1124 broker::topic+broker::internal_command+ at u32.bro/known/hosts/<$>/data/clone
      8 broker::internal_command+ at u32.bro/known/certs/<$>/data/clone
      5 broker::topic+broker::internal_command+@

Justin Azoff

More information about the bro-dev mailing list