[Bro] Bro is running, but ...
Thorolf
ml at grid.einherjar.de
Tue Jan 16 01:53:02 PST 2007
Hello everyone,
and happy new year!
I am observing some weird things regarding Bro.
fw1-net1# /usr/local/etc/rc.d/bro.sh checkpoint
bro.rc: Beginning the checkpoint process
bro.rc: No current instance of Bro is running.
fw1-net1# ps -aux | grep bro
root 157 0.0 0.1 1776 1124 ?? I Mon12AM 0:00.01 /bin/sh /usr/local/bro/etc/bro.rc start
root 165 0.0 3.5 40340 36556 ?? S Mon12AM 42:12.20 /usr/local/bro/bin/bro -W -i re1 local.site.bro
I have to kill the bro process and start it again.
I'm running bro 1.1c on FreeBSD 6.2-PRERELEASE.
We have custom rules which react to events using system(), and calling
pfctl to extend specific tables in the firewall ruleset. Everything is
working fine, but from time to time, let's say one time a week, bro doesn't
react as expected. We have logfiles showing that the events were there, but the
tables are not extended with the origin IP addresses.
Does anyone know what can be wrong, or maybe someone has observed the same
behavior?
The custom site-rule isn't different from conn.bro, just triggered on
specific traffic.
Regards,
/rl