[Bro] Bro is running, but ...
Brian Tierney
bltierney at lbl.gov
Wed Jan 17 09:07:52 PST 2007
Have you set the env variable BROHOME?
This script looks for the PID of the current bro to kill by looking
at BRO_RUNTIME_DIR, which is defined in $BROHOME/etc/bro.cfg.
Thorolf wrote:
> Hello everyone,
> and happy new year!
>
> I am observing some weird things regarding bro.
>
> fw1-net1# /usr/local/etc/rc.d/bro.sh checkpoint
> bro.rc: Beginning the checkpoint process
> bro.rc: No current instance of Bro is running.
>
> fw1-net1# ps -aux | grep bro
> root 157 0.0 0.1 1776 1124 ?? I Mon12AM 0:00.01 /bin/sh
> /usr/local/bro/etc/bro.rc start
> root 165 0.0 3.5 40340 36556 ?? S Mon12AM 42:12.20
> /usr/local/bro/bin/bro -W -i re1 local.site.bro
>
> I have to kill the bro process and start it again.
> I'm running bro 1.1c on FreeBSD 6.2-PRERELEASE.
>
> We have custom rules which react to events using system(), and calling
> pfctl to extend specific tables in the firewall ruleset. Everything is
> working fine, but from time to time, let's say once a week, bro doesn't
> react as expected. We have logfiles showing that the events were there, but the tables
> are not extended with the origin IP addresses.
>
> Does anyone know what can be wrong, or has someone observed the same
> behavior?
>
> The custom site-rule isn't different from conn.bro just triggered on
> specific traffic.
>
> Regards,
> /rl
--
------------------------------------------------------------------------
Brian L. Tierney, Lawrence Berkeley National Laboratory (LBNL)
1 Cyclotron Rd. MS: 50B-2239, Berkeley, CA 94720
tel: 510-486-7381 fax: 510-495-2998 efax: 425-642-4558
bltierney at lbl.gov http://www-didc.lbl.gov/~tierney
------------------------------------------------------------------------