[Bro] Debugging policy
Greg Lindon
greglindon at gmail.com
Mon Jun 23 09:14:37 PDT 2008
OK, so I'm still having problems :(
I have a small pcap (1.6 MB) with a telnet login to test with, but it
is taking forever for bro to even get to the point of giving me an
error with my policy. I am running bro 1.3.2 with:
bro -r test.pcap -t tracefile.txt local.clear-passwords.bro
which takes around 30 minutes (!?!) to give me a fairly unhelpful error
about my policy. Why is it so slow? In tracefile.txt I only get
stuff from bro.init about opening log files, and in the terminal I
only get the usual stuff from scan.bro about the DNS root servers.
Why is scan.bro even being run? As far as I can see, the policy files
that I am including (see attached) don't depend on it?
I thought the box I was using might be overly taxed with other
software, but I installed it somewhere else with the same slow result.
Bro doesn't even show up in the first page of "top" processes. Is
there some sort of nice-ing going on that I can turn off? Can I tell
it to consume more system resources?
The error bro gives is "parse error at or near event"; the line number
is for the "event account_tried" declaration. I'm guessing that I
have a syntax error in my password array, but this process is making
debugging slow.
Thoughts?
Greg
On Fri, Jun 20, 2008 at 2:19 PM, Robin Sommer <robin at icir.org> wrote:
>
> On Fri, Jun 20, 2008 at 14:12 -0400, Greg Lindon wrote:
>
>> Thanks guys, that helps. Robin I'll take a look at the cluster, looks like
>> you have a standalone config in there, so that will have to do for the time
>> being - won't be getting any new boxes in the immediate future to make a
>> real cluster.
>
> Right, that's the idea: the standalone config is for a traditional,
> single-box install. You don't need an actual cluster to use the new
> framework (perhaps we should at some point rename the framework's
> main script from "cluster" to something less specific).
>
> Robin
>
>
>
> --
> Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
> ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
>
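Greg's question above concerns a Bro policy that fails to parse at its `event account_tried` declaration and that keeps an array of cleartext passwords. The script below is an added illustration, not Greg's attached bro_clear_pass_policy.txt and not part of the Bro distribution: a minimal, syntactically valid policy in the same style, with a redef-able set of weak passwords and a handler for the login analyzer's `account_tried` event that reports any telnet/rlogin login attempt using one of them. The module name, the set name `weak_passwords`, and its sample entries are assumptions.

```bro
# Added example (not the attached policy): flag telnet/rlogin logins
# that use a known weak cleartext password.

@load login    # Bro 1.x login analyzer; it is what raises account_tried

module ClearPasswords;

export {
    # Cleartext passwords worth reporting. The entries are constructed
    # samples; the set can be extended from a site policy via redef.
    const weak_passwords: set[string] = {
        "password",
        "123456",
        "admin"
    } &redef;
}

# Raised once per login attempt the analyzer observes.
event account_tried(c: connection, user: string, passwd: string)
    {
    if ( passwd in weak_passwords )
        print fmt("%s weak cleartext password for user %s from %s to %s",
                  network_time(), user, c$id$orig_h, c$id$resp_h);
    }
```

Note that the closing `}` of the set initializer must be followed by `;` (after any attributes such as `&redef`). Bro's parser reports an error at the first token it cannot place, so a declaration left unterminated in this way is commonly reported at the `event` keyword on the following line rather than at the set itself, which matches the symptom described above.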
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: bro_clear_pass_policy.txt
Url: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20080623/49fc8232/attachment.txt