[Bro] Debugging policy
Vern Paxson
vern at icir.org
Mon Jun 23 09:46:13 PDT 2008
> bro -r test.pcap -t tracefile.txt local.clear-passwords.bro
>
> which takes around 30 minutes(!?!) to give me a fairly unhelpful error
> about my policy.
> ...
> Bro doesn't even show up in the first page of "top" processes.
Try setting the environment variable BRO_DNS_FAKE to turn off DNS lookups.
Most likely it's simply sitting in a series of long DNS timeouts.
> The error bro gives is "parse error at or near event", the line number
> is for the "event account_tried" declaration. I'm guessing that I
> have a syntax error in my password array, but this process is making
> debugging slow.
Yes, you don't have a ';' at the end of "global known_pass = { ... }".
Vern
More information about the Bro
mailing list