[Bro] Debugging policy

Vern Paxson vern at icir.org
Mon Jun 23 09:46:13 PDT 2008


> bro -r test.pcap -t tracefile.txt local.clear-passwords.bro
> 
> which takes around 30 minutes(!?!) to give me a fairly unhelpful error
> about my policy.
> ...
> Bro doesn't even show up in the first page of "top" processes.

Try setting the environment variable BRO_DNS_FAKE to turn off DNS lookups.
Most likely it's simply sitting in a series of long DNS timeouts.

> The error bro gives is "parse error at or near event", the line number
> is for the "event account_tried" declaration.  I'm guessing that I
> have a syntax error in my password array, but this process is making
> debugging slow.

Yes, you don't have a ';' at the end of "global known_pass = { ... }".

		Vern


