[Bro] ServerFound notices slowed (was DNS logging)

Tyler Schoenke Tyler.Schoenke at colorado.edu
Wed Dec 2 15:45:11 PST 2009


On a possibly related issue, I noticed that I am no longer seeing many 
ServerFound notices.  I used to see a lot of these notices with the 
older 1.4.19, Robin's branch.  The log format also changed around the 
time I stopped seeing the notices.  This was between Sept. 2nd and Sept. 
5th, 2009.

The alarm.log messages through Sept. 2nd looked like this:
Sep  2 12:26:14 ServerFound 128.x.x.x: SSH server on port 2222/tcp

On/after Sept. 5th it changed to this format:
Sep  5 05:12:25 no=ServerFound na=NOTICE_ALARM_ALWAYS es=worker-1 sa=128.x.x.x da=128.y.y.y dp=3919/tcp p=3919/tcp num=32 msg=128.x.x.x:\ SSH\ server\ on\ port\ 3919/tcp sub=SSH tag=@c5-2f10-bf17

I think the log format change happened when I switched from a 
stand-alone config to the cluster config with a single worker.  I don't 
understand why the ServerFound detections dropped so dramatically.  I 
went from detecting 261 servers when running stand-alone to only 5 when 
running as a cluster.

In my new cluster config, with the latest trunk, in local-manager.bro, 
[ProtocolDetector::ServerFound] = file_if_remote.  I changed 
file_if_remote to file_notice, but that didn't seem to make a difference.

I also commented ServerFound out of 
cluster-manager.detect-protocols.bro, but that didn't help either.

Any ideas what changed?

Tyler

On 11/12/2009 06:40 PM, Robin Sommer wrote:
>
> On Thu, Nov 12, 2009 at 07:46 -0500, Louis F Ruppert wrote:
>
>> $BROHOME/share/bro/broctl/cluster.dns.bro
>
> Yes, indeed. The cluster config is changing some defaults to values
> which seem to be more reasonable in a large setting. It's of course
> debatable what the definition of "reasonable" here is :-) With DNS
> one gets these huge logs which often aren't very helpful.
>
> So, the general guideline is when you're looking for a specific
> setting, also grep through the cluster's *.bro scripts.
>
>> (who also spent some time trying to figure this out)
>
> Sorry. :)
>
> Robin
>
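The two alarm.log formats shown in the post differ enough that a script counting ServerFound hits per protocol (the kind of comparison behind the 261-versus-5 figure above) has to handle both: the older single-line form, and the cluster key=value form in which spaces inside `msg=` are backslash-escaped. The parser below is an added example and not part of the thread or of Bro itself; the sample lines are constructed to match the quoted formats, and the regex for the legacy message body ("<addr>: <proto> server on port <port>") is an assumption drawn only from the single sample line in the post.

```python
"""Parse Bro 1.x alarm.log lines in both the old one-line form and the
newer key=value form, and tally ServerFound notices per protocol."""
import re
from collections import Counter

# Constructed sample lines, modelled on the two formats quoted in the post
# (addresses are placeholders in the 128.x.x.x / 128.y.y.y style used there).
OLD_FORMAT_LINES = [
    "Sep  2 12:26:14 ServerFound 128.0.0.1: SSH server on port 2222/tcp",
    "Sep  2 12:27:01 ServerFound 128.0.0.2: HTTP server on port 8080/tcp",
    "Sep  2 12:30:44 ServerFound 128.0.0.3: SSH server on port 22/tcp",
]
NEW_FORMAT_LINES = [
    "Sep  5 05:12:25 no=ServerFound na=NOTICE_ALARM_ALWAYS es=worker-1 "
    "sa=128.0.0.1 da=128.1.1.1 dp=3919/tcp p=3919/tcp num=32 "
    "msg=128.0.0.1:\\ SSH\\ server\\ on\\ port\\ 3919/tcp sub=SSH tag=@c5-2f10-bf17",
    "Sep  5 05:13:02 no=AddressScan na=NOTICE_ALARM_ALWAYS es=worker-1 "
    "sa=128.0.0.9 msg=128.0.0.9\\ has\\ scanned\\ 100\\ hosts sub=scan tag=@c5-2f10-bf18",
]

# Regex for the old-format ServerFound message body; an assumption based only
# on the single sample line in the post ("<addr>: <proto> server on port <port>").
_OLD_MSG_RE = re.compile(r"^(?P<sa>\S+): (?P<sub>\S+) server on port (?P<dp>\S+)$")
# Runs of non-space characters, treating a backslash-escaped space as part of the token.
_TOKEN_RE = re.compile(r"(?:\\.|\S)+")


def _tokenize(line):
    """Split on unescaped whitespace and drop the backslash escapes."""
    return [re.sub(r"\\(.)", r"\1", tok) for tok in _TOKEN_RE.findall(line)]


def parse_alarm_line(line):
    """Return a normalised dict for one alarm.log line, or None if unparseable."""
    tokens = _tokenize(line)
    if len(tokens) < 4:
        return None
    record = {"ts": " ".join(tokens[:3]), "notice": None, "sa": None,
              "dp": None, "sub": None, "msg": None}
    body = tokens[3:]
    if "=" in body[0]:
        # Cluster key=value format: no=, sa=, dp=, msg=, sub=, ...
        fields = dict(tok.split("=", 1) for tok in body if "=" in tok)
        record["format"] = "kv"
        record["notice"] = fields.get("no")
        record["sa"] = fields.get("sa")
        record["dp"] = fields.get("dp")
        record["sub"] = fields.get("sub")
        record["msg"] = fields.get("msg")
    else:
        # Legacy format: "<timestamp> <NoticeType> <free-text message>"
        record["format"] = "legacy"
        record["notice"] = body[0]
        record["msg"] = " ".join(body[1:])
        m = _OLD_MSG_RE.match(record["msg"])
        if m:
            record.update(m.groupdict())
    return record


def count_server_found(lines):
    """Tally ServerFound notices by detected protocol (the 'sub' field)."""
    counts = Counter()
    for line in lines:
        rec = parse_alarm_line(line)
        if rec and rec["notice"] == "ServerFound":
            counts[rec["sub"] or "unknown"] += 1
    return counts


if __name__ == "__main__":
    for name, lines in (("stand-alone", OLD_FORMAT_LINES), ("cluster", NEW_FORMAT_LINES)):
        print(name, dict(count_server_found(lines)))
```

Running the same tally over the stand-alone and cluster alarm.log files gives a per-protocol breakdown rather than a single total, which makes it easier to see whether a drop like the one described is uniform or confined to particular services.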
