[Bro] ServerFound notices slowed (was DNS logging)

Robin Sommer robin at icir.org
Thu Dec 3 09:48:12 PST 2009


On Wed, Dec 02, 2009 at 16:45 -0700, you wrote:

> I think the log format change happened when I switched from a  
> stand-alone config to the cluster config with a single worker. 

Yes, the cluster switches to the better parseable log format; the
option for that is "use_tagging" in notice.bro.

(To extend my earlier note about the cluster configuration setting a
few defaults differently: that's the case for a number of features we
have added to Bro in the past that are in some way incompatible with
older Bro installations, like changes in log format. We have rarely
turned these on per default to not break anything. The cluster now
flips over some of these switches to get the new behaviour for new
installations. Another example of that are DPD-based conn.logs: the
service field in conn.log is now determined via DPD so you may for
example now see "ssh" there for an SSH session on port 80, while the
standard Bro default would still say "http".)

There shouldn't be a difference though between broctl's cluster and
standalone modes in this regard. I've just checked this for the
use_tagging setting, and that's enabled by default in the standalone
setting as well now; it might not have been in earlier versions.

> The alarm.log messages through Sept. 2nd looked like this.
> Sep  2 12:26:14 ServerFound 128.x.x.x: SSH server on port 2222/tcp
>
> On/after Sept. 5th changed to this format:
> Sep  5 05:12:25 no=ServerFound na=NOTICE_ALARM_ALWAYS es=worker-1  
> sa=128.x.x.x da=128.y.y.y dp=3919/tcp p=3919/tcp num=32 msg=128.x.x.x:\  
> SSH\ server\ on\ port\ 3919/tcp sub=SSH tag=@c5-2f10-bf17
>
> understand why the ServerFound detections dropped so dramatically.  I  
> went from detecting 261 servers when running stand-alone to only 5 when  
> running as a cluster.

I don't think the differences in the output format are (directly)
linked to the missing ServerFounds. There must be another reason why
you're seeing fewer. Have you looked at notice.log to see whether there are
more ServerFounds in there? If yes, then they are filtered out
somewhere before they reach alarm.log; if not, then they are not
generated in the first place.

Robin

-- 
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org 
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
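An added example, not from the thread and not Bro's own code: a small Python parser for both alarm.log formats quoted above (the untagged "ServerFound ..." lines and the use_tagging key=value lines) that counts notices per type, which is the notice.log-versus-alarm.log comparison Robin suggests. The sample lines are constructed from the quoted ones with placeholder addresses, and the rule that a backslash escapes the following character in tagged fields is inferred from the quoted `msg=` value, not taken from Bro documentation.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the two formats quoted in the thread
# (addresses are placeholders, not real hosts).
OLD_FORMAT = """Sep  2 12:26:14 ServerFound 128.x.x.x: SSH server on port 2222/tcp
Sep  2 12:30:01 ServerFound 128.x.x.y: HTTP server on port 8080/tcp
"""

TAGGED_FORMAT = r"""Sep  5 05:12:25 no=ServerFound na=NOTICE_ALARM_ALWAYS es=worker-1 sa=128.x.x.x da=128.y.y.y dp=3919/tcp p=3919/tcp num=32 msg=128.x.x.x:\ SSH\ server\ on\ port\ 3919/tcp sub=SSH tag=@c5-2f10-bf17
Sep  5 05:13:40 no=ServerFound na=NOTICE_ALARM_ALWAYS es=worker-1 sa=128.x.x.z da=128.y.y.y dp=80/tcp p=80/tcp num=33 msg=128.x.x.z:\ SSH\ server\ on\ port\ 80/tcp sub=SSH tag=@c5-2f10-bf18
Sep  5 05:14:02 no=AddressScan na=NOTICE_ALARM_ALWAYS es=worker-1 sa=10.0.0.5 num=34 msg=10.0.0.5\ has\ scanned\ 100\ hosts tag=@c5-2f10-bf19
"""

TIMESTAMP = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<rest>.*)$")
# One key=value field; assumed escaping rule: a backslash protects the next
# character, so "\ " inside a value is a literal space rather than a separator.
FIELD = re.compile(r"(?P<key>\w+)=(?P<val>(?:\\.|[^\s\\])*)")


def unescape(value):
    """Undo the backslash escaping used in tagged notice fields."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_notice(line):
    """Return a dict for one alarm.log/notice.log line in either format, or None."""
    m = TIMESTAMP.match(line)
    if not m:
        return None
    rest = m.group("rest")
    if re.match(r"\w+=", rest):  # use_tagging format: key=value fields
        fields = {k: unescape(v) for k, v in FIELD.findall(rest)}
        fields["ts"] = m.group("ts")
        return fields
    # Untagged format: "<NoticeType> <message>"; reuse the tagged key "no" for the type
    notice, _, msg = rest.partition(" ")
    return {"ts": m.group("ts"), "no": notice, "msg": msg}


def notice_counts(text):
    """Count notices per type so notice.log and alarm.log can be compared directly."""
    counts = Counter()
    for line in text.splitlines():
        n = parse_notice(line)
        if n:
            counts[n["no"]] += 1
    return counts


def missing_in_alarm(notice_log, alarm_log, notice_type="ServerFound"):
    """Positive result: notices exist in notice.log but are filtered before alarm.log.
    Zero with low counts on both sides: they are not being generated at all."""
    return notice_counts(notice_log)[notice_type] - notice_counts(alarm_log)[notice_type]
```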
