[Bro] broclient and NOTICE()
Robin Sommer
robin at icir.org
Tue Feb 17 13:37:03 PST 2009
On Tue, Feb 17, 2009 at 06:34 +0000, you wrote:

> > 1234849021.842185 run-time error: peer 10000 does not exist
> > 1234849021.842185 /usr/local/bro/share/bro/notice.bro, line 261 (n$src_peer): internal error: field value missing

Thanks for reporting this, there's already a ticket for it:

http://tracker.icir.org/bro/ticket/65

I've just added a patch to the ticket, which I hope will fix the
crash. It will, however, still report the run-time error. The
underlying problem is that the function get_event_peer() tries to
get information about the peer it received the event from; the
connection to that peer, however, has already terminated, so that the
information isn't there anymore. That's a race condition which is
generally hard to avoid, as Bro's event processing is decoupled from
when an event is raised/received.

One way to work around such race conditions is sending explicit ack
events that only terminate a connection once received, making sure
that all important events have already been processed. bro-client
however can't do that.

Let me know if the patch works for you (it's against trunk but
should also work with 1.4).

Robin
--
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
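
The race described in the message above and the ack-based workaround, as a small Python model added here (it is not Bro code and not part of the original message). The `Receiver` class, its method names and the address 192.0.2.10 are constructed for illustration; peer ID 10000 is the one in the quoted error.

```python
from collections import deque


class Receiver:
    """Toy receiver whose event handlers run later than the network layer."""

    def __init__(self):
        self.peers = {}       # peer_id -> connection info, dropped on disconnect
        self.queue = deque()  # events received but not yet handled
        self.log = []

    def connect(self, peer_id, addr):
        self.peers[peer_id] = {"addr": addr}

    def receive(self, peer_id, name):
        # Receiving only queues the event; the handler runs in drain().
        self.queue.append((peer_id, name))

    def disconnect(self, peer_id):
        self.peers.pop(peer_id, None)

    def drain(self, on_handled=None):
        while self.queue:
            peer_id, name = self.queue.popleft()
            info = self.peers.get(peer_id)  # stands in for the peer lookup
            if info is None:
                self.log.append(f"{name}: peer {peer_id} does not exist")
            else:
                self.log.append(f"{name}: from {info['addr']}")
            if on_handled:
                on_handled(peer_id, name)  # models sending the ack event


def fire_and_forget():
    """Client sends one event and closes at once: the lookup comes too late."""
    r = Receiver()
    r.connect(10000, "192.0.2.10")  # constructed address
    r.receive(10000, "notice")
    r.disconnect(10000)             # connection gone before the handler runs
    r.drain()
    return r.log


def wait_for_ack():
    """Client keeps the connection open until the ack for its event arrives."""
    r = Receiver()
    r.connect(10000, "192.0.2.10")
    r.receive(10000, "notice")
    r.drain(on_handled=lambda peer_id, name: r.disconnect(peer_id))
    return r.log, r.peers
```
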