[Bro] broclient and NOTICE()
Sean McCreary
mccreary at ucar.edu
Wed Feb 18 17:21:56 PST 2009
Robin Sommer wrote:
> On Tue, Feb 17, 2009 at 06:34 +0000, you wrote:
>
>>> 1234849021.842185 run-time error: peer 10000 does not exist
>>> 1234849021.842185 /usr/local/bro/share/bro/notice.bro, line 261 (n$src_peer): internal error: field value missing
>
> Thanks for reporting this, there's already a ticket for it:
> http://tracker.icir.org/bro/ticket/65
>
> I've just added a patch to the ticket, which I hope will fix the
> crash. It will however still report the run-time error. The
> underlying problem is that the function get_event_peer() tries to
> get information about the peer it received the event from, the
> connection to that peer however has already terminated so that the
> information isn't there anymore. That's a race-condition which is
> generally hard to avoid as Bro's event processing is decoupled from
> when an event is raised/received.
>
> One way to work-around such race conditions is sending explicit ack
> events that only terminate a connection once received, making sure
> that all important events have already been processed. bro-client
> however can't do that.
>
> Let me know if the patch works for you (it's against trunk but
> should also work with 1.4).
>
> Robin
Thanks for the patch! I applied it against bro.bif in v1.4, and it
works as expected. When the connection has already terminated it
reports the run-time error, but bro no longer crashes.
More information about the Bro
mailing list