[Bro] Surprising behavior when reading packets from file vs interface.

Jim Mellander jmellander at lbl.gov
Thu Sep 23 15:28:47 PDT 2010


In the course of testing a broccoli-enabled bro policy, I discovered a
surprising behavior, and a workaround.

My broccoli app runs in an event loop, waiting for bro events, and
sending back events of its own to bro.

When running bro listening to an interface, it binds to the broccoli
port, and the broccoli app communicates with bro as expected.
Running 'bro -r' with a tracefile, however, causes bro not to bind to
the broccoli port, so it does not communicate with the app - verified
with netstat.

This snippet from RemoteSerializer.cc appears to be the issue:

    if ( reading_traces && ! pseudo_realtime )
        {
        using_communication = 0;
        return;
        }


Accordingly, I used the --pseudo-realtime flag to bro, which caused it
to bind to the port as expected, when reading tracefiles.

However, I'm not sure this behavior is optimal - there are a number of
bro applications now that may not need to listen to an interface (or
to a file, for that matter), but are strictly broccoli event driven,
for instance those which are strictly driven by syslog events.
Perhaps there could be a flag to force bro to bind to the broccoli
ports.  Are there other options?

I would appreciate any opinions/comments.
