[Bro] Take action on a notice?

Jesse Bowling jessebowling at gmail.com
Tue Apr 16 08:29:16 PDT 2013


Hi Justin,

In fact my workers have completely stopped processing packets as well; I'll
look at this incantation and see if that works for me. Although I need to
just solve the problem, I thought it might also be a good problem to force
me into delving into the scripting language itself. :)

Cheers,

Jesse


On Tue, Apr 16, 2013 at 9:49 AM, Justin Azoff <JAzoff at albany.edu> wrote:

> On Tue, Apr 16, 2013 at 09:37:06AM -0400, Jesse Bowling wrote:
> > I'm regularly seeing PacketFilter::Dropped_Packets notices in my logs, which I
> > believe are related to an issue with the version of PF_RING that I'm using. I'm
> > in the midst of getting it upgraded, but in the meantime I'd love to be able to
> > take an automated action on these notices (i.e., automatically restart the
> > worker process that's dropping packets).
> >
> > I know all the parts for doing this are in the archives somewhere, but would
> > someone mind giving me at least the high-level steps? My brogramming is nascent
> > at best...
>
> I use this, but it is for restarting workers that have completely
> stopped processing packets:
>
> */5 * * * * root sleep 5 ; grep -s -P "\t0\t0\t0" /usr/local/bro/logs/current/capture_loss.log && restart_bro
>
>
> restart_bro is just a script that uses broctl to restart bro and sends
> notifications.
>
>
>
> --
> -- Justin Azoff
> -- Network Security & Performance Analyst
>



-- 
Jesse Bowling
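
Added example, not part of the original thread: the cron one-liner quoted above matches any line in the current capture_loss.log, so a worker that logged one all-zero interval and then recovered still triggers a restart until the log rotates. The sketch below reports only workers whose most recent entry has zero gaps and zero ACKs. The column layout (ts, ts_delta, peer, gaps, acks, percent_lost), the function names and the sample log are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): name the workers whose latest
# capture_loss.log entry shows no gaps and no ACKs, i.e. no traffic seen.
# Assumed tab-separated columns: ts ts_delta peer gaps acks percent_lost

stalled_workers() {
    awk -F '\t' '
        /^#/    { next }                           # skip log header lines
        NF >= 6 { gaps[$3] = $4; acks[$3] = $5 }   # later lines overwrite earlier
        END {
            for (p in gaps)
                if (gaps[p] == "0" && acks[p] == "0") print p
        }
    ' "$1" | sort
}

# Constructed sample log: worker-1 stalls once and then recovers,
# worker-2 is healthy at first and then stops seeing packets.
write_sample_log() {
    printf '#fields\tts\tts_delta\tpeer\tgaps\tacks\tpercent_lost\n'
    printf '1366125000.0\t900.0\tworker-1\t0\t0\t0.000\n'
    printf '1366125000.0\t900.0\tworker-2\t12\t48210\t0.025\n'
    printf '1366125900.0\t900.0\tworker-1\t3\t51002\t0.006\n'
    printf '1366125900.0\t900.0\tworker-2\t0\t0\t0.000\n'
}

# Stand-alone use: pass a log path, or run with no argument for the sample.
log=${1:-}
if [ -z "$log" ]; then
    log=$(mktemp)
    write_sample_log > "$log"
fi
stalled_workers "$log"
```

An empty result means no worker is currently stalled; a non-empty one gives the peer names to hand to whatever restart wrapper is in use.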