[Bro] Followup Re: "hash-all-files", er, doesn't?

Glenn Forbes Fleming Larratt gl89 at CORNELL.EDU
Tue Dec 9 09:02:30 PST 2014


Dear Seth and everyone,

Thanks for the assistance. It turned out that the configuration was 
seemingly correct, it's just that my installation doesn't really have the 
horsepower to use hash-all-files: over time, I got the several results:

  - (frequent) normal function, no evidence of hash attempts as previously reported;
  - (frequent) crashes every 5 minutes, reducing usefulness to zero;
  - (occasional) checksums in the log files as expected.

For now, I've turned off global file hashing - I may revisit it more 
selectively as I learn.

Thanks again,
-- 
Glenn Forbes Fleming Larratt
Cornell University IT Security Office

On Fri, 21 Nov 2014, Seth Hall wrote:

>
>> On Nov 21, 2014, at 11:42 AM, Glenn Forbes Fleming Larratt <gl89 at cornell.edu> wrote:
>>
>> I did - my process for rule changes goes:
>>
>>  broctl check manager proxy{rnd} bro{rnd}-{rnd}
>>  broctl install
>>  broctl restart
>
> Have you looked at your loaded_scripts.log to see if the script isn't being loaded for some reason?
>
>>> That script should already be loaded by local.bro too so I'm actually kind of surprised that it wasn't already working?  The result is that out of the box, Bro should be doing MD5 and SHA1 hashes by default when run with BroControl.
>>>
>> A previous maintainer had commented out hash-all-files for performance reasons.
>
> Ah.  For the record, turning that feature off really doesn't change performance all that much (in my informal testing).
>
>  .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
>



More information about the Bro mailing list