[Bro] Bro hanging on some sensors
Kellogg, Brian D (OLN)
bkellogg at dresser-rand.com
Thu Jun 12 06:00:57 PDT 2014
I use a cron job that runs every 30 minutes to download the intel files to:
/opt/bro/share/bro/policy/. The cron job uses the mal-dnssearch script.
In each sensor's /opt/bro/share/bro/site/local.bro file I have the below:

    # load intelligence framework
    @load policy/frameworks/intel/seen
    @load policy/frameworks/intel/do_notice
    #@load policy/integration/collective-intel
    redef Intel::read_files += {
        "/opt/bro/share/bro/policy/xxx.intel",
        "/opt/bro/share/bro/policy/xxx.intel",
        "/opt/bro/share/bro/policy/xxx.intel",
        "/opt/bro/share/bro/policy/xxx.intel",
        "/opt/bro/share/bro/policy/xxx.intel",
        "/opt/bro/share/bro/policy/xxx.intel",
    };

In the reporter.log file I am now seeing the below warning on the four sensors having this issue:

    0.000000 Reporter::WARNING SumStat key request for the 3Mntn3EPhU3 SumStat uid took longer than 1 minute and was automatically cancelled. /opt/bro/share/bro/base/frameworks/sumstats/./cluster.bro, line 209
    0.000000 Reporter::WARNING SumStat key request for the 2HAva5N4Kqf SumStat uid took longer than 1 minute and was automatically cancelled. /opt/bro/share/bro/base/frameworks/sumstats/./cluster.bro, line 209

Thanks,
Brian