[Bro] Bro hanging on some sensors

Kellogg, Brian D (OLN) bkellogg at dresser-rand.com
Thu Jun 12 06:00:57 PDT 2014


I use a cron job that runs every 30 minutes to download the intel files to:
/opt/bro/share/bro/policy/.  The cron job uses the mal-dnssearch script.

In each sensor's /opt/bro/share/bro/site/local.bro file I have the below:

# load intelligence framework
@load policy/frameworks/intel/seen
@load policy/frameworks/intel/do_notice
#@load policy/integration/collective-intel
redef Intel::read_files += {
        "/opt/bro/share/bro/policy/xxx.intel",
        "/opt/bro/share/bro/policy/xxx.intel",
        "/opt/bro/share/bro/policy/xxx.intel",
        "/opt/bro/share/bro/policy/xxx.intel",
        "/opt/bro/share/bro/policy/xxx.intel",
        "/opt/bro/share/bro/policy/xxx.intel",
};

In the reporter.log file I am now seeing the below warning on the four sensors
having this issue:
    0.000000    Reporter::WARNING       SumStat key request for the 3Mntn3EPhU3 SumStat uid took longer than 1 minute and was automatically cancelled.  /opt/bro/share/bro/base/frameworks/sumstats/./cluster.bro, line 209
    0.000000    Reporter::WARNING       SumStat key request for the 2HAva5N4Kqf SumStat uid took longer than 1 minute and was automatically cancelled.  /opt/bro/share/bro/base/frameworks/sumstats/./cluster.bro, line 209

Thanks,
Brian



