[Bro] Bro hanging on some sensors
Doug Burks
doug.burks at gmail.com
Fri Jun 13 03:55:33 PDT 2014
Did these sensors work correctly before you added the Intel files?
Have you tried removing the Intel files from the equation? If not,
please try commenting out the entries you added to
/opt/bro/share/bro/site/local.bro and then running:
sudo broctl install
sudo broctl restart
Are you running OnionSalt? Do you have OnionSalt configured to
automatically restart Bro? There are known issues with doing so,
which is why OnionSalt does not do so by default. Please see:
https://code.google.com/p/security-onion/wiki/Salt#Features
This may not be an issue strictly related to Bro, so we may need to
move this conversation to the security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists
On Thu, Jun 12, 2014 at 9:00 AM, Kellogg, Brian D (OLN)
<bkellogg at dresser-rand.com> wrote:
> I use a cron job that runs every 30 minutes to download the intel files to:
> /opt/bro/share/bro/policy/. The cron job uses the mal-dnssearch script.
>
> In each sensor's /opt/bro/share/bro/site/local.bro file I have the below:
>
> # load intelligence framework
> @load policy/frameworks/intel/seen
> @load policy/frameworks/intel/do_notice
> #@load policy/integration/collective-intel
> redef Intel::read_files += {
> "/opt/bro/share/bro/policy/xxx.intel",
> "/opt/bro/share/bro/policy/xxx.intel",
> "/opt/bro/share/bro/policy/xxx.intel",
> "/opt/bro/share/bro/policy/xxx.intel",
> "/opt/bro/share/bro/policy/xxx.intel",
> "/opt/bro/share/bro/policy/xxx.intel",
> };
>
> In the reporter.log file I am now seeing the below warning on the four sensors
> having this issue:
> 0.000000 Reporter::WARNING SumStat key request for the 3Mntn3EPhU3 SumStat uid took longer than 1 minute and was automatically cancelled. /opt/bro/share/bro/base/frameworks/sumstats/./cluster.bro, line 209
> 0.000000 Reporter::WARNING SumStat key request for the 2HAva5N4Kqf SumStat uid took longer than 1 minute and was automatically cancelled. /opt/bro/share/bro/base/frameworks/sumstats/./cluster.bro, line 209
>
> Thanks,
> Brian
--
Doug Burks
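Before commenting the Intel entries out, a quick way to rule the downloaded files in or out is to verify that every path named in Intel::read_files exists and parses as a tab-separated intel file with the columns the Intel framework expects. The script below is an added example, not code from either poster or from Bro itself; the INTEL_TYPES set, the audit() helper and the sample local.bro and intel contents are assumptions constructed for this demonstration.

```python
import re

# Indicator types the Bro 2.x Intel framework accepts (assumed set; not taken from the post).
INTEL_TYPES = {"Intel::ADDR", "Intel::URL", "Intel::SOFTWARE", "Intel::EMAIL", "Intel::DOMAIN",
               "Intel::USER_NAME", "Intel::FILE_HASH", "Intel::FILE_NAME", "Intel::CERT_HASH"}
REQUIRED_COLUMNS = ("indicator", "indicator_type", "meta.source")
READ_FILES_RE = re.compile(r"redef\s+Intel::read_files\s*\+=\s*\{(.*?)\}\s*;", re.S)

def read_files_entries(local_bro):
    """Paths listed in every 'redef Intel::read_files += { ... };' block of a local.bro."""
    return [p for block in READ_FILES_RE.findall(local_bro) for p in re.findall(r'"([^"]+)"', block)]

def check_intel_file(text):
    """Problems in one intel file's contents; an empty list means it looks loadable."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("#fields\t"):
        return ["first line must be a tab-separated '#fields' header"]
    header = lines[0].split("\t")[1:]
    missing = [c for c in REQUIRED_COLUMNS if c not in header]
    if missing:
        return ["header lacks required column(s): " + ", ".join(missing)]
    type_col, problems = header.index("indicator_type"), []
    for n, line in enumerate(lines[1:], start=2):
        if line.startswith("#"):  # other '#' lines are input-framework directives or comments
            continue
        fields = line.split("\t")
        if len(fields) != len(header):
            problems.append(f"line {n}: {len(fields)} fields, header has {len(header)} (spaces for tabs?)")
        elif fields[type_col] not in INTEL_TYPES:
            problems.append(f"line {n}: unknown indicator_type {fields[type_col]!r}")
    return problems

def audit(local_bro, files):
    """Problems per referenced path; a path missing from 'files' is reported as unreadable."""
    return {p: check_intel_file(files[p]) if p in files else ["file not found or unreadable"]
            for p in read_files_entries(local_bro)}

# Constructed sample inputs standing in for a sensor's local.bro and two downloaded intel files.
SAMPLE_LOCAL_BRO = """redef Intel::read_files += {
    "/opt/bro/share/bro/policy/good.intel",
    "/opt/bro/share/bro/policy/bad.intel",
    "/opt/bro/share/bro/policy/gone.intel",
};"""
SAMPLE_FILES = {
    "/opt/bro/share/bro/policy/good.intel": "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\n"
                                            "198.51.100.7\tIntel::ADDR\tmal-dnssearch\ttest entry\n",
    "/opt/bro/share/bro/policy/bad.intel": "#fields\tindicator\tindicator_type\tmeta.source\n"
                                           "example.invalid Intel::DOMAIN mal-dnssearch\n"  # spaces, not tabs
                                           "example.test\tIntel::HOST\tmal-dnssearch\n",  # unknown type
}
```

On a real sensor, read local.bro and each referenced path from disk and pass their contents to audit(); a file that reports problems here is a candidate for the hang, a clean report points the search back at the cluster and SumStat side.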