[Bro] Bro hanging on some sensors

Kellogg, Brian D (OLN) bkellogg at dresser-rand.com
Fri Jun 13 08:05:46 PDT 2014


Thanks



I'm not seeing any rhyme or reason to this.  I've tried commenting out one intel feed at a time and the problem will disappear on some sensors and start on others.  I've commented them all out and enabled one at a time with the same results.



The only thing that works is to disable the intel framework entirely so far.



From: Mike Reeves [mailto:reevesmk at gmail.com] On Behalf Of Mike Reeves
Sent: Friday, June 13, 2014 10:33 AM
To: Kellogg, Brian D (OLN)
Cc: Doug Burks; bro
Subject: Re: [Bro] Bro hanging on some sensors



Bro will sense additions but won't remove old stuff unless it is restarted. Check out "Putting it all together" in the blog post below.



http://blog.bro.org/2014/01/intelligence-data-and-bro_4980.html

On Jun 13, 2014, at 8:59 AM, Kellogg, Brian D (OLN) <bkellogg at dresser-rand.com<mailto:bkellogg at dresser-rand.com>> wrote:

Yeah they were working up to about a week ago.  I commented out the intel
files on one and that fixed it.  Odd, as they should all be the same with the
replication from the SO server policy directory.  The majority of the sensors
are working fine with the same intel files and I'm seeing new results in ELSA
every day.  Hmmm

I do not have Bro restarting via Onion-Salt.  I was under the understanding
that Bro would periodically sense the file changes and re-read the intel
files.

Thanks,
Brian

Thank you,
Brian Kellogg
Security Analyst; IT Governance, Risk, and Compliance
500 Paul Clark Drive, Olean,  NY 14760
T: (716) 375-3186 | F: (716) 375-3557
www.dresser-rand.com<http://www.dresser-rand.com>     NYSE: DRC

Bringing energy and the environment into harmony(r)
IMPORTANT NOTICE:
This email may be confidential, may be legally privileged, and is for the intended recipient only. Unauthorized access, disclosure, copying, distribution, or reliance on any of it by anyone else is prohibited and may be a criminal offense. Please delete if obtained in error and email confirmation to the sender.


-----Original Message-----
From: Doug Burks [mailto:doug.burks at gmail.com]
Sent: Friday, June 13, 2014 6:56 AM
To: Kellogg, Brian D (OLN)
Cc: bro
Subject: Re: [Bro] Bro hanging on some sensors

Did these sensors work correctly before you added the Intel files?

Have you tried removing the Intel files from the equation?  If not, please try commenting out the entries you added to /opt/bro/share/bro/site/local.bro and then running:
sudo broctl install
sudo broctl restart

Are you running OnionSalt?  Do you have OnionSalt configured to automatically restart Bro?  There are known issues with doing so, which is why OnionSalt does not do so by default.  Please see:
https://code.google.com/p/security-onion/wiki/Salt#Features

This may not be an issue strictly related to Bro, so we may need to move this conversation to the security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

On Thu, Jun 12, 2014 at 9:00 AM, Kellogg, Brian D (OLN) <bkellogg at dresser-rand.com<mailto:bkellogg at dresser-rand.com>> wrote:



I use a cron job that runs every 30 minutes to download the intel files to:
/opt/bro/share/bro/policy/.  The cron job uses the mal-dnssearch script.

In each sensor's /opt/bro/share/bro/site/local.bro file I have the below:

# load intelligence framework
@load policy/frameworks/intel/seen
@load policy/frameworks/intel/do_notice
#@load policy/integration/collective-intel
redef Intel::read_files += {
        "/opt/bro/share/bro/policy/xxx.intel",
        "/opt/bro/share/bro/policy/xxx.intel",
        "/opt/bro/share/bro/policy/xxx.intel",
        "/opt/bro/share/bro/policy/xxx.intel",
        "/opt/bro/share/bro/policy/xxx.intel",
        "/opt/bro/share/bro/policy/xxx.intel",
};

In the reporter.log file I am now seeing the below warning on the four
sensors having this issue:
   0.000000    Reporter::WARNING       SumStat key request for the 3Mntn3EPhU3 SumStat uid took longer than 1 minute and was automatically cancelled.    /opt/bro/share/bro/base/frameworks/sumstats/./cluster.bro, line 209
   0.000000    Reporter::WARNING       SumStat key request for the 2HAva5N4Kqf SumStat uid took longer than 1 minute and was automatically cancelled.    /opt/bro/share/bro/base/frameworks/sumstats/./cluster.bro, line 209

Thanks,
Brian

--
Doug Burks

_______________________________________________
Bro mailing list
bro at bro-ids.org<mailto:bro at bro-ids.org>
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro


