[Bro] Bro hanging on some sensors

Kellogg, Brian D (OLN) bkellogg at dresser-rand.com
Tue Jun 17 07:30:22 PDT 2014


Yep, I run the install prior to the restart.  The format in the files is set by the mal-dnssearch script; I checked the files to ensure they are tab delimited and they are.  I get no errors about Bro not seeing the intel files in the correct format.  I have seen these before when creating our own custom intel file.  Our custom intel file is maintained via a python script to ensure that tab delimiting is always maintained.



The one consistent thing I see is that when I stop, install, and then start Bro, Bro starts ok and all the appropriate logs are created.  If I stop and restart Bro again then the only logs I see in the "current" directory are: communication, loaded_scripts, reporter, stderr, and stdout.



I have the intel config loaded at the very end of the local.bro file if that makes a difference.



There are no errors that I see in reporter.log, stderr.log, or stdout.log, as shown below.

drc at nsm-che:/nsm/bro/logs/current$ cat stderr.log

/opt/bro/share/bro/securityonion/./bpfconf.bro, line 103: BPFConf filename set: /etc/nsm/nsm-che-eth0/bpf-bro.conf

/opt/bro/share/bro/securityonion/./bpfconf.bro, line 103: BPFConf filename set: /etc/nsm/nsm-che-eth0/bpf-bro.conf

drc at nsm-che:/nsm/bro/logs/current$ cat stdout.log

unlimited

unlimited

unlimited

drc at nsm-che:/nsm/bro/logs/current$ cat reporter.log

#separator \x09

#set_separator  ,

#empty_field    (empty)

#unset_field    -

#path   reporter

#open   2014-06-17-14-20-55

#fields ts      level   message location

#types  time    enum    string  string

0.000000        Reporter::WARNING       Template value remaining in BPFConf filename: /etc/nsm/{{hostname}}-{{interface}}/bpf-bro.conf  /opt/bro/share/bro/securityonion/./bpfconf.bro, line 99

0.000000        Reporter::INFO  BPFConf filename set: /etc/nsm/nsm-che-eth0/bpf-bro.conf        /opt/bro/share/bro/securityonion/./bpfconf.bro, line 103

0.000000        Reporter::INFO  BPFConf filename set: /etc/nsm/nsm-che-eth0/bpf-bro.conf        /opt/bro/share/bro/securityonion/./bpfconf.bro, line 103





-----Original Message-----
From: Doug Burks [mailto:doug.burks at gmail.com]
Sent: Tuesday, June 17, 2014 7:00 AM
To: Kellogg, Brian D (OLN)
Cc: Mike Reeves; bro
Subject: Re: [Bro] Bro hanging on some sensors



When you comment out intel feeds, are you installing the new config before restarting?

sudo broctl install

sudo broctl restart



Are you sure your intel feeds are formatted properly?

http://www.bro.org/sphinx-git/frameworks/intel.html



Any other errors or warnings in reporter.log, stderr.log, or stdout.log?



On Fri, Jun 13, 2014 at 11:05 AM, Kellogg, Brian D (OLN) <bkellogg at dresser-rand.com> wrote:

> Thanks

>

>

>

> I’m not seeing any rhyme or reason to this.  I’ve tried commenting out

> one intel feed at a time and the problem will disappear on some

> sensors and start on others.  I’ve commented them all out and enabled

> one at a time with the same results.

>

>

>

> The only thing that works is to disable the intel framework entirely so far.

>

>

>

> From: Mike Reeves [mailto:reevesmk at gmail.com] On Behalf Of Mike Reeves

> Sent: Friday, June 13, 2014 10:33 AM

>

>

> To: Kellogg, Brian D (OLN)

> Cc: Doug Burks; bro

>

> Subject: Re: [Bro] Bro hanging on some sensors

>

>

>

> Bro will sense additions but won’t remove old stuff unless it is

> restarted; check out “Putting it all together” in the blog post below.

>

>

>

> http://blog.bro.org/2014/01/intelligence-data-and-bro_4980.html

>

>

>

>

>

>

>

> On Jun 13, 2014, at 8:59 AM, Kellogg, Brian D (OLN)

> <bkellogg at dresser-rand.com> wrote:

>

>

>

> Yeah they were working up to about a week ago.  I commented out the

> intel files on one and that fixed it.  Odd, as they should all be the

> same with the replication from the SO server policy directory.  The

> majority of the sensors are working fine with the same intel files and

> I'm seeing new results in ELSA every day.  Hmmm

>

> I do not have Bro restarting via Onion-Salt.  I was under the

> understanding that Bro would periodically sense the file changes and

> re-read the intel files.

>

> Thanks,

> Brian

>

> Thank you,

> Brian Kellogg

> Security Analyst; IT Governance, Risk, and Compliance

> 500 Paul Clark Drive, Olean,  NY 14760

> T: (716) 375-3186 | F: (716) 375-3557

> www.dresser-rand.com     NYSE: DRC

>


>

>

> -----Original Message-----

> From: Doug Burks [mailto:doug.burks at gmail.com]

> Sent: Friday, June 13, 2014 6:56 AM

> To: Kellogg, Brian D (OLN)

> Cc: bro

> Subject: Re: [Bro] Bro hanging on some sensors

>

> Did these sensors work correctly before you added the Intel files?

>

> Have you tried removing the Intel files from the equation?  If not,

> please try commenting out the entries you added to

> /opt/bro/share/bro/site/local.bro and then running:

> sudo broctl install

> sudo broctl restart

>

> Are you running OnionSalt?  Do you have OnionSalt configured to

> automatically restart Bro?  There are known issues with doing so,

> which is why OnionSalt does not do so by default.  Please see:

> https://code.google.com/p/security-onion/wiki/Salt#Features

>

> This may not be an issue strictly related to Bro, so we may need to

> move this conversation to the security-onion mailing list:

> https://code.google.com/p/security-onion/wiki/MailingLists

>

> On Thu, Jun 12, 2014 at 9:00 AM, Kellogg, Brian D (OLN)

> <bkellogg at dresser-rand.com> wrote:

>

> I use a cron job that runs every 30 minutes to download the intel files to:

> /opt/bro/share/bro/policy/.  The cron job uses the mal-dnssearch script.

>

> In each sensor's /opt/bro/share/bro/site/local.bro file I have the below:

>

> # load intelligence framework

> @load policy/frameworks/intel/seen

> @load policy/frameworks/intel/do_notice

> #@load policy/integration/collective-intel

> redef Intel::read_files += {

>        "/opt/bro/share/bro/policy/xxx.intel",

>        "/opt/bro/share/bro/policy/xxx.intel",

>        "/opt/bro/share/bro/policy/xxx.intel",

>        "/opt/bro/share/bro/policy/xxx.intel",

>        "/opt/bro/share/bro/policy/xxx.intel",

>        "/opt/bro/share/bro/policy/xxx.intel",

> };

>

> In the reporter.log file I am now seeing the below warning on the four

> sensors having this issue:

>    0.000000    Reporter::WARNING       SumStat key request for the 3Mntn3EPhU3 SumStat uid took longer than 1 minute and was automatically cancelled.    /opt/bro/share/bro/base/frameworks/sumstats/./cluster.bro, line 209

>    0.000000    Reporter::WARNING       SumStat key request for the 2HAva5N4Kqf SumStat uid took longer than 1 minute and was automatically cancelled.    /opt/bro/share/bro/base/frameworks/sumstats/./cluster.bro, line 209

>

> Thanks,

> Brian

>

>

>

>

> --

> Doug Burks

>

> _______________________________________________

> Bro mailing list

> bro at bro-ids.org

> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

>

>







--

Doug Burks
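Doug's question about feed formatting and Brian's mention of a script that keeps the custom feed tab-delimited both come down to one check, shown here as an added example: a validator for the files listed in Intel::read_files, run before `broctl install`. It is not Brian's script and not code from Bro or Security Onion. It assumes the Bro 2.x indicator types of mid-2014, the meta.do_notice and meta.if_in columns that policy/frameworks/intel/do_notice adds, and the two feeds embedded in it are constructed for the demonstration, not real intelligence.

```python
#!/usr/bin/env python
"""Check Bro Intel framework feed files before running `broctl install`.

Added example for this thread; it is neither the poster's maintenance script
nor code from Bro or Security Onion.  It enforces what the Intel framework's
ASCII input reader expects from a feed: a tab-separated '#fields' header, the
required columns, the same number of tab-separated fields on every record,
and known indicator types.
"""
import io
import sys

# Columns the Intel framework requires in every feed.
REQUIRED = ("indicator", "indicator_type", "meta.source")
# meta.do_notice and meta.if_in are added by policy/frameworks/intel/do_notice,
# which the local.bro in this thread loads; meta.desc and meta.url are core.
OPTIONAL = ("meta.desc", "meta.url", "meta.do_notice", "meta.if_in")
# Assumption: the Bro 2.x indicator types of mid-2014; extend for newer versions.
TYPES = frozenset([
    "Intel::ADDR", "Intel::URL", "Intel::SOFTWARE", "Intel::EMAIL",
    "Intel::DOMAIN", "Intel::USER_NAME", "Intel::FILE_HASH",
    "Intel::FILE_NAME", "Intel::CERT_HASH",
])


def validate_intel(text):
    """Return a list of (line_number, problem) tuples; [] means the feed is clean."""
    problems = []
    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()                       # a trailing newline is fine
    if not lines or not lines[0].startswith("#fields\t"):
        return [(1, "first line must be a tab-separated '#fields' header")]
    header = lines[0].split("\t")[1:]
    for col in REQUIRED:
        if col not in header:
            problems.append((1, "missing required column %s" % col))
    for col in header:
        if col not in REQUIRED + OPTIONAL:
            problems.append((1, "unknown column %s" % col))
    if problems:
        return problems                   # records cannot be judged without a sane header
    ncols = len(header)
    for lineno, line in enumerate(lines[1:], start=2):
        if line.endswith("\r"):
            problems.append((lineno, "CRLF line ending; use LF only"))
            line = line[:-1]
        if not line or line.startswith("#"):
            continue                      # blank and comment lines carry no record
        fields = line.split("\t")
        if len(fields) != ncols:
            hint = ""
            if len(fields) < ncols and " " in line:
                hint = " (fields look space-separated)"
            problems.append((lineno, "%d fields, header has %d%s" % (len(fields), ncols, hint)))
            continue
        rec = dict(zip(header, fields))
        if rec["indicator_type"] not in TYPES:
            problems.append((lineno, "unknown indicator_type %s" % rec["indicator_type"]))
        if not rec["indicator"] or rec["indicator"] != rec["indicator"].strip():
            problems.append((lineno, "indicator is empty or has surrounding whitespace"))
        if rec.get("meta.do_notice", "-") not in ("T", "F", "-"):
            problems.append((lineno, "meta.do_notice must be T, F or - (unset)"))
    return problems


def _clean(value):
    # A tab or newline inside a field would shift every column after it.
    return " ".join(str(value).split()) or "-"


def write_intel(records, columns=REQUIRED + ("meta.desc", "meta.do_notice")):
    """Serialize dict records as a tab-delimited feed, '-' for unset fields."""
    out = ["#fields\t" + "\t".join(columns)]
    for rec in records:
        out.append("\t".join(_clean(rec.get(c, "-")) for c in columns))
    return "\n".join(out) + "\n"


# Constructed sample feeds for demonstration (not real intelligence).
GOOD_FEED = write_intel([
    {"indicator": "198.51.100.7", "indicator_type": "Intel::ADDR",
     "meta.source": "feed-a", "meta.desc": "constructed\texample", "meta.do_notice": "T"},
    {"indicator": "bad.example", "indicator_type": "Intel::DOMAIN", "meta.source": "feed-a"},
])
BAD_FEED = (
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.do_notice\n"
    "198.51.100.8 Intel::ADDR feed-b T\n"           # spaces instead of tabs
    "evil.example\tIntel::HOSTNAME\tfeed-b\t-\n"    # indicator type that does not exist
    "203.0.113.9\tIntel::ADDR\tfeed-b\tyes\r\n"     # CRLF and a non-boolean do_notice
)

if __name__ == "__main__":
    bad = 0
    for path in sys.argv[1:]:
        # newline="" keeps any \r so the CRLF check can see it.
        with io.open(path, encoding="utf-8", errors="replace", newline="") as fh:
            for lineno, msg in validate_intel(fh.read()):
                bad += 1
                print("%s:%d: %s" % (path, lineno, msg))
    sys.exit(1 if bad else 0)
```

Run it from the cron job that fetches the feeds, e.g. `python check_intel.py /opt/bro/share/bro/policy/*.intel`, and only proceed to `broctl install` and `broctl restart` when it exits 0. A feed that passes still needs that install-then-restart cycle for removed indicators to disappear, as Mike notes above; the validator only rules out the formatting errors that the intel framework reports on load.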


