[Bro] Bro hanging on some sensors

Doug Burks doug.burks at gmail.com
Sat Jun 21 13:17:39 PDT 2014


As a temporary test (perhaps on a non-production machine), could you
comment out the Security-Onion-specific scripts in
/opt/bro/share/bro/site/local.bro and see if that makes any
difference?

#@load securityonion
#@load file-extraction
#@load apt1

I know there were some issues previously with the hostname/interface
scripts in /opt/bro/share/bro/securityonion/ that resulted in a timing
issue.  Some of the issues were fixed, but perhaps some other issues
remain.

On Sat, Jun 21, 2014 at 10:00 AM, Kellogg, Brian D (OLN)
<bkellogg at dresser-rand.com> wrote:
> The other consistent thing I see is that with the Intel framework disabled I'll have to stop and start Bro usually two times before I start seeing all of the logs generated but usually only once. When I have the Intel framework enabled I can stop and start Bro a number of times with only those five log files being generated each time.  And again, on some of the sensors Bro will work with the Intel framework enabled and they all are using the same Intel files replicated via the "policy" directory Security Onion replication.
>
>
> ________________________________________
> From: Doug Burks [doug.burks at gmail.com]
> Sent: Wednesday, June 18, 2014 6:55 AM
> To: Kellogg, Brian D (OLN)
> Cc: Mike Reeves; bro
> Subject: Re: [Bro] Bro hanging on some sensors
>
> On Tue, Jun 17, 2014 at 10:30 AM, Kellogg, Brian D (OLN)
> <bkellogg at dresser-rand.com> wrote:
>> The one consistent thing I see is that when I stop, install, and then start
>> Bro, Bro starts ok and all the appropriate logs are created.  If I stop and
>> restart Bro again then the only logs I see in the "current" directory are:
>> communication, loaded_scripts, reporter, stderr, and stdout.
>
> Yep, I've seen this issue before.  I'm not sure if it's an issue with
> the Security-Onion-specific scripts that we load into Bro, or if it
> could be an issue with Bro itself.
>
> Has anybody else seen this issue on a vanilla Bro installation (not
> using Security Onion)?
>
> --
> Doug Burks



-- 
Doug Burks



