[Bro] Bro hanging on some sensors

Kellogg, Brian D (OLN) bkellogg at dresser-rand.com
Sat Jun 21 15:54:17 PDT 2014


Commenting out apt1 seems to make it more reliable.  I can at least load one
intel file now; sometimes two.

The odd thing is that the more I play with this the more unreliable it gets.
I thought I saw a pattern at one point as I commented out securityonion and
that allowed me to load two intel files.  I then uncommented securityonion and
it still worked with two intel files.  Then it once worked with four intel
files. I then tried to add a fifth and that broke it.  So I went back to four
and Bro would still not generate more than the five log files.  Then I was
back to two intel files to get Bro working after a couple more restarts.  Then
I uncommented apt1 and it still worked with two intel files loaded.

So far, the most reliable way of getting an intel file loaded is by commenting out apt1 and only enabling one intel file.


-----Original Message-----
From: Doug Burks [mailto:doug.burks at gmail.com]
Sent: Saturday, June 21, 2014 4:18 PM
To: Kellogg, Brian D (OLN)
Cc: bro
Subject: Re: [Bro] Bro hanging on some sensors

As a temporary test (perhaps on a non-production machine), could you comment out the Security-Onion-specific scripts in /opt/bro/share/bro/site/local.bro and see if that makes any difference?

#@load securityonion
#@load file-extraction
#@load apt1

I know there were some issues previously with the hostname/interface scripts in /opt/bro/share/bro/securityonion/ that resulted in a timing issue.  Some of the issues were fixed, but perhaps some other issues remain.

On Sat, Jun 21, 2014 at 10:00 AM, Kellogg, Brian D (OLN) <bkellogg at dresser-rand.com> wrote:
> The other consistent thing I see is that with the Intel framework disabled I'll have to stop and start Bro usually two times before I start seeing all of the logs generated, but usually only once. When I have the Intel framework enabled I can stop and start Bro a number of times with only those five log files being generated each time.  And again, on some of the sensors Bro will work with the Intel framework enabled, and they all are using the same Intel files replicated via the "policy" directory Security Onion replication.
>
>
> ________________________________________
> From: Doug Burks [doug.burks at gmail.com]
> Sent: Wednesday, June 18, 2014 6:55 AM
> To: Kellogg, Brian D (OLN)
> Cc: Mike Reeves; bro
> Subject: Re: [Bro] Bro hanging on some sensors
>
> On Tue, Jun 17, 2014 at 10:30 AM, Kellogg, Brian D (OLN)
> <bkellogg at dresser-rand.com> wrote:
>> The one consistent thing I see is that when I stop, install, and then
>> start Bro, Bro starts ok and all the appropriate logs are created.
>> If I stop and restart Bro again then the only logs I see in the "current" directory are:
>> communication, loaded_scripts, reporter, stderr, and stdout.
>
> Yep, I've seen this issue before.  I'm not sure if it's an issue with
> the Security-Onion-specific scripts that we load into Bro, or if it
> could be an issue with Bro itself.
>
> Has anybody else seen this issue on a vanilla Bro installation (not
> using Security Onion)?
>
> --
> Doug Burks



--
Doug Burks