[Bro] Clarification needed

Clark, Gilbert gc355804 at ohio.edu
Fri Sep 19 17:12:56 PDT 2014


Neither timers (schedule blocks) nor triggers block execution.  Instead, when bro sees a timer / trigger, it just makes a note of it and moves on to the next line of code it sees.  In the case of the timer described below, bro would keep doing other stuff for 1 second before eventually coming back to execute the code in the { }.  In the case of the typo, bro would keep doing other stuff for 10 seconds before eventually coming back to execute the code in the { }. 

Triggers operate in a similar fashion to timers, except that the conditions for *every* trigger are evaluated at least once / every packet bro observes.  In general, this means that *every registered trigger* is going to add per-packet overhead, so there's a pretty good argument to be made that relatively few triggers should be active at once.

Also, as far as I know, exit_only_after_terminate is a global flag that will simply request that bro wait to exit until there's an explicit request to do so [1].  It shouldn't really have any impact on bro's execution otherwise: it's only there to allow operations with longer execution times to complete before bro actually exits.  

As a note, there are actually relatively few blocking calls supported by bro just because blocking script execution for any reason is going to eat through queue space *incredibly* quickly (and likely lead to burst losses).

HTH,
Gilbert

[1] http://comments.gmane.org/gmane.comp.security.detection.bro/5998
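As an added illustration of the behaviour described above (this is not code from the thread), the following Bro script registers a timer and a DNS trigger and then keeps going; the hostname and the intervals are assumed values chosen for the demonstration:

```bro
# Added example, not from the thread: neither `schedule` nor `when` blocks.
# Run with:  bro demo.bro   (no packet source needed)
# Hostname and intervals below are assumed values for illustration.

# Keep bro alive after bro_init() so the deferred bodies get a chance to run.
redef exit_only_after_terminate = T;

global timer_fired: event();

event timer_fired()
    {
    # Executes ~10 sec after the schedule statement, not at the time it was written.
    print fmt("4. timer fired at %s", current_time());
    terminate();
    }

event bro_init()
    {
    print fmt("1. registering timer and trigger at %s", current_time());

    # Makes a note of the timer and returns immediately.
    schedule 10 sec { timer_fired() };

    # Registers a trigger and returns immediately; the body runs only once the
    # asynchronous DNS lookup has completed (or the timeout block runs instead).
    when ( local ips = lookup_hostname("mail.google.com") )
        {
        print fmt("3. lookup completed at %s", current_time());
        for ( ip in ips )
            print ip;
        }
    timeout 5 sec
        {
        print fmt("3. lookup timed out at %s", current_time());
        }

    # Runs right away, before either deferred body above.
    print fmt("2. continuing without waiting at %s", current_time());
    }
```

The numbered prefixes show the actual execution order: 1 and 2 print immediately, 3 follows when the lookup (or its 5 sec timeout) completes, and 4 fires after 10 sec.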

From: bro-bounces at bro.org <bro-bounces at bro.org> on behalf of PeLo <phrackmod at gmail.com>
Sent: Friday, September 19, 2014 4:44 PM
To: Seth Hall
Cc: bro at bro.org
Subject: Re: [Bro] Clarification needed
  
Regarding the Schedule statement used in the code, I see that the execution is halted until the specified time expires. Since Bro executes all the event handlers in a FIFO style, if by mistake I wrote a schedule statement with a time interval of, say, 10 sec, will this then block the execution of all the event handlers in the queue, thereby delaying the whole process?

- Pelo

On Sat, Sep 20, 2014 at 1:49 AM, Seth Hall  <seth at icir.org> wrote:
 
On Sep 19, 2014, at 3:43 PM, PeLo <phrackmod at gmail.com> wrote:

>       ### Error occurs here
>       ### Error Output
>       ### ============
>       ### error : type clash (addr and {74.125.236.213,2404:6800:4007:803::1015})
>       ### error : type mismatch ({74.125.236.213,2404:6800:4007:803::1015} and addr)
>
>       local google_ips: set[addr] = {  mail.google.com, maps.google.com, youtube.com };
>       for (i in google_ips)   print(i);

Ugh, I suspect this has something to do with using the "{ }" constructor syntax somewhere that it shouldn't be used.  I.e., you've encountered a wart.

>       ### No errors and output here
>       ### Anything wrong with the code???

You have an issue where you are trying to synchronously access data from asynchronous operations. :)

When statements return immediately and the body only executes after the condition becomes true.  You are printing before you've actually gotten a response from the DNS server.  Let me try restructuring your code a bit...

         http://try.bro.org/#/trybro/saved/89b6a856-c785-4cea-bfc3-206947bc054a

Does that explain it a bit better?



  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
