[Bro] Scheduling events are immediatly executed

Dirk Leinenbach dirk.leinenbach at consistec.de
Thu Dec 10 08:21:22 PST 2015 

Hi all,

is Bro's event schedule depending on "input" from the network / trace 
file? I.e., does it stop processing ASCII reader input if there's no 
more network activity?

This might not be a big deal in production rollouts when bro is listing 
to real network interfaces, but in test scenarios (with btest) it looks 
to me as if bro stops processing other input, once the pcap files have 
been consumed completely. Is there any work around / best practice on 
how such situations can be handled in tests?

Thanks for your help!

Dirk

On 09.12.2015 08:51, Jan Muthreich wrote:
> Thank you. I have an Input READER_ASCII in use, which need Input::force_update. It reads from a linux pipe. How can we schedule this operation if no network traffic is in the line?
>
> Mit freundlichen Grüßen
> Jan Muthreich
>
> -----Original Message-----
> From: Robin Sommer [mailto:robin at icir.org]
> Sent: Tuesday, December 8, 2015 5:23 PM
> To: Jan Muthreich <jan.muthreich at consistec.de>
> Cc: bro at bro.org
> Subject: Re: [Bro] Scheduling events are immediatly executed
>
>
>
> On Tue, Dec 08, 2015 at 15:35 +0000, Jan Muthreich wrote:
>
>> I'm working with BRO and have a problem. I want to use scheduling but
>> it doesn't seem to work. Alle tests, that I wrote, are immidiatly
>> ready.
> One thing to keep in mind for schedule is that it's relative to "network time", i.e., the packet timestamps in the trace. When you say 100s, it's not going to wait for 100s of wall clock time to pass, but will trigger the event once the packet timestmaps have covered 100s.
> When working offline from a trace, like in your case, that often feels like "immediately" if the input is short. Could that be it?
>
> Robin
>
> --
> Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

-- 

Dr.-Ing. Dirk Leinenbach - Leitung Softwareentwicklung
consistec Engineering & Consulting GmbH
------------------------------------------------------------------

Europaallee 5                      Fon:   +49 (0)681 / 959044-0
D-66113 Saarbrücken                Fax:   +49 (0)681 / 959044-11
http://www.consistec.de            e-mail: dirk.leinenbach at consistec.de

Registergericht: Amtsgericht Saarbrücken
Registerblatt:   HRB12003
Geschäftsführer: Dr. Thomas Sinnwell, Volker Leiendecker, Stefan Sinnwell

More information about the Bro mailing list