[Bro] Scheduling events are immediately executed

Robin Sommer robin at icir.org
Thu Dec 10 12:33:30 PST 2015


On Thu, Dec 10, 2015 at 17:21 +0100, Dirk Leinenbach wrote:

> Is there any work around / best practice on how such situations can be
> handled in tests?

Bro normally terminates once it has read the whole trace. You can
prevent that by setting exit_only_after_terminate to true; then it
will keep running (and processing other input) until you call the
built-in function terminate(). You can see this in the input framework
tests in testing/btest/scripts/base/frameworks/input.

The other piece to this (and the original question) is that it's a
fundamental challenge to process a trace while also doing things that
happen in real-time (input framework, but also any communication with
external processes). Bro can read a trace much more quickly than it
would normally process the same traffic during live operation, meaning
it will get out of sync with any other activity still happening "just"
in real time.

There's a work-around for testing purposes: Bro has a switch
"--pseudo-realtime" that artificially delays processing a trace: after
reading each packet, it inserts a delay corresponding to the timestamp
gap to the next packet. In that way, it "simulates" real-time
processing by not getting ahead of what a live Bro would do. For
example, the test
testing/btest//scripts/policy/protocols/ssl/validate-certs-cluster.bro
uses this to set up a Bro cluster of multiple processes for X509 cert
validation while reading the input from a trace.

Robin

-- 
Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin
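The pattern the reply describes (keep Bro alive past the end of the trace with exit_only_after_terminate, then shut down explicitly with terminate() once the real-time input has finished) as an added example script; it is not code from the post or from the Bro test suite. The input file name blocklist.txt, its two columns and the table/record names are assumptions chosen for the example, and the file contents shown in the comment are constructed.

```bro
# Added example, not from the original message: read a trace with -r while
# also loading a file through the input framework, and only terminate once
# the reader reports that it has delivered everything.
#
# Assumed input file "blocklist.txt" (constructed, tab-separated, with the
# header the ASCII reader expects):
#   #fields	ip	note
#   192.0.2.10	constructed-entry-1
#   198.51.100.7	constructed-entry-2

# Without this, Bro exits as soon as the trace is fully read, which can be
# before the input reader has finished and before scheduled events fire.
redef exit_only_after_terminate = T;

type Idx: record {
	ip: addr;
};

type Val: record {
	note: string;
};

# Destination table filled by the input framework.
global blocklist: table[addr] of Val = table();

event bro_init()
	{
	# Assumed source path; $name is the handle used below to remove the stream.
	Input::add_table([$source="blocklist.txt", $name="blocklist",
	                  $idx=Idx, $val=Val, $destination=blocklist]);
	}

# Fired by the input framework when the reader has delivered the whole file.
event Input::end_of_data(name: string, source: string)
	{
	if ( name != "blocklist" )
		return;

	print fmt("loaded %d blocklist entries from %s", |blocklist|, source);

	# The stream is no longer needed; remove it, then shut Bro down.
	Input::remove("blocklist");
	terminate();
	}
```

Run as `bro -r some.pcap --pseudo-realtime script.bro` (trace file name assumed) to combine both work-arounds from the reply: the trace is consumed at roughly the pace of the original capture, so the file reader and any scheduled events are not left behind, and Bro still exits cleanly because terminate() is called only after end_of_data arrives.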

