[Bro] "broctl cron" running every 5 mins, and side effects
Azoff, Justin S
jazoff at illinois.edu
Sat Sep 3 09:00:25 PDT 2016
> On Sep 2, 2016, at 9:35 AM, Glenn Forbes Fleming Larratt <gl89 at cornell.edu> wrote:
>
> Can anyone comment on what "broctl cron" is actually doing?
>
> My DNS admin reported to me that, at 5-minute intervals, my six bro hosts
> (1x manager+proxy, 5 workers) are spewing DNS queries in the thousands,
> all forward and reverse lookups of themselves and each other (sample
> appended). It *seems* to be correlated in time with the running of "broctl
> cron".
>
broctl cron primarily checks up on the workers via ssh.
Are you using a bro version earlier than 2.4? 2.4 will make one connection per worker box; before that it made one connection for each worker process.
What you are seeing looks like bro < 2.4 plus ssh having UseDns or VerifyReverseMapping enabled.
It's also interesting that bro01 is not one of the names in the output, and bro05 appears 5% as often as 2, 3, 4 are.
In general you should be running a local caching resolver (unbound, dnsmasq, etc.). Things run better across the board when you are caching DNS responses locally and not going out to the network for every lookup.
--
- Justin Azoff
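
An added example, not part of the original message: a shell check for the two conditions the reply names, sshd reverse-DNS lookups (UseDNS / VerifyReverseMapping) and whether the first configured resolver is a local cache. The function names and the sample files are constructed for illustration; point the functions at copies of your own /etc/ssh/sshd_config and /etc/resolv.conf.

```shell
#!/bin/sh
# Added example: audit the two settings named in the reply above.
# File paths are arguments, so the functions can be run on copies of the configs.

# Print the global reverse-lookup setting from an sshd_config file.
# sshd keeps the first value it reads for a keyword, keywords are
# case-insensitive, and VerifyReverseMapping is the older name for UseDNS.
# Prints "unset" when neither appears (the default depends on the OpenSSH version).
sshd_usedns() {
    awk '
        { sub(/#.*/, ""); gsub(/=/, " ") }   # drop comments, accept key=value
        tolower($1) == "match" { exit }      # global section ends at first Match
        tolower($1) == "usedns" || tolower($1) == "verifyreversemapping" {
            print tolower($2); found = 1; exit
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Succeed if the first nameserver in a resolv.conf file is a loopback address,
# i.e. lookups hit a local caching resolver (unbound, dnsmasq, ...) first.
first_resolver_is_local() {
    ns=$(awk '$1 == "nameserver" { print $2; exit }' "$1")
    case "$ns" in
        127.*|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample files (not taken from the thread).
tmp=$(mktemp -d)
printf '%s\n' '# sample sshd_config' 'Port 22' 'UseDNS yes' \
    'Match User bro' '    X11Forwarding no' > "$tmp/sshd_config"
printf '%s\n' 'search example.edu' 'nameserver 192.0.2.53' > "$tmp/resolv.conf"

echo "sshd reverse lookups: $(sshd_usedns "$tmp/sshd_config")"
first_resolver_is_local "$tmp/resolv.conf" \
    || echo "first nameserver is remote: every lookup goes out to the network"
rm -rf "$tmp"
```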