[Bro] ActiveHTTP
Dave Crawford
bro at pingtrip.com
Sun Jan 29 14:37:30 PST 2017
I tried with --pseudo-realtime as well as creating a new PCAP to test with, but it still exhibits the same behavior. ActiveHTTP successfully makes the request, and receives a response based on the contents of the temp files, but the when() block is never executed.
The reporter.log only has an event for the termination:
#types time enum string string
1485725443.690539 Reporter::INFO received termination signal (empty)
Is anyone able to re-create the same issue or is this limited to my environment?
-Dave
> On Jan 29, 2017, at 12:41 PM, Jan Grashöfer <jan.grashoefer at gmail.com> wrote:
>
> Hi Dave,
>
>> But if I pass it a PCAP it exhibits the same condition where the when loop isn’t entered:
>>
>> bro -r test.pcap b.bro
>
> my guess would be that reading a pcap causes timing problems. Have you
> tried processing the pcap using --pseudo-realtime?
>
> Jan