[Bro] ActiveHTTP
Dave Crawford
bro at pingtrip.com
Mon Jan 30 09:34:31 PST 2017
I’ve been able to test this in another environment (Debian 8.7 x64) and unlike OS X where the ActiveHTTP conducts a successful request but then doesn’t enter the when{} block, on Debian it errors with the following written to reporter.log:
$ bro --version
bro version 2.5-30
$ bro b.bro
0.000000 Reporter::ERROR curl -s -g -o "/tmp/bro-activehttp-XMayZ2GFnB6_body" -D "/tmp/bro-activehttp-XMayZ2GFnB6_headers" -X "GET" -m 60 "https://www.google.com/" && touch /tmp/bro-activehttp-XMayZ2GFnB6_body |/Input::READER_RAW: Child process exited with non-zero return code 127 (empty)
0.000000 Reporter::WARNING Stream vqz7bJcG1Pg is already queued for removal. Ignoring remove. (empty)
0.000000 Reporter::ERROR /tmp/bro-activehttp-XMayZ2GFnB6_body/Input::READER_RAW: Init: cannot open /tmp/bro-activehttp-XMayZ2GFnB6_body (empty)
0.000000 Reporter::ERROR /tmp/bro-activehttp-XMayZ2GFnB6_body/Input::READER_RAW: Init failed (empty)
0.000000 Reporter::ERROR /tmp/bro-activehttp-XMayZ2GFnB6_body/Input::READER_RAW: terminating thread (empty)
0.000000 Reporter::ERROR /tmp/bro-activehttp-XMayZ2GFnB6_headers/Input::READER_RAW: Init: cannot open /tmp/bro-activehttp-XMayZ2GFnB6_headers (empty)
0.000000 Reporter::ERROR /tmp/bro-activehttp-XMayZ2GFnB6_headers/Input::READER_RAW: Init failed (empty)
0.000000 Reporter::ERROR /tmp/bro-activehttp-XMayZ2GFnB6_headers/Input::READER_RAW: terminating thread (empty)
0.000000 Reporter::INFO received termination signal (empty)
#close 2017-01-30-12-26-47
> On Jan 29, 2017, at 5:37 PM, Dave Crawford <bro at pingtrip.com> wrote:
>
> I tried with --pseudo-realtime as well as creating a new PCAP to test with but it still exhibits the same behavior. ActiveHTTP successfully makes the request, and receives a response based on the contents of the temp files, but the when() block is never executed.
>
> The reporter.log only has an event for the termination:
>
> #types time enum string string
> 1485725443.690539 Reporter::INFO received termination signal (empty)
>
> Is anyone able to re-create the same issue or is this limited to my environment?
>
> -Dave
>
>> On Jan 29, 2017, at 12:41 PM, Jan Grashöfer <jan.grashoefer at gmail.com> wrote:
>>
>> Hi Dave,
>>
>>> But if I pass it a PCAP it exhibits the same condition where the when loop isn’t entered:
>>>
>>> bro -r test.pcap b.bro
>>
>> my guess would be that reading a pcap causes timing problems. Have you
>> tried processing the pcap using --pseudo-realtime?
>>
>> Jan
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
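The reporter.log lines in the message above are the only diagnostic Bro gives when the raw input reader behind ActiveHTTP cannot run its child command, so a small check that pulls those lines out of reporter.log and decodes the exit status is worth having in a deployment. The following is an added example written for this page, not code from the thread or from the Bro project. It assumes the standard reporter.log layout (tab-separated ts, level, message, location, matching the "#types time enum string string" header quoted in the thread) and embeds a constructed sample modelled on the lines in the post. Exit status 127 is the POSIX shell's "command not found" status, so a finding with that code points at the program named at the start of the failing command line (here curl) not being available on the PATH that Bro's child processes inherit; the hints table encodes only that shell convention and nothing specific to Bro.

```python
import re
import shutil
from typing import Dict, List, Optional

# Constructed, abbreviated reporter.log modelled on the lines quoted in the post.
# Bro writes tab-separated columns; the "#fields" header names them.
SAMPLE_REPORTER_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tlevel\tmessage\tlocation\n"
    "#types\ttime\tenum\tstring\tstring\n"
    "0.000000\tReporter::ERROR\tcurl -s -g -o \"/tmp/bro-activehttp-XMayZ2GFnB6_body\" "
    "-D \"/tmp/bro-activehttp-XMayZ2GFnB6_headers\" -X \"GET\" -m 60 \"https://www.google.com/\" "
    "&& touch /tmp/bro-activehttp-XMayZ2GFnB6_body |/Input::READER_RAW: "
    "Child process exited with non-zero return code 127\t(empty)\n"
    "0.000000\tReporter::WARNING\tStream vqz7bJcG1Pg is already queued for removal. "
    "Ignoring remove.\t(empty)\n"
    "0.000000\tReporter::ERROR\t/tmp/bro-activehttp-XMayZ2GFnB6_body/Input::READER_RAW: "
    "Init: cannot open /tmp/bro-activehttp-XMayZ2GFnB6_body\t(empty)\n"
    "0.000000\tReporter::INFO\treceived termination signal\t(empty)\n"
    "#close\t2017-01-30-12-26-47\n"
)

# The raw reader prefixes its messages with the command it tried to run, then "|/Input::READER_RAW:".
CHILD_EXIT_RE = re.compile(
    r"^(?P<command>.*?) \|/Input::READER_RAW: "
    r"Child process exited with non-zero return code (?P<code>\d+)$"
)

# Shell exit-status conventions only (POSIX); anything else belongs to the program itself.
EXIT_CODE_HINTS = {
    126: "command found but not executable (shell convention)",
    127: "command not found on PATH (shell convention)",
}


def parse_reporter_log(text: str) -> List[Dict[str, str]]:
    """Turn a reporter.log body into a list of {column: value} records."""
    fields: Optional[List[str]] = None
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]  # column names follow the "#fields" token
            continue
        if line.startswith("#"):
            continue  # other header/footer lines (#separator, #types, #close, ...)
        parts = line.split("\t")
        if fields is None:
            # No header seen yet: assume the default reporter.log column order.
            fields = ["ts", "level", "message", "location"][: len(parts)]
        records.append(dict(zip(fields, parts)))
    return records


def find_reader_raw_failures(records: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one finding per raw-reader child process that exited non-zero."""
    findings: List[Dict[str, object]] = []
    for rec in records:
        if rec.get("level") != "Reporter::ERROR":
            continue
        match = CHILD_EXIT_RE.match(rec.get("message", ""))
        if not match:
            continue
        code = int(match.group("code"))
        findings.append({
            "ts": rec.get("ts", ""),
            "code": code,
            "command": match.group("command").strip(),
            "hint": EXIT_CODE_HINTS.get(code, "program-specific exit status; check the program's docs"),
        })
    return findings


def failing_program(command: str) -> str:
    """First token of the failing command line, i.e. the program the reader tried to spawn."""
    tokens = command.split()
    return tokens[0] if tokens else ""


def program_on_path(name: str) -> bool:
    """Whether the named program resolves on this process's PATH (the local check for code 127)."""
    return shutil.which(name) is not None


if __name__ == "__main__":
    for f in find_reader_raw_failures(parse_reporter_log(SAMPLE_REPORTER_LOG)):
        prog = failing_program(str(f["command"]))
        print(f"{f['ts']} exit={f['code']} program={prog} hint={f['hint']}")
        print(f"  {prog} on PATH here: {program_on_path(prog)}")
```

Run against a real reporter.log by replacing SAMPLE_REPORTER_LOG with the file's contents; the PATH check is only meaningful when run as the same user and environment that launches Bro, since that is the PATH its child processes inherit.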