[Bro] ActiveHTTP

Dave Crawford bro at pingtrip.com
Mon Jan 30 09:47:46 PST 2017


Ok, scratch that error message. The box I was testing on didn’t have curl installed. After installing curl the test script has the same behavior as when run on OS X. Works great by itself but hangs before the when{} block if passed a PCAP.


> On Jan 30, 2017, at 12:34 PM, Dave Crawford <bro at pingtrip.com> wrote:
> 
> I’ve been able to test this in another environment (Debian 8.7 x64) and unlike OS X where the ActiveHTTP conducts a successful request but then doesn’t enter the when{} block, on Debian it errors with the following written to reporter.log:
> 
> $ bro --version
> bro version 2.5-30
> 
> $ bro b.bro
> 
> 0.000000	Reporter::ERROR	curl -s -g -o "/tmp/bro-activehttp-XMayZ2GFnB6_body" -D "/tmp/bro-activehttp-XMayZ2GFnB6_headers" -X "GET" -m 60 "https://www.google.com/" && touch /tmp/bro-activehttp-XMayZ2GFnB6_body |/Input::READER_RAW: Child process exited with non-zero return code 127	(empty)
> 0.000000	Reporter::WARNING	Stream vqz7bJcG1Pg is already queued for removal. Ignoring remove.	(empty)
> 0.000000	Reporter::ERROR	/tmp/bro-activehttp-XMayZ2GFnB6_body/Input::READER_RAW: Init: cannot open /tmp/bro-activehttp-XMayZ2GFnB6_body	(empty)
> 0.000000	Reporter::ERROR	/tmp/bro-activehttp-XMayZ2GFnB6_body/Input::READER_RAW: Init failed	(empty)
> 0.000000	Reporter::ERROR	/tmp/bro-activehttp-XMayZ2GFnB6_body/Input::READER_RAW: terminating thread	(empty)
> 0.000000	Reporter::ERROR	/tmp/bro-activehttp-XMayZ2GFnB6_headers/Input::READER_RAW: Init: cannot open /tmp/bro-activehttp-XMayZ2GFnB6_headers	(empty)
> 0.000000	Reporter::ERROR	/tmp/bro-activehttp-XMayZ2GFnB6_headers/Input::READER_RAW: Init failed	(empty)
> 0.000000	Reporter::ERROR	/tmp/bro-activehttp-XMayZ2GFnB6_headers/Input::READER_RAW: terminating thread	(empty)
> 0.000000	Reporter::INFO	received termination signal	(empty)
> #close	2017-01-30-12-26-47
> 
>  
>> On Jan 29, 2017, at 5:37 PM, Dave Crawford <bro at pingtrip.com> wrote:
>> 
>> I tried with --pseudo-realtime as well as creating a new PCAP to test with but it still exhibits the same behavior. ActiveHTTP successfully makes the request, and receives a response based on the contents of the temp files, but the when() block is never executed.
>> 
>> The reporter.log only has an event for the termination:
>> 
>> #types	time	enum	string	string
>> 1485725443.690539	Reporter::INFO	received termination signal	(empty)
>> 
>> Is anyone able to re-create the same issue or is this limited to my environment?
>> 
>> -Dave
>> 
>>> On Jan 29, 2017, at 12:41 PM, Jan Grashöfer <jan.grashoefer at gmail.com> wrote:
>>> 
>>> Hi Dave,
>>> 
>>>> But if I pass it a PCAP it exhibits the same condition where the when loop isn’t entered:
>>>> 
>>>> bro -r test.pcap b.bro
>>> 
>>> my guess would be that reading a pcap causes timing problems. Have you
>>> tried processing the pcap using --pseudo-realtime?
>>> 
>>> Jan
>>> _______________________________________________
>>> Bro mailing list
>>> bro at bro-ids.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>> 
> 
