[Bro] Strange behavior with interesting-hostnames.bro

[Azoff, Justin S]

> On Jul 28, 2017, at 11:22 AM, Eric Hacecky <hacecky at jlab.org> wrote:
> 
> Justin,
> 
> Yeah seems like you're right on the money.
> 
> //
> [BroControl] > print SSH::interesting_hostnames
>     manager   SSH::interesting_hostnames = /(((((^?(^d?ns[0-9]*\.)$?)|(^?(^smtp[0-9]*\.)$?))|(^?(^mail[0-9]*\.)$?))|(^?(^pop[0-9]*\.)$?))|(^?(^imap[0-9]*\.)$?))|(^?(^www[0-9]*\.)$?)/
>     proxy-1   SSH::interesting_hostnames = /(((((^?(^d?ns[0-9]*\.)$?)|(^?(^smtp[0-9]*\.)$?))|(^?(^mail[0-9]*\.)$?))|(^?(^pop[0-9]*\.)$?))|(^?(^imap[0-9]*\.)$?))|(^?(^www[0-9]*\.)$?)/
>    worker-1   SSH::interesting_hostnames = /(((((^?(^d?ns[0-9]*\.)$?)|(^?(^smtp[0-9]*\.)$?))|(^?(^mail[0-9]*\.)$?))|(^?(^pop[0-9]*\.)$?))|(^?(^imap[0-9]*\.)$?))|(^?(^www[0-9]*\.)$?)/
>    worker-2   SSH::interesting_hostnames = /((((((^?(^d?ns[0-9]*\.)$?)|(^?(^smtp[0-9]*\.)$?))|(^?(^mail[0-9]*\.)$?))|(^?(^pop[0-9]*\.)$?))|(^?(^imap[0-9]*\.)$?))|(^?(^www[0-9]*\.)$?))|(^?(^ftp[0-9]*\.)$?)/
> //
> 
> I haven't made any changes to the other local files.  They're all empty on the manager/worker nodes.
> 
>> Did you make changes to your local.bro without restarting the entire cluster?
> 
> I've been using broctl deploy or restart mostly.  I did get a crash message from worker-2 once, where I issued broctl restart worker-2 instead of the entire cluster.
> 
> //
> 1501254343.937122 fatal error in /usr/local/bro/spool/installed-scripts-do-not-touch/site/local.bro, line 157: Val::CONST_ACCESSOR (types/string) (/(((((^?(^d?ns[0-9]*\.)$?)|(^?(^smtp[0-9]*\.)$?))|(^?(^mail[0-9]*\.)$?))|(^?(^pop[0-9]*\.)$?))|(^?(^imap[0-9]*\.)$?))|(^?(^www[0-9]*\.)$?)/)
> //
> 
> Any ideas?
> 
> Eric
> 

What does a broctl deploy output at this point?  Does your local.bro currently have the redef with the {}'s?  you want it without them.

-- 
- Justin Azoff