[Bro] Is there a way to intentionally delay Bro's reading of trace file for something else to finish first?

anthony kasza anthony.kasza at gmail.com
Mon Oct 9 16:03:56 PDT 2017


Here's a solution I hacked up a couple of years back while trying to scan
pcaps for indicators. I believe it's very similar to what Justin replied
with.

https://github.com/anthonykasza/scratch_pad/blob/master/input_for_pcaps/README.md

-AK

On Oct 9, 2017 4:35 PM, "Azoff, Justin S" <jazoff at illinois.edu> wrote:

> > On Oct 9, 2017, at 6:10 PM, Ren, Wenyu <wren3 at illinois.edu> wrote:
> >
> > Hello all,
> >
> > I have recently been using pybroker to feed some event data to my Python
> > program. I use auto_event to do that and read traffic from a pcap file.
> > However, it takes some time for the broker to establish the connection with
> > my Python program, but the processing of the traffic starts immediately. As
> > a result, the first part of the traffic is always missing in my Python
> > program. The following is how I set up the connection and utilize the
> > auto_event. I am wondering if there is a way to intentionally delay Bro's
> > processing of the pcap file so that the connection can be established
> > before Bro starts to process the traffic.
> >
> > event bro_init() &priority=5
> > {
> >    Broker::enable();
> >    Broker::connect("127.0.0.1", broker_port, 1sec);
> >    Broker::auto_event("bro/event/packet_get", FlowLevel::packet_get);
> >    Broker::auto_event("bro/event/data_get", DataLevel::data_get);
> > }
> >
> > Any help is appreciated. Thanks a lot.
> >
> > Best,
> > Wenyu
> >
>
> You can try something like this, not sure if it will work though
>
> event resume()
> {
>     continue_processing();
> }
>
> event bro_init() &priority=5
> {
>     # your existing stuff
>     suspend_processing();
>     schedule 10secs { resume() };
> }
>
>
> You may want to look at the suggestion I wrote up here:
>
> http://mailman.icsi.berkeley.edu/pipermail/bro/2017-July/012355.html
>
> Having a 'pcapdir' pktsource plugin would solve a lot of problems like
> this.
>
>> Justin Azoff
>
>
>
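As an added example that is not part of this thread (neither Justin's nor Anthony's code), here is the same gating done on Broker's connection-established event rather than on a fixed timer, written against the Bro 2.5-era Broker API (Broker::enable / Broker::connect / Broker::auto_event) that the quoted script uses. The port constant, the topic name and the demo_event it publishes are placeholders chosen for illustration; the original FlowLevel/DataLevel events are not defined on this page, so they are not used here.

```bro
# Added example: hold the pcap until the Broker peer has connected, then
# resume exactly once. Bro 2.5-era Broker API, matching the script quoted
# above. Names marked "placeholder" are assumptions, not part of any project.

# placeholder: the port the Python pybroker peer listens on
const broker_port = 9999/tcp &redef;

# placeholder event published to the Python side; payload is for illustration only
global demo_event: event(orig: addr, resp: addr);

# Guard so continue_processing() is called once, whichever path gets there first,
# keeping it balanced with the single suspend_processing() in bro_init().
global resumed = F;

function resume_trace(reason: string)
	{
	if ( resumed )
		return;

	resumed = T;
	print fmt("resuming packet processing (%s)", reason);
	continue_processing();
	}

# Raised by Broker once the connection requested in bro_init() is actually up.
event Broker::outgoing_connection_established(peer_address: string,
                                              peer_port: port,
                                              peer_name: string)
	{
	resume_trace(fmt("peer %s at %s:%s", peer_name, peer_address, peer_port));
	}

event bro_init() &priority=5
	{
	Broker::enable();
	Broker::auto_event("bro/event/demo", demo_event);

	# Block the packet source before the first packet is read: nothing from
	# the trace is processed until continue_processing() runs.
	suspend_processing();

	if ( ! Broker::connect("127.0.0.1", broker_port, 1sec) )
		{
		# The connect request itself failed, so no established event will
		# ever arrive; do not leave Bro parked on the trace forever.
		resume_trace("Broker::connect failed");
		}
	}

# Every connection in the trace is published to the peer. Because processing
# only starts after the peer is up, the Python side now sees the first ones too.
event new_connection(c: connection)
	{
	event demo_event(c$id$orig_h, c$id$resp_h);
	}
```

Run it as `bro -r trace.pcap gate.bro` with the Python peer already listening on the placeholder port. Two caveats: when Bro reads a trace its clock is driven by the packet timestamps, so a `schedule`-based fallback like the one in the reply above may not fire while the packet source is suspended, which is why the resume here is tied to the Broker event and to an immediate failure of `Broker::connect` instead; and later releases reworked the Broker API (the connection event became `Broker::peer_added` in Bro 2.6), so the handler name needs adjusting there.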