[Bro] Is there a way to intentionally delay Bro's reading of trace file for something else to finish first?
Azoff, Justin S
jazoff at illinois.edu
Tue Oct 10 06:16:47 PDT 2017
> On Oct 9, 2017, at 10:31 PM, Ren, Wenyu <wren3 at illinois.edu> wrote:
>
> Hi Anthony and Justin,
>
> Thanks a lot for your solutions. I think using the suspend and continue works. Actually, I have another question about using pybroker. I have a listener in my Python program doing something as follows:
>
> epl = endpoint("listener")
> mql = message_queue("bro/event", epl)
> icsq = epl.incoming_connection_status()
>
> epl.listen(10007, "127.0.0.1")
> select.select([icsq.fd()],[],[])
> msgs = icsq.want_pop()
>
> for m in msgs:
>     print("incoming connection", m.peer_name, m.status)
>     assert(m.peer_name == "connector")
>     assert(m.status == incoming_connection_status.tag_established)
>
> while True:
>     select.select([mql.fd()], [], [])
>     msgs = mql.want_pop()
>     for m in msgs:
>         raw_data_queue.put_nowait(m)
>     gevent.sleep(0)
>
> I put the listener inside a greenlet, which is a coroutine I use for my own purpose. The problem is that I don't know a good way to terminate this Python program as soon as the Bro part finishes processing all of the trace file. If I just terminate it by using Ctrl+C, the current port will not be released, and that prevents me from using it in the future. Do you have any good ideas about how I should stop this listener and free that port as soon as Bro stops sending more events?
>
> Best,
> Wenyu
You could use the bro_done event to send an "EXIT" message to your Python listener telling it that Bro is done running and it should exit.
The problem with the port sounds like something is not setting SO_REUSEADDR inside broker.
—
Justin Azoff
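
The two points in the reply above (a sentinel "EXIT" message that ends the receive loop, and SO_REUSEADDR so the port can be rebound right away), shown as an added example that is not part of the original thread. It uses plain TCP sockets as a stand-in for Broker, not the pybroker API; the newline framing, function names and sample messages are constructed for illustration.

```python
import select
import socket
import threading

EXIT = b"EXIT"  # sentinel the sender emits when it is done (framing is constructed)

def make_listener(port=0):
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # On Linux, without this bind() fails with EADDRINUSE while old
    # connections on the port are still in TIME_WAIT.
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)
    return srv

def run_listener(srv, out):
    """Collect newline-framed messages until EXIT or EOF, then release the port."""
    conn, _ = srv.accept()
    buf = b""
    try:
        while True:
            select.select([conn], [], [])
            chunk = conn.recv(4096)
            if not chunk:          # peer went away without sending EXIT
                return
            buf += chunk
            while b"\n" in buf:
                line, buf = buf.split(b"\n", 1)
                if line == EXIT:
                    return
                out.append(line)
    finally:                       # runs on EXIT, EOF and exceptions alike
        conn.close()
        srv.close()

def demo():
    srv = make_listener()          # port 0: the OS picks a free port
    port = srv.getsockname()[1]
    received = []
    t = threading.Thread(target=run_listener, args=(srv, received))
    t.start()
    with socket.create_connection(("127.0.0.1", port)) as c:
        c.sendall(b"event-1\nevent-2\nEXIT\n")   # constructed sample messages
        t.join(5)
    make_listener(port).close()    # the same port can be bound again at once
    return received

if __name__ == "__main__":
    print(demo())
```

Because the listener closes its side first, its old connection is the one left in TIME_WAIT, which is the case where the rebind depends on SO_REUSEADDR.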