[Bro] Is there a way to intentionally delay Bro's reading of trace file for something else to finish first?

Johanna Amann johanna at icir.org
Tue Oct 10 09:48:51 PDT 2017


Just to point out one thing to prevent future annoyance on your part -
broker is currently getting a re-write which includes changed python APIs.

The new version of Broker will be used in Bro 2.6 and the old API will no
longer work. The current state is not yet merged into master, but you can
look at topic/actor-system of the broker repository; the best point
is probably the tests in
https://github.com/bro/broker/tree/topic/actor-system/tests/python

It might be worth taking a short look at the new syntax just so that you
know how you might have to adapt things in the future.

Johanna

On Tue, Oct 10, 2017 at 01:16:47PM +0000, Azoff, Justin S wrote:
> 
> 
> > On Oct 9, 2017, at 10:31 PM, Ren, Wenyu <wren3 at illinois.edu> wrote:
> > 
> > Hi Anthony and Justin,
> > 
> > Thanks a lot for your solutions. I think using the suspend and continue works. Actually, I have another question about using pybroker. I have a listener in my python program doing something as follows:
> > 
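> >    # imports required by the calls below
> >    import select
> >    import gevent
> >    from pybroker import *
> >
> >    epl = endpoint("listener")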
> >    mql = message_queue("bro/event", epl)
> >    icsq = epl.incoming_connection_status()
> > 
> >    epl.listen(10007, "127.0.0.1")
> >    select.select([icsq.fd()],[],[])
> >    msgs = icsq.want_pop()
> > 
> >    for m in msgs:
> >        print("incoming connection", m.peer_name, m.status)
> >        assert(m.peer_name == "connector")
> >        assert(m.status == incoming_connection_status.tag_established)
> > 
> >    while True:
> >        select.select([mql.fd()], [], [])
> >        msgs = mql.want_pop()
> >        for m in msgs:
> >            raw_data_queue.put_nowait(m)
> >            gevent.sleep(0)
> > 
> > I put the listener inside a greenlet which is a coroutine I use for my own purpose. The problem is that I don't know a good way to terminate this python program as soon as the Bro part finishes processing all the trace file. If I just terminate by using Ctrl+C, the current port will not be released and that prevents me from using it in the future. Do you have any good ideas about how I should stop this listener and free that port as soon as Bro stops sending more events?
> > 
> > Best,
> > Wenyu
> 
> You could use the bro_done event to send an "EXIT" message to your python listener telling it that bro is done running and it should exit.
> 
> The problem with the port sounds like something is not setting SO_REUSEADDR inside broker.
> 
> Justin Azoff
> 
> 
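
The shutdown pattern suggested in the quoted reply, as an added example that is not from the thread and does not use Broker: plain Python sockets stand in for the endpoint, the listener sets SO_REUSEADDR, stops when it reads an "EXIT" line, and closes its socket in a finally block so Ctrl+C also releases the port. The newline framing and the names SENTINEL, make_listener, drain_until_exit and demo are assumptions made for this illustration.

```python
import select
import socket

SENTINEL = b"EXIT"  # assumed wire form of the "EXIT" message suggested above

def make_listener(host="127.0.0.1", port=0):
    """Bind a TCP listener; SO_REUSEADDR lets a restart rebind immediately."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    return srv

def drain_until_exit(srv, timeout=5.0):
    """Accept one peer and collect newline-delimited messages until SENTINEL."""
    received = []
    try:
        if not select.select([srv], [], [], timeout)[0]:
            return received
        conn, _ = srv.accept()
        with conn:
            buf = b""
            while select.select([conn], [], [], timeout)[0]:
                chunk = conn.recv(4096)
                if not chunk:            # peer closed without sending SENTINEL
                    break
                buf += chunk
                while b"\n" in buf:
                    line, buf = buf.split(b"\n", 1)
                    if line == SENTINEL:
                        return received
                    received.append(line)
        return received
    finally:
        srv.close()  # runs on normal exit and on KeyboardInterrupt (Ctrl+C)

def demo():
    """Constructed exchange: two events, the sentinel, then a rebind check."""
    srv = make_listener()
    port = srv.getsockname()[1]
    sender = socket.create_connection(("127.0.0.1", port))
    sender.sendall(b"event-1\nevent-2\nEXIT\nignored\n")
    msgs = drain_until_exit(srv)
    sender.close()
    make_listener(port=port).close()  # same port is reusable straight away
    return msgs

if __name__ == "__main__":
    print(demo())
```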

