[Bro] Is there a way to intentionally delay Bro's reading of trace file for something else to finish first?

Johanna Amann johanna at icir.org
Tue Oct 10 09:52:17 PDT 2017


I just wanted to point out that the Bro unit tests themselves also use an
approach like this.

See for example
https://github.com/bro/bro/blob/master/testing/btest/scripts/policy/frameworks/intel/seen/certs.bro

Johanna

On Mon, Oct 09, 2017 at 11:03:56PM +0000, anthony kasza wrote:
> Here's a solution I hacked up a couple of years back while trying to scan
> pcaps for indicators. I believe it's very similar to what Justin replied
> with.
> 
> https://github.com/anthonykasza/scratch_pad/blob/master/input_for_pcaps/README.md
> 
> -AK
> 
> On Oct 9, 2017 4:35 PM, "Azoff, Justin S" <jazoff at illinois.edu> wrote:
> 
> > > On Oct 9, 2017, at 6:10 PM, Ren, Wenyu <wren3 at illinois.edu> wrote:
> > >
> > > Hello all,
> > >
> > > I have recently been using pybroker to feed some event data to my python
> > > program. I use auto_event to do that and read traffic from a pcap file.
> > > However, it takes some time for the broker to establish the connection with
> > > my python program, but the processing of the traffic starts immediately. As
> > > a result, the first part of the traffic is always missing in my python
> > > program. The following is how I set up the connection and utilize
> > > auto_event. I am wondering if there is a way to intentionally delay Bro's
> > > processing of the pcap file so that the connection can be established
> > > before Bro starts to process the traffic.
> > >
> > > event bro_init() &priority=5
> > > {
> > >    Broker::enable();
> > >    Broker::connect("127.0.0.1", broker_port, 1sec);
> > >    Broker::auto_event("bro/event/packet_get", FlowLevel::packet_get);
> > >    Broker::auto_event("bro/event/data_get", DataLevel::data_get);
> > > }
> > >
> > > Any help is appreciated. Thanks a lot.
> > >
> > > Best,
> > > Wenyu
> > >
> >
> > You can try something like this, not sure if it will work though
> >
> > event resume()
> > {
> >     continue_processing();
> > }
> >
> > event bro_init() &priority=5
> > {
> >     # your existing stuff
> >     suspend_processing();
> >     schedule 10secs { resume() };
> > }
> >
> >
> > You may want to look at the suggestion I wrote up here:
> >
> > http://mailman.icsi.berkeley.edu/pipermail/bro/2017-July/012355.html
> >
> > Having a 'pcapdir' pktsource plugin would solve a lot of problems like
> > this.
> >
> > —
> > Justin Azoff
> >
> >
> >
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

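As an added example (not code from the thread or from the Bro project), here is a variant of the suspend/continue idea that does not guess a delay: packet processing is held from bro_init() and resumed from the Broker connection event, so the trace is not read until the Python peer is actually connected. It assumes the Bro 2.5-era Broker API used in the thread (Broker::enable/connect/auto_event and the Broker::outgoing_connection_established event; verify the names against your installed version), and the FlowLevel/DataLevel event declarations and broker_port value are stand-ins for Wenyu's, whose definitions the thread does not show.

```bro
# Added example, not code from the thread: hold the packet source until the
# Broker peer is connected, instead of sleeping for a fixed number of seconds.
# Assumed API: Bro 2.5-era Broker (Broker::enable/connect/auto_event and the
# Broker::outgoing_connection_established event). The FlowLevel/DataLevel
# events and broker_port are stand-ins for the original poster's definitions.

@load base/frameworks/broker

# Stand-in event declarations; the real signatures are not shown in the thread.
module FlowLevel;
export { global packet_get: event(c: connection); }

module DataLevel;
export { global data_get: event(c: connection, payload: string); }

module GLOBAL;

# Assumed port; the thread does not show the original value.
const broker_port: port = 9999/tcp &redef;

global processing_resumed: bool = F;

function resume_processing(why: string)
	{
	# Only resume once: the peer may reconnect later and fire the
	# connection event again, and continue_processing() should pair with
	# the single suspend_processing() call made in bro_init().
	if ( processing_resumed )
		return;

	processing_resumed = T;
	Reporter::info(fmt("continuing packet processing: %s", why));
	continue_processing();
	}

# Fires once the outgoing Broker connection is up; the Python program is
# now able to receive the auto-published events.
event Broker::outgoing_connection_established(peer_address: string, peer_port: port, peer_name: string)
	{
	resume_processing(fmt("Broker peer %s:%s (%s) connected",
	                      peer_address, peer_port, peer_name));
	}

event bro_init() &priority=5
	{
	Broker::enable();
	Broker::connect("127.0.0.1", broker_port, 1sec);
	Broker::auto_event("bro/event/packet_get", FlowLevel::packet_get);
	Broker::auto_event("bro/event/data_get", DataLevel::data_get);

	# Stop reading the trace before the first packet is dispatched. Broker's
	# own I/O keeps running while processing is suspended, so the connection
	# event above can still arrive and wake us up.
	suspend_processing();
	}
```

Resuming from an event rather than from a scheduled timer matters when the input is a trace: Bro drives script timers from packet timestamps while reading a pcap, and no packets are dispatched while processing is suspended, so a `schedule`-based wake-up may never fire in that mode. Events delivered by the Broker I/O source (like the connection event used here, or Input::end_of_data in the input-framework variant Johanna points at) are processed regardless. The flip side is that if the peer never connects, this script waits indefinitely; if that is a concern, run the Python side first, or resume on the corresponding connection-failure event as well.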