[Bro] Losing events associated with Signature Matching

Johanna Amann johanna at icir.org
Tue Oct 10 10:06:43 PDT 2017


Hi,

Since it sounds like the same program runs well on a beefier machine, I
assume that this is a case of your fanless Atom machine not being able to
keep up.

Did you check if there is any capture loss? (Packet loss statistics should
be added to notice.log by default).

Johanna

On Tue, Sep 26, 2017 at 03:38:20PM +0000, Shuai Hao wrote:
> Hi All,
> 
> My Bro program shows a weird behavior. We leverage the signature framework
> to capture embedded components in HTTP replies (http-reply-body) as well as
> the file download (tcp payload). However, we lose many events associated
> with the signature (only around 1/3 shown).
> 
> The exact same program actually runs well on another desktop (capturing
> all signature matching we issued). I would appreciate it if anyone has
> a clue about the problem.
> 
> The machine running bro is a fanless computer with Intel Atom and Ubuntu
> 16.04. It is almost dedicated to the Bro monitoring so it shouldn't be a
> performance issue.
> 
> The signature matching is quite straightforward: we define some simple
> signature patterns, load those signatures to BroControl, and pull some
> fields from corresponding log files via a broccoli python client.
> 
> We do capture some signature matching events, but also lose many that
> should be captured. Those events are not shown in signatures.log; this means
> that they are either not captured or dropped by BroControl, rather
> than a problem of the python client.
> 
> BTW, we use File Analysis to capture the file downloads, and it works well
> as expected.
> 
> Thanks very much for any comments~
> 
> Cheers,

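Following up on the suggestion to check for capture loss: the script below is an added example, not code from the thread or from the Bro project. It parses the tab-separated ASCII format Bro uses for capture_loss.log (via the `#fields` header) and flags measurement intervals whose `percent_lost` exceeds a threshold. The log content is constructed, and the 10% default threshold is an assumption chosen to match the stock capture-loss policy script.

```python
"""Flag intervals in a Bro capture_loss.log where packets were dropped."""

# Constructed sample log: three 15-minute intervals from one worker, "bro".
# The middle interval is the kind of loss that would explain missed
# signature matches (gaps in TCP streams break the content reassembly).
SAMPLE_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tcapture_loss
#open\t2017-09-26-15-00-00
#fields\tts\tts_delta\tpeer\tgaps\tacks\tpercent_lost
#types\ttime\tinterval\tstring\tcount\tcount\tdouble
1506438000.000000\t900.000000\tbro\t12\t10000\t0.12
1506438900.000000\t900.000000\tbro\t1580\t9200\t17.173913
1506439800.000000\t900.000000\tbro\t34\t11000\t0.309091
#close\t2017-09-26-15-45-00
"""


def parse_bro_log(text):
    """Parse Bro ASCII log text into a list of {field: value} dicts."""
    fields, rows = [], []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue  # other header/footer lines carry no records
        values = line.split("\t")
        if not fields or len(values) != len(fields):
            raise ValueError("malformed record: %r" % line)
        rows.append(dict(zip(fields, values)))
    return rows


def check_capture_loss(text, threshold_pct=10.0):
    """Return (peer, ts, percent_lost) for intervals above the threshold."""
    flagged = []
    for row in parse_bro_log(text):
        if row["percent_lost"] == "-":  # unset field, e.g. no ACKs seen
            continue
        pct = float(row["percent_lost"])
        if pct > threshold_pct:
            flagged.append((row["peer"], float(row["ts"]), pct))
    return flagged


if __name__ == "__main__":
    for peer, ts, pct in check_capture_loss(SAMPLE_LOG):
        print("%s: %.1f%% loss at ts=%.0f, sensor cannot keep up" % (peer, pct, ts))
```

Pointing the same parser at a real capture_loss.log (or at notice.log for CaptureLoss::Too_Much_Loss entries) tells you whether the missing signatures.log entries line up with intervals of packet loss on the Atom box.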


