[Bro] Is there a way to intentionally delay Bro's reading of trace file for something else to finish first?

Ren, Wenyu wren3 at illinois.edu
Tue Oct 10 12:18:23 PDT 2017 

Hi Justin,

Thanks for the reply. That’s also what I planned to do. Do you have any idea what function is used at the python side to close the connection? The toy example in the test folder does not have that part included.

Thanks a lot.

Best,
Wenyu

On Oct 10, 2017, at 8:16 AM, Azoff, Justin S <jazoff at illinois.edu<mailto:jazoff at illinois.edu>> wrote:



On Oct 9, 2017, at 10:31 PM, Ren, Wenyu <wren3 at illinois.edu<mailto:wren3 at illinois.edu>> wrote:

Hi Anthony and Justin,

Thanks a lot for your solutions. I think using the suspend and continue works. Actually, I have another question about using pybroker. I have a listener in my python program doing something as follows:

  epl = endpoint("listener")
  mql = message_queue("bro/event", epl)
  icsq = epl.incoming_connection_status()

  epl.listen(10007, "127.0.0.1")
  select.select([icsq.fd()],[],[])
  msgs = icsq.want_pop()

  for m in msgs:
      print("incoming connection", m.peer_name, m.status)
      assert(m.peer_name == "connector")
      assert(m.status == incoming_connection_status.tag_established)

  while True:
      select.select([mql.fd()], [], [])
      msgs = mql.want_pop()
      for m in msgs:
          raw_data_queue.put_nowait(m)
          gevent.sleep(0)

I put the listener inside a greenlet which is a coroutine I use for my own purpose. The problem is that I don't know a good way to terminate this python program as soon as the Bro part finishes processing all the trace file. If I just terminate by using Ctrl+C, the current port will not be released and that prevents me from using it in the future. Do you have any good idea about how I should stop this listener and free that port as soon as the Bro stops sending more events?

Best,
Wenyu

You could use the bro_done event to send a "EXIT" message to your python listener telling it that bro is done running and it should exit.

The problem with the port sounds like something is not setting SO_REUSEADDR inside broker.

—
Justin Azoff

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20171010/36b1787c/attachment.html

More information about the Bro mailing list