[Bro] Losing events associated with Signature Matching

Shuai Hao haoscs at gmail.com
Tue Sep 26 08:38:20 PDT 2017


Hi All,

My Bro program shows a weird behavior. We leverage the signature framework
to capture embedded components in HTTP replies (http-reply-body) as well as
file downloads (tcp payload). However, we lose many events associated
with the signature (only around 1/3 are shown).

The exact same program actually runs well on another desktop (capturing
all the signature matches we issued). I would appreciate it if anyone has
a clue about the problem.

The machine running Bro is a fanless computer with an Intel Atom and Ubuntu
16.04. It is almost dedicated to the Bro monitoring, so it shouldn't be a
performance issue.

The signature matching is quite straightforward: we define some simple
signature patterns, load those signatures into BroControl, and pull some
fields from the corresponding log files via a Broccoli Python client.

We do capture some signature matching events, but also lose many that
should be captured. Those events are not shown in signatures.log; this means
that they are either a failure of capturing or dropped by BroControl, rather
than a problem of the Python client.

BTW, we use File Analysis to capture the file downloads, and it works as
expected.

Thanks very much for any comments~

Cheers,
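The setup the post describes, as an added example that is not part of the original message: a signature file with one http-reply-body rule and one tcp payload rule, plus a script that loads it and counts signature_match events per signature ID at shutdown, so the raw event count can be compared against the rows that reach signatures.log. The signature names, the patterns and the file name mysigs.sig are assumptions; the Signatures framework itself logs every SIG_ALARM match to signatures.log by default, so a gap between the two counts points at the matcher or the loaded policy rather than at a downstream client.

```bro
# mysigs.sig (assumed file name; added example, not from the original post)

# Embedded component inside an HTTP reply body. The http-reply-body
# condition is evaluated on the reassembled reply, so no tcp-state
# or direction condition is needed. Patterns are matched from the
# beginning of the data, hence the leading ".*".
signature embedded-component-reply {
    ip-proto == tcp
    src-port == 80
    http-reply-body /.*<(script|iframe|object)[^>]*src=/
    event "embedded component in HTTP reply body"
}

# Raw TCP payload rule for a file download: look for a DOS/PE "MZ" header
# in the responder's stream of an established connection.
signature exe-download-payload {
    ip-proto == tcp
    tcp-state established,responder
    payload /.*MZ/
    event "MZ header seen in responder payload"
}
```

```bro
# local.bro fragment (assumed; loaded via BroControl). Added example,
# not code from the original post.
@load-sigs ./mysigs.sig

# Per-signature counter filled directly from the signature_match event,
# independent of the Signatures framework's own logging.
global sig_hits: table[string] of count;

event signature_match(state: signature_state, msg: string, data: string)
    {
    if ( state$sig_id !in sig_hits )
        sig_hits[state$sig_id] = 0;
    ++sig_hits[state$sig_id];
    }

event bro_done()
    {
    # Compare these totals with: cat signatures.log | bro-cut sig_id | sort | uniq -c
    for ( id in sig_hits )
        print fmt("%s: %d raw signature_match events", id, sig_hits[id]);
    }
```

If the printed totals are also low, the matcher never fired and the problem is upstream of logging (capture, reassembly, or the signature conditions themselves); if they are higher than the signatures.log row count, the loss is in the Signatures framework's action handling or in whatever consumes the log.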