[Zeek] Input framework

Justin Azoff justin at corelight.com
Fri May 22 07:06:00 PDT 2020


Try deleting this part:

event bro_done()
{
   Input::remove("file_port_list");
}

On Fri, May 22, 2020 at 6:19 AM Nabil Memon <nabilmemon.ec at gmail.com> wrote:
>
> Hi Zeek,
>
> Hope you're all doing well.
>
> I am using the Input framework to provide some dynamic input to bro.
> Here's what the infra looks like:
>
> cat /usr/local/bro/share/bro/base/protocols/file_port_list
> #fields port_num
> 60000/tcp
> 8080/tcp
> 49154/tcp
> 55907/tcp
> 49152/tcp
> 49153/tcp
> 8000/tcp
> 5357/tcp
>
>
> type Portsx: record {
>    port_num: port;
> };
>
> global file_port_list: set[port] = set();
>
> redef Communication::nodes += {
>      ["python"] = [$host = 127.0.0.1, $events = /config_update/, $connect=F, $ssl=F]
> };
>
> event bro_init()
> {
>    Input::add_table([$source=file_port_list_loc, $name="file_port_list", $idx=Portsx, $destination=file_port_list]);
> }
>
> event bro_done()
> {
>    Input::remove("file_port_list");
> }
>
>
> event config_update()
> {
>    Input::force_update("file_port_list");
> }
>
> It works really well. But when I terminate the bro process, it goes into a defunct state and throws an error on the console.
> Error: received signal while waiting for thread /usr/local/bro/share/bro/base/protocols/file_port_list/Input::READER_ASCII, aborting all ...
>
> Am I doing anything wrong?
>
> Thanks a lot for looking!
>
>
> Regards,
> Nabil



-- 
Justin

