[Zeek] Input framework

Nabil Memon nabilmemon.ec at gmail.com
Thu May 28 02:27:58 PDT 2020


Hi Jon,

Even in the latest Zeek version, which is 3.1.3, it reaches 100% when I
integrate the Input framework:

*cat /tmp/file_port_list*
#fields port_num
60000/tcp
8080/tcp
49154/tcp
55907/tcp
49152/tcp
49153/tcp
8000/tcp
5357/tcp
80/tcp

*cat test.zeek*
global file_port_list: set[port] = set();
global file_port_list_loc: string = "/tmp/file_port_list";
type Portsx: record {
  port_num: port;
};
event zeek_init() &priority=5
{
  suspend_processing();
  Input::add_table([$source=file_port_list_loc, $name="file_port_list",
                    $idx=Portsx, $destination=file_port_list]);
  Input::remove("file_port_list");
}

Regards,
Nabil


On Tue, May 26, 2020 at 11:05 PM Nabil Memon <nabilmemon.ec at gmail.com>
wrote:

> I am using 2.6.x version.
>
> On Tue, 26 May, 2020, 10:53 pm Jon Siwek, <jsiwek at corelight.com> wrote:
>
>> On Tue, May 26, 2020 at 8:47 AM Nabil Memon <nabilmemon.ec at gmail.com>
>> wrote:
>>
>> > I got caught up in some other side effect. Bro's CPU usage goes 100%
>> > when I use input framework
>>
>> What version are you using?  You should try comparing against one of
>> the latest 3.0.x or 3.1.x releases since there's specifically things
>> addressed in them that might explain that behavior.  E.g.
>> https://github.com/zeek/broker/pull/97
>>
>> - Jon
>>
>