[Zeek] Input framework

Jon Siwek jsiwek at corelight.com
Thu May 28 09:34:35 PDT 2020


Are you missing a matching call to `continue_processing()`?

event Input::end_of_data(name: string, source: string)
    {
    if ( name == "file_port_list" )
        continue_processing();
    }

- Jon

On Thu, May 28, 2020 at 2:28 AM Nabil Memon <nabilmemon.ec at gmail.com> wrote:
>
> Hi Jon,
>
> Even in the latest Zeek version, which is 3.1.3, it reaches 100% when I integrate the Input framework:
>
> cat  /tmp/file_port_list
> #fields port_num
> 60000/tcp
> 8080/tcp
> 49154/tcp
> 55907/tcp
> 49152/tcp
> 49153/tcp
> 8000/tcp
> 5357/tcp
> 80/tcp
>
> cat test.zeek
> global file_port_list: set[port] = set();
> global file_port_list_loc: string = "/tmp/file_port_list";
> type Portsx: record {
>   port_num: port;
> };
> event zeek_init() &priority=5
> {
>   suspend_processing();
>   Input::add_table([$source=file_port_list_loc, $name="file_port_list", $idx=Portsx, $destination=file_port_list]);
>   Input::remove("file_port_list");
> }
>
> Regards,
> Nabil
>
>
> On Tue, May 26, 2020 at 11:05 PM Nabil Memon <nabilmemon.ec at gmail.com> wrote:
>>
>> I am using 2.6.x version.
>>
>> On Tue, 26 May, 2020, 10:53 pm Jon Siwek, <jsiwek at corelight.com> wrote:
>>>
>>> On Tue, May 26, 2020 at 8:47 AM Nabil Memon <nabilmemon.ec at gmail.com> wrote:
>>>
>>> > I got caught up in some other side effect. Bro's CPU usage goes to 100% when I use the input framework
>>>
>>> What version are you using?  You should try comparing against one of
>>> the latest 3.0.x or 3.1.x releases since there are specifically things
>>> addressed in them that might explain that behavior.  E.g.
>>> https://github.com/zeek/broker/pull/97
>>>
>>> - Jon
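
Added example, not part of the original thread or the Zeek project's code: the quoted script combined with the suggested `Input::end_of_data` handler, so that packet processing resumes once the port list has loaded. The `new_connection` handler and the print messages are illustrative assumptions showing why the set is loaded before any traffic is analyzed.

```zeek
# Added example (not from the thread). File path, record type and stream
# name are taken from the quoted script; the handlers' print statements and
# the new_connection check are assumptions for illustration.
@load base/frameworks/input

global file_port_list: set[port] = set();
global file_port_list_loc: string = "/tmp/file_port_list";

type Portsx: record {
    port_num: port;
};

event zeek_init() &priority=5
    {
    # Hold packet processing until the set has been populated.
    suspend_processing();

    Input::add_table([$source=file_port_list_loc, $name="file_port_list",
                      $idx=Portsx, $destination=file_port_list]);

    # One-shot read: the stream is removed once the file has been consumed.
    Input::remove("file_port_list");
    }

event Input::end_of_data(name: string, source: string)
    {
    # Only react to our own stream; other input streams raise this event too.
    if ( name != "file_port_list" )
        return;

    print fmt("loaded %d ports from %s", |file_port_list|, source);

    # Matching call for suspend_processing() in zeek_init().
    continue_processing();
    }

event new_connection(c: connection)
    {
    # The set is complete here because processing was suspended during load.
    if ( c$id$resp_p in file_port_list )
        print fmt("%s -> %s:%s matches port list",
                  c$id$orig_h, c$id$resp_h, c$id$resp_p);
    }
```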

