> On Sep 6, 2018, at 4:19 PM, Jon Siwek <jsi...@corelight.com> wrote:
>
> On Thu, Sep 6, 2018 at 3:14 PM Azoff, Justin S <jaz...@illinois.edu> wrote:
>
>> I tested an almost stock local.bro (a few additional things disabled) and
>> saw the same thing.
>>
>> fa7fa5aa is fine, but with 452eb0cb everything is working really hard to do
>> something.
>
> Thanks for that, I'll start looking into it, but still would be
> helpful if you could try disabling message forwarding (or disable ssl
> + look at some captured traffic to see if you can understand what
> might be happening). Thanks.
>
> - Jon

Yeah, that fixed it!

I re-enabled that and then disabled ssl and I am looking at the comm stuff going to the logger, which should just be logs.

This seems to work for basic quick analysis:

[root@bro40-dev ~]# tcpdump -n -i em1 port 47761 -A|sed "s/\.\.\.\.\./\n/g"|egrep -io broker.* |head -n 10000|sort|uniq -c|sort -nr
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em1, link-type EN10MB (Ethernet), capture size 262144 bytes
tcpdump: Unable to write output: Broken pipe
   8842 broker::topic+broker::internal_comma...@u32.bro/known/certs/<$>/data/clone
   1124 broker::topic+broker::internal_comma...@u32.bro/known/hosts/<$>/data/clone
      8 broker::internal_comma...@u32.bro/known/certs/<$>/data/clone
      5 broker::topic+broker::internal_command+@

—
Justin Azoff