Recently, I've been seeing Bro perform duplicate notice actions. I think this commit might have introduced a regression: <http://git.bro-ids.org/bro.git/commitdiff/290c2a0b4df2db38ade684cf386a5c9b6b271d9e>
> # The notice policy is completely handled by the manager and shouldn't be
> # done by workers or proxies to save time for packet processing.
> -event bro_init() &priority=11
> - {
> - Notice::policy = table();
> - }
> +redef Notice::policy = table();
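Review bot: the `+redef Notice::policy = table();` line clears the table when the script is parsed rather than when `bro_init` runs, so it no longer guarantees the table is empty at the point where the priority 10 `bro_init` handler builds `Notice::ordered_policy` (as described in the commit message quoted further down). Any `redef Notice::policy += ...` in a script loaded after this one can put entries back. Either keep the removed `event bro_init() &priority=11` handler, or add a comment stating the load-order requirement this redef depends on and confirm that no later-loaded script extends the table.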
Specifically, reading from the commit that fixed the duplicate notice action
issue
(<http://git.bro-ids.org/bro.git/commitdiff/53d9832d5adb526bf80f1d225a13941c7d05bdb2>):
> The problem was that Notice::policy is used to populate the internal
> Notice::ordered_policy vector in a priority 10 bro_init handler (in
> scripts/base/frameworks/notice/main.bro) and then that is what is used when
> applying policy to notices. In order for
> scripts/base/frameworks/notice/cluster.bro to prevent Notice::policy from
> being used on non-manager nodes, it needs to clear it in a bro_init handler of
> higher priority than 10.
Am I on the right track here? If not, does anyone have any other ideas of what
might be causing this?
Thanks,
--Vlad
