On Feb 8, 2013, at 1:50 PM, Vlad Grigorescu <[email protected]> wrote:
> Recently, I've been seeing Bro perform duplicate notice actions. I think this
> commit might have introduced a regression:
> <http://git.bro-ids.org/bro.git/commitdiff/290c2a0b4df2db38ade684cf386a5c9b6b271d9e>
>
>> # The notice policy is completely handled by the manager and shouldn't be
>> # done by workers or proxies to save time for packet processing.
>> -event bro_init() &priority=11
>> - {
>> - Notice::policy = table();
>> - }
>> +redef Notice::policy = table();
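Review bot: the `redef Notice::policy = table();` that replaces the `bro_init() &priority=11` handler takes effect at the point where this script is parsed, not after all scripts have loaded, so any script loaded later that does `redef Notice::policy += { ... }` (a site policy, for instance) repopulates the table on workers and proxies, whereas the removed handler emptied it once, after loading, before `Notice::ordered_policy` is built. If the goal is that workers and proxies never evaluate the policy, the table has to be cleared at init time or the later additions have to be guarded by cluster role; a quick way to confirm the regression is `broctl print Notice::ordered_policy` on a worker, which should come back empty.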
I also thought that could have broken the notice de-duplication/suppression,
but it seemed to work in my testing. A simple check is to do `broctl print
Notice::ordered_policy`. If it's empty on all the worker nodes, but populated
for the manager node, then it's still working like I expected and probably
something else is wrong.
> Am I on the right track here? If not, does anyone have any other ideas of
> what might be causing this?
Are you getting 2 of the same exact email as if from both the worker and
manager, or is it just that you get many emails within the suppression interval
for the same "logical" notice $identifier?
And is it for all notice types or just certain ones? If it's certain custom
ones you're creating, can you post examples of how you call NOTICE() to
generate them?
Have you changed any of the "suppression_interval" settings?
Jon
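As an added illustration of what Jon is asking for, and not code from either message in this thread: a small Bro script, assumed to run under Bro 2.x, that raises a custom notice keyed on a logical $identifier, sets a per-notice suppression interval, and requests email delivery through Notice::emailed_types. The module name MyNotices, the notice type Repeated_Thing and the one-hour interval are made up for the example; Notice::default_suppression_interval is the global that Jon's "suppression_interval settings" question refers to.

```bro
# Added example: a custom notice with explicit de-duplication key and
# suppression interval. MyNotices and Repeated_Thing are constructed names.
module MyNotices;

export {
    redef enum Notice::Type += {
        ## Constructed notice type used only by this example.
        Repeated_Thing,
    };
}

# Deliver this notice type by email (Notice::emailed_types is the stock
# shortcut for adding ACTION_EMAIL without writing a policy item).
redef Notice::emailed_types += { MyNotices::Repeated_Thing };

# Site-wide default used when a NOTICE() call gives no $suppress_for.
redef Notice::default_suppression_interval = 1hr;

event connection_established(c: connection)
    {
    # Two notices with the same $note and the same $identifier within the
    # suppression window collapse into one delivered action; without
    # $identifier every call is treated as a distinct notice and nothing is
    # suppressed, which looks like "duplicate" emails.
    NOTICE([$note=MyNotices::Repeated_Thing,
            $msg=fmt("saw thing from %s", c$id$orig_h),
            $conn=c,
            $identifier=cat(c$id$orig_h),
            $suppress_for=1hr]);
    }
```

On a cluster the worker that sees the connection raises the notice, but only the manager should evaluate the policy and send mail; if a worker's `broctl print Notice::ordered_policy` is non-empty, both nodes act on the same notice and the same message arrives twice regardless of $identifier.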
_______________________________________________
bro-dev mailing list
[email protected]
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev