Bro auto start at boot with Endace cards

MILLER_BRAD_L · July 28, 2015, 7:19pm

My recent Bro config is coming along nicely, but I have run into one issue.

I followed the normal method to start Bro at system boot (added /usr/local/bro/bin/broctl start to /etc/rc.local), but this has resulted in bro crashing due to device dag0:0 being “busy”. I find that two normal Bro processes are already started using this method, but broctl status indicates crashed. Attempts to start Bro fail until I kill the existing Bro PIDs. Once I do that, I can start Bro normally via broctl.

Is this an issue unique to Endace cards? A race condition with Dag load? Any ideas?

Brad Miller | Comerica Bank

Information Security Architecture

IT Security

Office: 248.371.4249 | Mobile: 920.378.8138

Donaldson_John · July 28, 2015, 8:32pm

Brad,

That’s possible, given the amount of time that dagsetup can take to set up the cards. We have Bro start with a normal init script (not in rc.local), but have never had this happen to us, on our 9.2X2 cards.

v/r

Topic		Replies	Views
Endace card native support for Bro Zeek	4	53	May 6, 2022
Best way to autostart local BRO on Mac OS X Zeek	2	143	May 6, 2022
bro won't start -- I've broken something... Zeek	2	56	May 6, 2022
Endace support in use? Zeek	6	45	May 6, 2022
Start Problem Zeek	2	77	May 6, 2022

Bro auto start at boot with Endace cards

Related Topics