Bro is running, but ...

Hello everyone,
and happy new year!

I am observing some weird things regarding bro.

fw1-net1# /usr/local/etc/rc.d/bro.sh checkpoint
bro.rc: Beginning the checkpoint process
bro.rc: No current instance of Bro is running.

fw1-net1# ps -aux | grep bro
root 157 0.0 0.1 1776 1124 ?? I Mon12AM 0:00.01 /bin/sh /usr/local/bro/etc/bro.rc start
root 165 0.0 3.5 40340 36556 ?? S Mon12AM 42:12.20 /usr/local/bro/bin/bro -W -i re1 local.site.bro

I have to kill the bro process and start it again.
I'm running bro 1.1c on FreeBSD 6.2-PRERELEASE.

We have custom rules which react to events using system() and call pfctl to extend specific tables in the firewall ruleset. Everything is working fine, but from time to time, let's say one time a week, bro doesn't react as expected. We have logfiles showing that the events were there, but the tables are not extended with the origin IP addresses.

Does anyone know what can be wrong, or maybe someone has observed the same behavior?

The custom site-rule isn't different from conn.bro, just triggered on specific traffic.

Regards,
/rl

Brian Tierney wrote:

Have you set the env variable BROHOME?

This script looks for PID of the current bro to kill by looking
at BRO_RUNTIME_DIR, which is defined in $BROHOME/etc/bro.cfg

Of course, everything is working fine for a few days, and then what I described in my last email happens.

fw1-net1# ./bro.sh status
Bro is running (pid: 66617)
Autorestart: ON
Running since: Thu Jan 18 04:03:04 UTC 2007
Bro Version: 1.1c
Active log suffix: fw1-net1.07-01-18_04.03.01

I'm now restarting bro using cron once a day as a test.

thx,
/rl