OK, so I'm still having problems.
I have a small pcap (1.6 MB) with a telnet login to test with, but it
is taking forever for bro to even get to the point of giving me an
error with my policy. I am running bro 1.3.2 with:
bro -r test.pcap -t tracefile.txt local.clear-passwords.bro
which takes around 30 minutes(!?!) to give me a fairly unhelpful error
about my policy. Why is it so slow? In tracefile.txt I only get
stuff from bro.init about opening log files, and in the terminal I
only get the usual stuff from scan.bro about the DNS root servers.
Why is scan.bro even being run? As far as I can see, the policy files
that I am including (see attached) don't depend on it?
I thought the box I was using might be overly taxed with other
software, but I installed it somewhere else with the same slow result.
Bro doesn't even show up in the first page of "top" processes. Is
there some sort of nice-ing going on that I can turn off? Can I tell
it to consume more system resources?
The error bro gives is "parse error at or near event", the line number
is for the "event account_tried" declaration. I'm guessing that I
have a syntax error in my password array, but this process is making
debugging slow.
Thoughts?
Greg
bro_clear_pass_policy.txt (1.22 KB)