Folks,
Fairly new bro user, still figuring things out.
I recently changed my local.bro file to call hash-all-files, viz.:
Did you run the "install" command in BroControl? Running the install command will essentially stage any changes that you've made to scripts so that the next time things start up they are running the changes you've made. You can imagine if the install command wasn't there it could be bad in the event that something crashed and was restarted while you were changing a script and the one process started running your changes or your script had a syntax error and the process couldn't even start up.
That script should already be loaded by local.bro too so I'm actually kind of surprised that it wasn't already working? The result is that out of the box, Bro should be doing MD5 and SHA1 hashes by default when run with BroControl.
.Seth
I did - my process for rule changes goes:
broctl check manager proxy{rnd} bro{rnd}-{rnd}
broctl install
broctl restart
Have you looked at your loaded_scripts.log to see if the script isn't being loaded for some reason?
That script should already be loaded by local.bro too so I'm actually kind of surprised that it wasn't already working? The result is that out of the box, Bro should be doing MD5 and SHA1 hashes by default when run with BroControl.
A previous maintainer had commented out hash-all-files for performance reasons.
Ah. For the record, turning that feature off really doesn't change performance all that much (in my informal testing).
.Seth
Dear Seth and everyone,
Thanks for the assistance. It turned out that the configuration was seemingly correct; it's just that my installation doesn't really have the horsepower to use hash-all-files: over time, I got several results:
- (frequent) normal function, no evidence of hash attempts as previously reported;
- (frequent) crashes every 5 minutes, reducing usefulness to zero;
- (occasional) checksums in the log files as expected.
For now, I've turned off global file hashing - I may revisit it more selectively as I learn.
Thanks again,