Losing events associated with Signature Matching

Hi All,

My Bro program shows a wired behavior. We leverage the signature framework to capture embedded components in HTTP replies (http-reply-body) as well as the file download (tcp payload). However, we lose many events associated with the signature (only around 1/3 shown).

The exactly same program actually runs well on another desktop (capturing all signature matching we issued). I would be appreciate if anyone can have a clue on the problem.

The machine running bro is fanless computer with Intel Atom and Ubuntu 16.04. It is almost dedicated to the Bro monitoring so it shouldn’t be performance issue.

The signature matching is quite straightforward: we define some simple signature patterns, load those signatures to BroControl, and pull some fields from corresponding log files via a broccoli python client.

We do capture some signature matching events, but also lose many that should be captured. Those events are not shown in signatures.log; it means that they are either failure of capturing or dropped by Bro Control, rather than the problem of python client.

BTW, we use File Analysis to capture the file downloads, it works well as expected.

Thanks very much for any comments~



Since it sounds that the same program runs well on a beefier machnine, I
assume that this is a case of your fanless atom machine not able to keep

Did you check if there is any capture loss? (Packet loss statistics should
be added to notice.log by default).