0

I'm using Bro to crunch a whole lot of pcap files, so I want to run a bunch of instances in parallel, but I'm worried that they will trip over each other accessing the persistent state file (.state/state.bst). Is there any way to tell Bro that it should neither read nor write any persistent state, no matter what the scripts might want? I cannot find anything relevant in the manual. Making .state an inaccessible directory has the desired effect, except that (reasonably enough) Bro issues a warning about not being able to get in there, which I would prefer to avoid (I'd have to filter it out at a higher level).

4

1 Answer

0

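As far as I know, you currently cannot stop this directory from being used, but you can redefine the state_dir variable to put it somewhere else. You can conveniently redefine variables on the command line, so you can invoke Bro like this: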

bro -r some.pcap state_dir=$(mktemp -d -p . bro.XXXX)

This makes each run use a fresh state directory in the current directory.

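There may be one catch: the DNS manager appears to have a hard-coded .state directory, so if your configuration uses this feature (i.e., DNS lookups performed by Bro itself), the approach above may not work.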

Answered 2018-08-20T21:32:01.020
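
The per-run state_dir idea from the answer, extended to a whole directory of pcaps run in parallel. This is an added example, not part of the original answer or of Bro itself; BRO_BIN, JOBS, the output layout, and the assumption that the hard-coded .state path is relative to the working directory are all choices of this sketch.

```shell
#!/bin/sh
# Added example (not from the original answer): one Bro process per pcap,
# each with a private working directory and a private state_dir.
# BRO_BIN, JOBS and the <outdir>/<name>.d layout are assumptions of this sketch.
BRO_BIN="${BRO_BIN:-bro}"
JOBS="${JOBS:-4}"

# Analyse one pcap; logs, stderr and the exit code land in its own directory.
run_one() {
    pcap="$(cd "$(dirname "$1")" && pwd)/$(basename "$1")" || return 1
    mkdir -p "$2" || return 1
    out="$(cd "$2" && pwd)/$(basename "$1").d"
    mkdir -p "$out" || return 1
    state="$(mktemp -d "$out/state.XXXXXX")" || return 1
    rc=0
    # state_dir=... on the command line redefines the variable, as in the answer.
    # The cd gives any relative .state path a per-run location too (assumption:
    # the hard-coded path is resolved against the working directory).
    ( cd "$out" && "$BRO_BIN" -r "$pcap" "state_dir=$state" ) \
        >"$out/bro.out" 2>&1 || rc=$?
    rm -rf "$state"                 # per-run state is disposable
    echo "$rc" >"$out/exit_code"
    return "$rc"
}

# Run every *.pcap in $1 with at most $JOBS instances at a time; results in $2.
# Returns non-zero if any instance failed.
run_all() {
    in_dir="$1"; out_dir="$2"; n=0
    for f in "$in_dir"/*.pcap; do
        [ -e "$f" ] || continue
        run_one "$f" "$out_dir" &
        n=$((n + 1))
        if [ "$n" -ge "$JOBS" ]; then wait; n=0; fi
    done
    wait
    failed=0
    for c in "$out_dir"/*.d/exit_code; do
        [ -e "$c" ] || continue
        [ "$(cat "$c")" = "0" ] || failed=1
    done
    return "$failed"
}

if [ "$#" -eq 2 ]; then run_all "$1" "$2"; fi
```

Each instance's warnings end up in its own bro.out file, so a failed run can be inspected without interleaved output from the others.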