[Bro] Bro Tor SSL suppression

Siwek, Jonathan Luke jsiwek at illinois.edu
Thu Jul 11 15:03:46 PDT 2013

On Jul 11, 2013, at 4:04 PM, Lou RUPPERT <himself at louruppert.com> wrote:

> 1. Is there a way to get a table loaded via the Input framework on a
> cluster master to be visible by the cluster workers? You'd think
> &synchronized would be the ticket to awesomeness, but all it did was
> shame me.

One idea would be to have the manager feed back the table entries to worker nodes via an even and workers assign the entry in their local tablet.  The manager could raise those events in an Input::update_finished or Input::end_of_data handler (depends on Bro version which to use).

> 2. Is there any nice sample code for hooking into the Software framework
> and logging software? It would be fun to log Tor clients and servers in
> the software log as well, or instead.

Maybe Seth or someone else can point to a particularly helpful example, but `grep -R Software::found scripts/` in the source code is probably what I would reference.

> 3. Is the tunnels log just a log of tunnels bro can bust open and feast
> on the entrails of, or would it be appropriate to log opaque tunnels
> like Tor or VPNs in there too?

Seems appropriate to me.  Calling Tunnel::register() whenever a new tunnel is found should be enough to log/track it.  E.g:

module Tunnel;

redef enum Tunnel::Type += {

event some_event(c: connection)
	Tunnel::register(EncapsulatingConn($cid=c$id, $tunnel_type=Tunnel::VPN, $uid=c$uid));

- Jon

More information about the Bro mailing list