[Bro] Worker Identification

Donaldson, John donaldson8 at llnl.gov
Fri Nov 21 09:33:19 PST 2014


We use something like the below to add worker names to our connection logs

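redef record Conn::Info += {
        # Name of the Bro node (worker) that processed the connection
        peer_descr: string &default="unknown" &log;
};

event connection_state_remove(c: connection){
        # peer_description holds the local node's name
        c$conn$peer_descr = peer_description;
}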

John Donaldson

From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Matt Clemons
Sent: Friday, November 21, 2014 9:06 AM
To: bro at bro.org
Subject: [Bro] Worker Identification

Lo All,

Is there a way to extend Bro to add a "worker" field in the files.log?  I'd like to know where the packets are being processed.
I'm doing file carving and the carved files are stored locally to each respective worker.  Finding the interface the files crossed is pretty difficult in a large network.

Also, it would be nice to extend other logs to see what traffic is crossing what workers in order to map the network.

Maybe this is already possible, but I couldn't find much, and I'm pretty new at brogramming.


Matt Clemons
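
Added example, not code from the thread: files.log already records the connection uids of each file in its conn_uids column, so the peer_descr column added to conn.log above can be joined to files.log offline to find the worker that handled each file. The sample log lines, uids, fuids and worker names are constructed.

```python
# Constructed sample logs in Bro's tab-separated format (not from the thread).
# conn.log carries the peer_descr column added by the redef shown above.
CONN_LOG = (
    "#fields\tuid\tid.orig_h\tid.resp_h\tpeer_descr\n"
    "CAbc1\t10.0.0.5\t192.0.2.10\tworker-1\n"
    "CDef2\t10.0.0.7\t192.0.2.20\tworker-2\n"
)
FILES_LOG = (
    "#fields\tfuid\tconn_uids\tmime_type\n"
    "FAaa1\tCAbc1\tapplication/pdf\n"
    "FBbb2\tCDef2,CZzz9\tapplication/zip\n"
    "FCcc3\t-\ttext/plain\n"
)


def read_bro_log(text):
    """Parse a Bro TSV log into a list of dicts keyed by the #fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def workers_for_files(conn_text, files_text):
    """Map each fuid to the sorted list of workers that saw its connections."""
    uid_to_worker = {
        r["uid"]: r.get("peer_descr", "unknown") for r in read_bro_log(conn_text)
    }
    result = {}
    for f in read_bro_log(files_text):
        raw = f["conn_uids"]
        # "-" (unset) and "(empty)" are Bro's markers for no value / empty set.
        uids = [] if raw in ("-", "(empty)") else raw.split(",")
        # A uid missing from conn.log (e.g. connection still open) is "unknown".
        result[f["fuid"]] = sorted({uid_to_worker.get(u, "unknown") for u in uids})
    return result


if __name__ == "__main__":
    for fuid, workers in workers_for_files(CONN_LOG, FILES_LOG).items():
        print(fuid, ",".join(workers) or "-")
```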