[Bro] Cluster state synchronization

anthony kasza anthony.kasza at gmail.com
Mon Oct 6 12:54:32 PDT 2014

I'm not sure about forcing synchronization. In reply to your question about
sleep, you may want to look at scriptland's suspend_processing() and

On Oct 6, 2014 11:06 AM, "Damian Gerow" <damian.gerow at shopify.com> wrote:

> I'm having some troubles wrapping my head around synchronization of set
> values in a cluster.
> We use a relatively simple bro script that correlates sets of
> whitelisted/blacklisted DNS names with new connections.  To accomplish
> this, we have sets that are just the IP addresses returned by DNS lookups,
> which we then use to check against new connections.
> i.e. Host "foo.internal" looks up "blacklist.example.com", and receives
> response "".  Bro then adds IP address "" to the set named
> "blacklisted_ips".  "foo.internal" then proceeds to contact "" on
> TCP/443.  Bro looks up "" in "blacklisted_ips" and, as there is a
> match, raises a notice.
> After migrating from a standalone to a single-node cluster configuration
> (manager, proxy, worker), it now appears as though the sets containing IP
> addresses are updated after the TCP connection is initialized.  As a
> result, our notice log is now growing with entries that should never have
> been raised in the first place, and is missing entries that should have
> been raised.
> Does this theory make sense?  Is there a way to speed up set
> additions/removals, or otherwise force synchronization whenever a
> modification is made, before processing any further traffic?
> Alternatively, does the Bro scripting language have any concept of a
> 'sleep'?
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
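As an added illustration (this is not the poster's script or any Bro project code), the following Bro 2.x policy script implements the DNS-to-connection correlation the question describes: A/AAAA answers for watched names are added to a set of addresses, and each established connection is checked against that set. The module name, the `DNSBlacklist` notice type and the placeholder domain are assumptions for illustration. The `&synchronized` attribute is Bro 2.x's cluster state-sync mechanism; it propagates set changes to other nodes asynchronously, so on its own it does not close the ordering gap between the DNS answer and the subsequent connection that the thread is about, and the `&create_expire` keeps the learned set from growing without bound.

```bro
# Added example, not from the thread. Module/notice names and the
# sample blacklisted name are assumptions for illustration.
module DNSBlacklist;

export {
    redef enum Notice::Type += {
        ## A host contacted an address that was returned for a watched name.
        Blacklisted_Contact,
    };

    ## Hostnames whose resolved addresses should be tracked.
    const blacklisted_names: set[string] = {
        "blacklist.example.com",   # placeholder, not a real indicator
    } &redef;

    ## Addresses learned from answers for blacklisted_names.
    ## &synchronized: Bro 2.x cluster state sync (asynchronous propagation).
    ## &create_expire: drop entries an hour after they were learned.
    global blacklisted_ips: set[addr] &synchronized &create_expire=1hr;
}

# Learn the answer address when the queried name is on the watch list.
event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
    {
    if ( ans$query in blacklisted_names )
        add blacklisted_ips[a];
    }

# Same for IPv6 answers.
event dns_AAAA_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
    {
    if ( ans$query in blacklisted_names )
        add blacklisted_ips[a];
    }

# Check the responder of each established connection against the learned set.
event connection_established(c: connection)
    {
    if ( c$id$resp_h in blacklisted_ips )
        NOTICE([$note=Blacklisted_Contact,
                $conn=c,
                $msg=fmt("%s contacted address %s resolved from a blacklisted name",
                         c$id$orig_h, c$id$resp_h),
                # Suppress repeats of the same originator/responder pair.
                $identifier=cat(c$id$orig_h, c$id$resp_h)]);
    }
```

To try it, `@load` the script from `local.bro` and run a pcap that contains both the DNS exchange and the follow-up connection through a single worker; then repeat in cluster mode to observe the timing difference the question reports.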