[Bro] Cluster state synchronization
anthony.kasza at gmail.com
Mon Oct 6 12:54:32 PDT 2014
I'm not sure about forcing synchronization. In reply to your question about
sleep, you may want to look at scriptland's suspend_processing() and
On Oct 6, 2014 11:06 AM, "Damian Gerow" <damian.gerow at shopify.com> wrote:
> I'm having some troubles wrapping my head around synchronization of set
> values in a cluster.
> We use a relatively simple bro script that correlates sets of
> whitelisted/blacklisted DNS names with new connections. To accomplish
> this, we have sets that are just the IP addresses returned by DNS lookups,
> which we then use to check against new connections.
> i.e. Host "foo.internal" looks up "blacklist.example.com", and receives
> response "10.0.0.1". Bro then adds IP address "10.0.0.1" to the set named
> "blacklisted_ips". "foo.internal" then proceeds to contact "10.0.0.1" on
> TCP/443. Bro looks up "10.0.0.1" in "blacklisted_ips" and, as there is a
> match, raises a notice.
> After migrating from a standalone to a single-node cluster configuration
> (manager, proxy, worker), it now appears as though the sets containing IP
> addresses are updated after the TCP connection is initialized. As a
> result, our notice log is now growing with entries that should never have
> been raised in the first place, and is missing entries that should have
> been raised.
> Does this theory make sense? Is there a way to speed up set
> additions/removals, or otherwise force synchronization whenever a
> modification is made, before processing any further traffic?
> Alternatively, does the Bro scripting language have any concept of a
> Bro mailing list
> bro at bro-ids.org
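The script Damian describes was not posted, so the following is an added example, not his code: a minimal Bro 2.x script that does the same correlation (A/AAAA answers for watched names populate a set of addresses, and every new connection is checked against that set). Event, record and attribute names are those of Bro 2.3; the module name Blacklist, the watched-name set Blacklist::domains and the notice type Blacklist::Connection are chosen here and are assumptions, as is the sample entry "blacklist.example.com" taken from the message. The &synchronized attribute is the Bro 2.x mechanism for propagating state between cluster nodes, and it propagates asynchronously, which is the caveat relevant to the question.

```bro
##! Added example for the Bro mailing list thread, not the original
##! poster's script. Event and attribute names are from Bro 2.3; the
##! module, set and notice names are assumptions made here.

@load base/frameworks/notice
@load base/protocols/dns

module Blacklist;

export {
	redef enum Notice::Type += {
		## A host connected to an address that was earlier returned in a
		## DNS answer for one of the watched names.
		Connection,
	};

	## DNS names whose resolved addresses are to be watched. Constructed
	## sample value; override with redef or fill it from a file via the
	## Input framework.
	const domains: set[string] = { "blacklist.example.com" } &redef;

	## Addresses seen in A/AAAA answers for names in `domains`.
	## &synchronized ships set changes to the other cluster nodes, but it
	## does so asynchronously: a worker may see the next connection before
	## an add made elsewhere (or its own add, round-tripped) is visible.
	## &create_expire keeps the set from growing without bound.
	global blacklisted_ips: set[addr] &synchronized &create_expire=1hr;
}

## Record IPv4 answers for watched names.
event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
	{
	if ( ans$query in domains )
		add blacklisted_ips[a];
	}

## Record IPv6 answers for watched names.
event dns_AAAA_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
	{
	if ( ans$query in domains )
		add blacklisted_ips[a];
	}

## Raise a notice when a new connection goes to a recorded address.
## On a cluster this check runs on the worker that sees the connection, so
## it only fires if the address has already been synchronized to that node.
event connection_established(c: connection)
	{
	if ( c$id$resp_h in blacklisted_ips )
		NOTICE([$note=Connection,
		        $conn=c,
		        $msg=fmt("%s connected to blacklisted address %s:%s",
		                 c$id$orig_h, c$id$resp_h, c$id$resp_p),
		        $identifier=cat(c$id$orig_h, c$id$resp_h)]);
	}
```

In standalone mode the DNS reply and the later connection are handled in order by the same process, so the set lookup in connection_established sees the add. In a cluster the lookup depends on when the synchronized add reaches the worker doing the check, which is the ordering problem the message describes; the script does nothing to force that ordering.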