[Bro] Cluster state synchronization

Seth Hall seth at icir.org
Wed Oct 8 07:19:52 PDT 2014

On Oct 8, 2014, at 9:25 AM, Damian Gerow <damian.gerow at shopify.com> wrote:

> On Tue, Oct 7, 2014 at 12:51 PM, Seth Hall <seth at icir.org> wrote:
> Is this a script that you wrote locally or are you using the Broala script? 
>         https://github.com/broala/bro-snippets/blob/master/intel-dns.bro
>         (this script works like it sounds like your does, but it uses data you have fed into the intel framework)
> It's a script that I inherited, originally written locally (I believe).  It is quite similar to the Broala script, but we're not using the intel framework.
> If you're curious about your script though, post is somewhere and someone can take a look. :)
> A shortened version of the script I'm using for testing is at https://gist.github.com/mutemule/a36f49b16db51eccd159.  If I move the 'add' commands into their own functions, and then prioritize the 'add_' over the 'is_' functions, would that be a reasonable way to ensure my sets are updated before being used for lookups?  I'm already planning to migrate some of our stuff over to Intel, but I'm not quite there yet.

Oh, nice.  I like the idea behind that script.  I think I understand the rationale behind it too.

I made some updates to your script (also attached to the email)...

I don't see any reason why this script wouldn't work (on single workers, it won't work well on a cluster).  You'll need to add your own list of authorized fqdns (probably in local.bro after you load this script), like this...

@load connection_validation
redef ConnectionValidation::authorized_fqdns += {

If you try it, let me know how it works for you!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: connection_validation.bro
Type: application/octet-stream
Size: 2294 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20141008/32538449/attachment.obj 
-------------- next part --------------


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

More information about the Bro mailing list