[Bro] peer_description in intel framework

Seth Hall seth at icir.org
Tue Sep 23 08:48:23 PDT 2014


On Sep 23, 2014, at 10:59 AM, Richmond, Ian (GE Corporate) <ian.richmond at ge.com> wrote:

> I’ve noticed in my scripting attempts that I can’t seem to identify the worker that matched an item from the intel framework.
> This works for instance when trying to get the peer_description into the conn log like this (after a redef):

Arg!  Total design oversight on my part!  

> event Intel::match(s: Intel::Seen, items: set[Intel::Item]) {
>     if (s?$conn)
>         s$worker_name = peer_description;
> }

This makes sense because the Intel::match event is actually generated on the manager in clusters right now.  It's even documented. :)

	https://www.bro.org/sphinx-git/scripts/base/frameworks/intel/main.bro.html#id-Intel::match

> Is there a way to script around this and deliver the peer_description to the intel notice? Am I doing something wrong?

It would be easy to add that into the intel framework.  I'll do a commit now that adds it (but it will only be in the master branch of our git repository for now).

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
