[Bro] missing p$descr in cluster configuration

Sławek Rozbicki slawek at rozbicki.eu
Mon Jul 4 02:26:28 PDT 2016


Hi,
I'm using Bro 2.4.1 in cluster mode with 10 workers spread across 2 worker
machines + proxy and manager node. Everything seems to work fine except the
intel framework (especially the criticalstack client intelligence feed). There
is an error in Reporter.log that might correspond to this issue:

Reporter::ERROR no such index (Cluster::nodes[Intel::p$descr])
/opt/bro/share/bro/base/frameworks/intel/./cluster.bro

that's because when 'event remote_connection_handshake_done(p: event_peer)'
is triggered, event_peer lacks most of its fields; in my case 'p' looks like
this:

[id=10012, host=10.151.0.20, p=45783/tcp, is_local=F, descr=, class=control]

and I have no clue what this peer is (maybe a CONTROL type?)

That error is triggered every time I execute 'broctl status'.

Intel framework is loaded:

# broctl scripts | grep intel
    /opt/bro/share/bro/base/frameworks/intel/__load__.bro
      /opt/bro/share/bro/base/frameworks/intel/main.bro
      /opt/bro/share/bro/base/frameworks/intel/cluster.bro
        /opt/bro/share/bro/base/frameworks/intel/input.bro
...

# broctl print Intel::read_files manager
     manager   Intel::read_files = {
/opt/critical-stack/frameworks/intel/master-public.bro.dat
}

# head /opt/critical-stack/frameworks/intel/master-public.bro.dat
#fields indicator indicator_type meta.source meta.do_notice
unionsystems.com Intel::DOMAIN from
http://mirror1.malwaredomains.com/files/domains.txt,phishing via
intel.criticalstack.com F
bmwclubavto.ru/p/p/Conflict/Resolution/www/PP-009-176-639-801/7mXF56vGr5onWk5syWMn2wU/ISCNjQqH5WKey51F/
Intel::URL from http://www.phishtank.com/phish_detail.php?phish_id=4112321
via intel.criticalstack.com F

and the feed format seems to be alright. Yet I have a second issue:

0.000000 Reporter::ERROR
/opt/critical-stack/frameworks/intel/master-public.bro.dat/Input::READER_ASCII:
could not read first line (empty)

which is also strange.

This results in no intel.log even though my query is logged in
dns.log, and the host value is present in the intel feed.

Is this a bro bug or my deployment misconfiguration? What would be the best
way to debug this issue?

-- 
BR
Sławomir Rozbicki
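A defensive handshake handler that checks the peer's descr before indexing Cluster::nodes, added here as an illustration of how to diagnose the "no such index" error; it is not code from the original post or from Bro's own intel/cluster.bro, and the Reporter::info/warning messages are my own choice.

```bro
##! Constructed example: guard the Cluster::nodes lookup so that a peer
##! without a descr (such as the class=control connection opened by
##! 'broctl status') does not raise a Reporter::ERROR.

@load base/frameworks/cluster
@load base/frameworks/reporter

event remote_connection_handshake_done(p: event_peer)
	{
	# The control peer arrives with descr="" and class="control";
	# indexing Cluster::nodes with "" is what produces "no such index".
	if ( p$descr == "" )
		{
		Reporter::info(fmt("peer %s:%s has no descr (class=%s); skipping",
		                   p$host, p$p, p?$class ? p$class : "<none>"));
		return;
		}

	# A named peer that is not in cluster-layout.bro is worth flagging
	# rather than silently failing the lookup.
	if ( p$descr !in Cluster::nodes )
		{
		Reporter::warning(fmt("peer %s is not a configured cluster node", p$descr));
		return;
		}

	if ( Cluster::nodes[p$descr]$node_type == Cluster::WORKER )
		Reporter::info(fmt("worker %s completed handshake", p$descr));
	}
```

Load it on the manager and compare its messages in reporter.log with the timing of 'broctl status' to confirm that the failing lookup is the control connection.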