[Bro] Bro cluster questions, round 2

Robin Sommer robin at icir.org
Fri Feb 4 17:05:59 PST 2011


On Fri, Feb 04, 2011 at 11:02 -0600, you wrote:

> it from the worker nodes.  I guess this is a more general question, can
> the manager programmatically respond to things seen by various workers
> that the workers themselves can't see as a whole?

Yes. As long as the individual pieces of information arrive at the
manager somehow, it can run arbitrary further Bro script code on them
for correlation. Here, it could do so with the possible_split_routing
weird events (which by default are actually not forwarded to the
manager, but that can be changed). More generally, one can use
arbitrary events to send any information back and forth between
workers and manager. 

> 2) It's probably too early to ask as we're just beginning to think about
> this, but is it possible to distribute a Time Machine setup across all the
> Bro workers?

Generally, yes. We haven't formalized that model yet, but I've been
wanting to do that for quite a while already. The basic setup is
pretty straight-forward, you just start one TM instance on every
worker. The interesting question is how to get packets out, and for
that, one could run a TM proxy process on the manager system which
receives queries for the TM (like from the command line client),
relays them to all the backend TMs, and then collects their replies
and forwards them to the original querier. Such a proxy should
actually be pretty simple to implement. And once broctl gets the
planned plugin API, it would be straight-forward to operate the "TM
cluster" from there.

Robin

-- 
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
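The manager-side TM proxy sketched above, as an added example that is not part of the original message or of the Bro/Time Machine projects: it assumes a hypothetical line protocol (one query line in, result lines out, terminated by a line "END"; the real Time Machine query protocol is not shown here), relays one query to every per-worker TM in parallel, merges the replies and returns them to the querier, and uses constructed in-process fake backends (one deliberately dead) so it runs offline.

```python
import asyncio
# Assumed line protocol (not the real Time Machine one): a client sends one
# query line; the server answers with result lines, then the line "END".
END = "END"

async def query_backend(host, port, query):
    # Send one query line and collect the reply lines until END (or EOF).
    reader, writer = await asyncio.open_connection(host, port)
    writer.write(f"{query}\n".encode())
    await writer.drain()
    lines = []
    while (line := (await reader.readline()).decode().rstrip("\n")) not in ("", END):
        lines.append(line)
    writer.close()
    return lines

async def fan_out(backends, query):
    # Proxy core: query every backend TM in parallel; a failed worker becomes a
    # tagged comment line in the merged reply instead of being silently dropped.
    results = await asyncio.gather(*(query_backend(h, p, query) for h, p in backends),
                                   return_exceptions=True)
    merged = []
    for (host, port), res in zip(backends, results):
        if isinstance(res, Exception):
            merged.append(f"# backend {host}:{port} failed: {res!r}")
        else:
            merged.extend(f"{host}:{port} {line}" for line in res)
    return merged

async def line_server(answer):
    # Serve the protocol on an ephemeral localhost port; answer(query) is a coroutine.
    async def handle(reader, writer):
        query = (await reader.readline()).decode().rstrip("\n")
        for line in await answer(query) + [END]:
            writer.write(f"{line}\n".encode())
        await writer.drain()
        writer.close()
    return await asyncio.start_server(handle, "127.0.0.1", 0)

def demo():
    # Constructed setup: three fake per-worker TMs (one dead) behind one proxy.
    async def fake_tm(answers):
        async def reply(q): return [f"{q} {a}" for a in answers]
        return await line_server(reply)
    async def run():
        tms = [await fake_tm(a) for a in (["pkt 1", "pkt 2"], ["pkt 3"], [])]
        backends = [s.sockets[0].getsockname()[:2] for s in tms]
        tms.pop().close()  # the third worker's TM is down: its port now refuses
        proxy = await line_server(lambda q: fan_out(backends, q))
        reply = await query_backend(*proxy.sockets[0].getsockname()[:2], "tag:foo")
        for s in tms + [proxy]: s.close()
        return backends, reply
    return asyncio.run(run())
```

The querier only ever talks to the proxy; which worker answered is visible from the host:port tag the proxy prefixes to each line.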
