[Bro] bro cluster notification options

[Robin Sommer]

On Fri, Feb 04, 2011 at 11:00 -0600, you wrote:

> directly, but there's also the issue of email alerts.  Is there an
> option to specify a different mail_dest for a given worker node?

The direct answer to that question is, no, there's not right now, but
it wouldn't be hard to add.

However, there's a more general question here how to support such
setups, as there are a number of things involved it seems. For
example, what about alarms that cross the "worker boundary", like
scans? Do you want them to go to the external entity? Perhaps only if
one of their IPs gets scanned (which would be tricky though).
Generally speaking, for all things not directly done on a single
worker, but either correlated across workers (like scans), or derived
on the manager (like notice policy), things could get a bit murky.

Depending on the specifics of what you're monitoring, I can see
another way of doing this: running the one worker independently of the
others (i.e., no shared proxy with the others), and adding a second
"slave manager". That guy would be receiving just stuff from this
special worker, and could be configured with its own mail_dest, notice
policy etc; it would also do its own logging, so you don't need to
enable that locally on the worker. At the same time, the "normal"
manager would just keep running as usual, being connected to that
worker as well, and handle all the configuration (as well as also
receive the logs).

Generalizign this furher, we're getting to something Seth has been
thinking about quite a bit already: a "deep cluster" where broctl sets
up a hierarchy of worker/proxies/managers for monitoring different
sub-parts of an organisation's network, all controlled for a central
location. 

Robin

-- 
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org