[Bro] Finding out which worker is seeing connections

Seth Hall seth at icir.org
Mon Nov 14 13:50:23 PST 2011


I got a question today about how to figure out which worker is seeing connections in a large cluster, so I whipped up some code quickly to help find out.  I'm including it here because I think it may help others too.

====begin=====
# Add an optional "peer" column to the conn.log record.  &log makes the
# field part of the written log line; &optional lets it stay unset for
# connections that never receive a value.
redef record Conn::Info += {
   peer: string &log &optional;
};

# Runs once per connection as it leaves the connection table, just before
# the conn.log entry is written.  peer_description is the name of the node
# this script is running on (a worker, in a cluster), so it identifies
# which worker analyzed the connection.
event connection_state_remove(c: connection)
   {
   if ( c?$conn )
       c$conn$peer = peer_description;
   }
====end=====

That will include a "peer" column in your conn.log that indicates which worker analyzed the connection.  You should probably include this code in a new file in your site/ directory and load the file in local.bro.  Since the file is in your site/ directory you won't need to add any directory prefixes and you can load the file directly.  If you place the file into <prefix>/share/bro/site/conn-peer-extension.bro you can load it in local.bro with "@load conn-peer-extension".

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
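Once the "peer" column is in conn.log, the question of which worker is seeing connections comes down to counting records per peer.  The following is an added example, not part of the original post or of Bro itself: a small POSIX shell/awk script that reads the Bro ASCII log header to find the "peer" column by name (so it does not matter where the field landed), tallies connections per worker, and lists the busiest worker first.  The worker names (worker-1, worker-2), the log path and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): count conn.log records per
# worker once the "peer" column is present.  Parses the Bro ASCII log
# header to locate the column by name rather than by position.

# Constructed sample conn.log with the extra "peer" column.  Worker names
# and records are made up; real logs are tab-separated, and so is this.
SAMPLE_LOG="${TMPDIR:-/tmp}/conn-peer-sample.log"
make_sample_log() {
    printf '#separator \\x09\n' > "$SAMPLE_LOG"
    printf '#set_separator\t,\n#empty_field\t(empty)\n#unset_field\t-\n' >> "$SAMPLE_LOG"
    printf '#path\tconn\n' >> "$SAMPLE_LOG"
    printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tpeer\n' >> "$SAMPLE_LOG"
    printf '#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\n' >> "$SAMPLE_LOG"
    printf '1321300000.100000\tC1\t10.0.0.1\t50000\t192.0.2.1\t80\ttcp\tworker-1\n' >> "$SAMPLE_LOG"
    printf '1321300001.200000\tC2\t10.0.0.2\t50001\t192.0.2.1\t443\ttcp\tworker-2\n' >> "$SAMPLE_LOG"
    printf '1321300002.300000\tC3\t10.0.0.3\t50002\t192.0.2.2\t53\tudp\tworker-1\n' >> "$SAMPLE_LOG"
    printf '1321300003.400000\tC4\t10.0.0.4\t50003\t192.0.2.3\t22\ttcp\tworker-1\n' >> "$SAMPLE_LOG"
    printf '1321300004.500000\tC5\t10.0.0.5\t50004\t192.0.2.4\t80\ttcp\tworker-2\n' >> "$SAMPLE_LOG"
    # One record with the peer field unset ("-"), as a node that did not
    # load the script would produce.
    printf '1321300005.600000\tC6\t10.0.0.6\t50005\t192.0.2.5\t80\ttcp\t-\n' >> "$SAMPLE_LOG"
    printf '#close\t2011-11-14-13-50-23\n' >> "$SAMPLE_LOG"
}

# count_by_peer FILE: prints "<count> <peer>" lines, busiest worker first.
# The column index comes from the "#fields" header line; all other "#"
# lines are metadata and are skipped.  Unset peers ("-") are counted under
# that literal so gaps in coverage remain visible.
count_by_peer() {
    awk -F '\t' '
        /^#fields/ { for (i = 2; i <= NF; i++) if ($i == "peer") col = i - 1; next }
        /^#/       { next }
        col        { counts[$col]++ }
        END        { for (p in counts) printf "%d %s\n", counts[p], p }
    ' "$1" | sort -rn
}

make_sample_log
count_by_peer "$SAMPLE_LOG"
```

On a live cluster, point count_by_peer at the current conn.log (or a rotated, decompressed copy) instead of the sample; a worker that never appears, or a large count under "-", is the thing to look into.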