[Bro] Worker Identification

Matt Clemons matt.clemons at gmail.com
Fri Nov 21 10:49:13 PST 2014


Works like a charm.  Thanks John.
-Matt

On Fri, Nov 21, 2014 at 11:33 AM, Donaldson, John <donaldson8 at llnl.gov>
wrote:

>  Matt,
>
> We use something like the below to add worker names to our connection logs
>
> # Add a logged field to conn.log; "unknown" appears if it is never set.
> redef record Conn::Info += {
>         peer_descr: string &default="unknown" &log;
> };
>
> # Fill the field just before the connection record is written.
> # peer_description is a built-in global that the cluster framework sets
> # to the node's name, so each worker stamps its own name into the log.
> event connection_state_remove(c: connection){
>         c$conn$peer_descr = peer_description;
> }
>
> John Donaldson
>
> *From:* bro-bounces at bro.org [mailto:bro-bounces at bro.org] *On Behalf Of *Matt
> Clemons
> *Sent:* Friday, November 21, 2014 9:06 AM
> *To:* bro at bro.org
> *Subject:* [Bro] Worker Identification
>
>
>
> Lo All,
>
> Is there a way to extend Bro to add a "worker" field in the files.log?
> I'd like to know where the packets are being processed.
>
> I'm doing file carving and the carved files are stored locally to each
> respective worker.  Finding the interface the files crossed is pretty
> difficult in a large network.
>
>
> Also, it would be nice to extend other logs to see what traffic is
> crossing what workers in order to map the network.
>
>
> Maybe this is already possible, but I couldn't find much, and I'm pretty
> new at brogramming.
>
> --
>
> Regards,
>
> Matt Clemons
>



-- 
Regards,

Matt Clemons
(816) 200-0789
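The same pattern, applied to files.log as Matt originally asked; this is an added example, not code from the thread, and the field name `worker` is my own choice:

```bro
# Added example, not code from the thread. Extends files.log with the name
# of the cluster node that processed the file, mirroring John's conn.log
# approach. "worker" is an assumed field name; peer_description is a
# built-in global that the cluster framework sets to the node's name.
redef record Files::Info += {
	## Cluster node (worker) that processed this file.
	worker: string &default="unknown" &log;
};

# The files framework writes files.log from its own file_state_remove
# handler at priority -10, so this default-priority handler runs first
# and the field is populated before the record is logged.
event file_state_remove(f: fa_file)
	{
	# f$info is &optional, so guard before dereferencing it.
	if ( f?$info )
		f$info$worker = peer_description;
	}
```

Because carved files are stored locally on each worker, the worker column in files.log tells you which host holds the extracted file.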