[Bro] Cluster state synchronization

Damian Gerow damian.gerow at shopify.com
Mon Oct 6 10:58:32 PDT 2014


I'm having some troubles wrapping my head around synchronization of set
values in a cluster.

We use a relatively simple bro script that correlates sets of
whitelisted/blacklisted DNS names with new connections.  To accomplish
this, we have sets that are just the IP addresses returned by DNS lookups,
which we then use to check against new connections.

i.e. Host "foo.internal" looks up "blacklist.example.com", and receives
response "10.0.0.1".  Bro then adds IP address "10.0.0.1" to the set named
"blacklisted_ips".  "foo.internal" then proceeds to contact "10.0.0.1" on
TCP/443.  Bro looks up "10.0.0.1" in "blacklisted_ips" and, as there is a
match, raises a notice.

After migrating from a standalone to a single-node cluster configuration
(manager, proxy, worker), it now appears as though the sets containing IP
addresses are updated after the TCP connection is initialized.  As a
result, our notice log is now growing with entries that should never have
been raised in the first place, and is missing entries that should have
been raised.

Does this theory make sense?  Is there a way to speed up set
additions/removals, or otherwise force synchronization whenever a
modification is made, before processing any further traffic?
Alternatively, does the Bro scripting language have any concept of a
'sleep'?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20141006/ce192263/attachment.html 


More information about the Bro mailing list