[Bro] peer_description in intel framework
Richmond, Ian (GE Corporate)
ian.richmond at ge.com
Tue Sep 23 07:59:48 PDT 2014
Morning Bro List,
I’ve noticed in my scripting attempts that I can’t seem to identify the worker that matched an item from the intel framework.
This works, for instance, when trying to get the peer_description into the conn log like this (after a redef):
event connection_state_remove(c: connection)
	{
	# c$conn is &optional, so check it exists before writing the added field
	if ( c?$conn )
		c$conn$worker_name = peer_description;
	}
But if the same thing is tried with the Intel framework:
event Intel::match(s: Intel::Seen, items: set[Intel::Item])
	{
	# Same idea on the Seen record (worker_name added via redef)
	if ( s?$conn )
		s$worker_name = peer_description;
	}
The worker_name remains “manager”.
Are intel framework hits processed from worker to manager in a way that loses the peer_description tied to the intel hit?
Is there a way to script around this and deliver the peer_description to the intel notice? Am I doing something wrong?
Thanks.
Ian Richmond