[Bro] peer_description in intel framework

Richmond, Ian (GE Corporate) ian.richmond at ge.com
Tue Sep 23 07:59:48 PDT 2014


Morning Bro List,
I’ve noticed in my scripting attempts that I can’t seem to identify the worker that matched an item from the intel framework.
This works for instance when trying to get the peer_description into the conn log like this (after a redef):

# The redef referred to above: add the field that will carry the node name.
redef record Conn::Info += {
    worker_name: string &optional &log;
};

event connection_state_remove(c: connection) {
    # Tag the conn.log entry with the name of the node handling this connection.
    if ( c?$conn )
        c$conn$worker_name = peer_description;
}


But if the same thing is tried with the Intel framework:

# The same field, added to the Seen record that Intel::match() receives
# (Intel::Info logs the Seen record, so &log fields end up in intel.log).
redef record Intel::Seen += {
    worker_name: string &optional &log;
};

event Intel::match(s: Intel::Seen, items: set[Intel::Item]) {
    if ( s?$conn )
        s$worker_name = peer_description;
}

The worker_name remains “manager”.

Are intel framework hits processed from worker to manager in a way that loses the peer_description tied to the intel hit?
Is there a way to script around this and deliver the peer_description to the intel notice? Am I doing something wrong?

Thanks.

Ian Richmond