[Bro] missing p$descr in cluster configuration

Sławek Rozbicki slawek at rozbicki.eu
Mon Jul 4 04:16:07 PDT 2016


SOLVED - it turned out Intel::match events were not generated on workers
because no 'policy/frameworks/intel/seen' script was loaded. Still lack of
Intel::p$descr in remote_connection_handshake_done event is a mystery to me
(possibly a bro bug).

2016-07-04 11:26 GMT+02:00 Sławek Rozbicki <slawek at rozbicki.eu>:

> Hi,
> I'm using Bro 2.4.1 in cluster mode with 10 workers spread around 2 worker
> machines + proxy and manager node. Everything seems to work fine except
> intel framework (especially criticalstack client intelligence feed). There
> is error in Reporter.log that might correspond this issue:
>
> Reporter::ERROR no such index (Cluster::nodes[Intel::p$descr])
> /opt/bro/share/bro/base/frameworks/intel/./cluster.bro
>
> thats because when 'event remote_connection_handshake_done(p: event_peer)'
> is triggered, event_peer lacks most of fields, in my case 'p' looks like
> this:
>
> [id=10012, host=10.151.0.20, p=45783/tcp, is_local=F, descr=,
> class=control]
>
> and I have no clue what is this peer (maybe a CONTROL type?)
>
> That error is triggered every time I execute 'broctl status'.
>
> Intel framework is loaded:
>
> # broctl scripts | grep intel
>     /opt/bro/share/bro/base/frameworks/intel/__load__.bro
>       /opt/bro/share/bro/base/frameworks/intel/main.bro
>       /opt/bro/share/bro/base/frameworks/intel/cluster.bro
>         /opt/bro/share/bro/base/frameworks/intel/input.bro
> ...
>
> # broctl print Intel::read_files manager
>      manager   Intel::read_files = {
> /opt/critical-stack/frameworks/intel/master-public.bro.dat
> }
>
> # head /opt/critical-stack/frameworks/intel/master-public.bro.dat
> #fields indicator indicator_type meta.source meta.do_notice
> unionsystems.com Intel::DOMAIN from
> http://mirror1.malwaredomains.com/files/domains.txt,phishing via
> intel.criticalstack.com F
>
> bmwclubavto.ru/p/p/Conflict/Resolution/www/PP-009-176-639-801/7mXF56vGr5onWk5syWMn2wU/ISCNjQqH5WKey51F/
> Intel::URL from http://www.phishtank.com/phish_detail.php?phish_id=4112321
> via intel.criticalstack.com F
>
> and feed format seems to be alright. Yet I have the second issue:
>
> 0.000000 Reporter::ERROR /opt/critical-stack/frameworks/intel/master-public.bro.dat/Input::READER_ASCII:
> could not read first line (empty)
>
> which is also strange.
>
> This results in no intel.log even though there is my query logged in
> dns.log, and host value present in intel feed.
>
> Is this bro bug or my deployment misconfiguration? What would be the best
> way to debug this issue?
>
> --
> BR
> Sławomir Rozbicki
>



-- 
Pozdrawiam
Sławomir Rozbicki
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160704/f63ea684/attachment.html 


More information about the Bro mailing list