[Bro] Intelligence framework not work in bro cluster
李金苗
beikejinmiao at gmail.com
Wed Jun 1 19:16:21 PDT 2016
I want to use the intelligence framework to detect malicious IPs and domains.
Here is the Bro script:
```
@load frameworks/intel/seen
@load frameworks/intel/do_notice

export {
    redef Intel::read_files += {
        fmt("%s/../data/block_list_domain.intel", @DIR),
        fmt("%s/../data/block_list_ip.intel", @DIR),
    };
}
```
And here is the intelligence data, `block_list_ip.intel`:
```
#fields	indicator	indicator_type	meta.source
113.23.72.15	Intel::ADDR	testip
189.174.159.120	Intel::ADDR	testip
27.159.231.181	Intel::ADDR	testip
119.254.102.90	Intel::ADDR	testip
```
and `block_list_domain.intel`:
```
#fields	indicator	indicator_type	meta.source
nudmmflaurbthpw.www.w88top.com	Intel::DOMAIN	testdomain
a.ns.igcdn.com	Intel::DOMAIN	testdomain
bttracker.crunchbanglinux.org	Intel::DOMAIN	testdomain
mail.yinpiao.com	Intel::DOMAIN	testdomain
```
And I set `do_notice` to `T` in `do_notice.bro`.
It works fine in standalone mode.
But there is no data in notice.log or intel.log if I use a Bro cluster.
And here is my node.cfg:
```
[manager]
type=manager
host=localhost

[proxy]
type=proxy
host=localhost

[worker]
type=worker
host=localhost
interface=em4
lb_method=pf_ring
lb_procs=8
pin_cpus=0,2,4,6,8,10,12,14
```
As you can see, the manager, the proxy and the workers are all on one computer.
I have read the document <https://www.bro.org/sphinx/frameworks/intel.html> about the intelligence framework, and the document said: "*Remember, the files only need to be present on the file system of the manager node on cluster deployments*."
So I modified my Bro script as follows:
```
@load frameworks/intel/seen
@load frameworks/intel/do_notice

export {
    @if ( Cluster::is_enabled() && Cluster::local_node_type() == Cluster::MANAGER )
    redef Intel::read_files += {
        fmt("%s/../data/block_list_domain.intel", @DIR),
        fmt("%s/../data/block_list_ip.intel", @DIR),
    };
    @endif
}
```
But it also does not work, and there is no notice.log or intel.log.
Could anyone help me? Thanks very much.
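A point worth checking whenever the Intel framework silently loads nothing: the input framework reads `.intel` files as tab-separated columns under a `#fields` header, and a row whose columns are separated by spaces, or whose `indicator_type` is not an `Intel::Type` value, is dropped without any entry in intel.log. The validator below is an added example, not part of the post or of Bro itself; the sample rows are constructed from the files quoted above, and the set of indicator types is the one from the Bro 2.x Intel framework.

```python
import ipaddress

# Indicator types defined by the Bro Intel framework (enum Intel::Type).
INTEL_TYPES = {
    "Intel::ADDR", "Intel::SUBNET", "Intel::URL", "Intel::SOFTWARE",
    "Intel::EMAIL", "Intel::DOMAIN", "Intel::USER_NAME", "Intel::FILE_HASH",
    "Intel::FILE_NAME", "Intel::CERT_HASH", "Intel::PUBKEY_HASH",
}
REQUIRED_FIELDS = ("indicator", "indicator_type", "meta.source")

def check_intel_file(text):
    """Validate intel file contents; return (records, errors).

    records: one dict per accepted row, keyed by the #fields column names.
    errors:  "line N: problem" strings; empty means every row should load.
    """
    records, errors, fields = [], [], None
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]          # header is tab-separated too
            missing = [f for f in REQUIRED_FIELDS if f not in fields]
            if missing:
                errors.append("line %d: #fields lacks %s" % (n, ", ".join(missing)))
            continue
        if line.startswith("#"):
            continue                               # other directives / comments
        if fields is None:
            errors.append("line %d: data row before #fields header" % n)
            continue
        cols = line.split("\t")
        if len(cols) != len(fields):
            hint = " (separated by spaces, not tabs?)" if "\t" not in line else ""
            errors.append("line %d: expected %d tab-separated columns, got %d%s"
                          % (n, len(fields), len(cols), hint))
            continue
        rec = dict(zip(fields, cols))
        itype = rec["indicator_type"]
        if itype not in INTEL_TYPES:
            errors.append("line %d: unknown indicator_type %r" % (n, itype))
            continue
        try:                                       # syntax check for IP-based types
            if itype == "Intel::ADDR":
                ipaddress.ip_address(rec["indicator"])
            elif itype == "Intel::SUBNET":
                ipaddress.ip_network(rec["indicator"], strict=False)
        except ValueError:
            errors.append("line %d: %r is not a valid %s" % (n, rec["indicator"], itype))
            continue
        records.append(rec)
    return records, errors

# Constructed samples: the same rows written with tabs and with spaces.
SAMPLE_TABS = ("#fields\tindicator\tindicator_type\tmeta.source\n"
               "113.23.72.15\tIntel::ADDR\ttestip\n"
               "a.ns.igcdn.com\tIntel::DOMAIN\ttestdomain\n")
SAMPLE_SPACES = ("#fields indicator indicator_type meta.source\n"
                 "113.23.72.15 Intel::ADDR testip\n")
```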