[Bro] Intelligence framework does not work in Bro cluster

李金苗 beikejinmiao at gmail.com
Wed Jun 1 19:16:21 PDT 2016


I want to use the intelligence framework to detect malicious IPs and
domains.
Here is the Bro script:
```
@load frameworks/intel/seen
@load frameworks/intel/do_notice
export {
    redef Intel::read_files += {
        fmt("%s/../data/block_list_domain.intel", @DIR),
        fmt("%s/../data/block_list_ip.intel", @DIR),
    };
}
```
And here is some intelligence data:
```
#fields indicator   indicator_type  meta.source
113.23.72.15    Intel::ADDR testip
189.174.159.120 Intel::ADDR testip
27.159.231.181  Intel::ADDR testip
119.254.102.90  Intel::ADDR testip
```

```
#fields indicator   indicator_type  meta.source
nudmmflaurbthpw.www.w88top.com  Intel::DOMAIN   testdomain
a.ns.igcdn.com  Intel::DOMAIN   testdomain
bttracker.crunchbanglinux.org   Intel::DOMAIN   testdomain
mail.yinpiao.com    Intel::DOMAIN   testdomain
```

And I set `do_notice` to `T` in `do_notice.bro`.
It works fine in standalone mode.
But there is no data in notice.log or intel.log when I use the Bro
cluster.
Here is my node.cfg:
```
[manager]
type=manager
host=localhost

[proxy]
type=proxy
host=localhost

[worker]
type=worker
host=localhost
interface=em4
lb_method=pf_ring
lb_procs=8
pin_cpus=0,2,4,6,8,10,12,14
```

As you can see, the manager, the proxy and the workers are all on one
computer.
I have read the document
<https://www.bro.org/sphinx/frameworks/intel.html> about the
intelligence framework, and it says: "*Remember, the files only
need to be present on the file system of the manager node on cluster
deployments*."
So I modified my Bro script as follows:
```
@load frameworks/intel/seen
@load frameworks/intel/do_notice
export {

@if ( Cluster::is_enabled() && Cluster::local_node_type() ==
Cluster::MANAGER )
    redef Intel::read_files += {
        fmt("%s/../data/block_list_domain.intel", @DIR),
        fmt("%s/../data/block_list_ip.intel", @DIR),
    };
@endif

}
```

But it still does not work, and there is no notice.log or intel.log.

Could anyone help me? Thanks very much.
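An added check, not part of the original post, for the file format the Intel framework's input reader expects (a `#fields` header and tab-separated columns, which mail or copy-paste often turns into spaces): it validates each line's indicator against its indicator_type. The two sample files are constructed to mirror the ones above.

```python
import ipaddress
import re

# Constructed sample: tab-separated, as the Bro input framework requires.
SAMPLE_OK = (
    "#fields\tindicator\tindicator_type\tmeta.source\n"
    "113.23.72.15\tIntel::ADDR\ttestip\n"
    "a.ns.igcdn.com\tIntel::DOMAIN\ttestdomain\n"
)

# Constructed sample: same data, but space-separated (silently unusable by Bro).
SAMPLE_SPACES = (
    "#fields indicator   indicator_type  meta.source\n"
    "113.23.72.15    Intel::ADDR testip\n"
)

# Simple hostname syntax: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z0-9-]{1,63}$", re.I)


def check_intel_file(text):
    """Return a list of problems found in one intel file; an empty list means OK."""
    problems = []
    lines = text.splitlines()
    if not lines or not lines[0].startswith("#fields\t"):
        problems.append("line 1: missing tab-separated '#fields' header")
        return problems
    header = lines[0].split("\t")[1:]
    if header[:3] != ["indicator", "indicator_type", "meta.source"]:
        problems.append("line 1: header must start with indicator, indicator_type, meta.source")
    for n, line in enumerate(lines[1:], start=2):
        if not line or line.startswith("#"):
            continue  # blank lines and comments are ignored by the reader
        fields = line.split("\t")
        if len(fields) != len(header):
            problems.append(f"line {n}: expected {len(header)} tab-separated fields, got {len(fields)}")
            continue
        indicator, itype = fields[0], fields[1]
        if itype == "Intel::ADDR":
            try:
                ipaddress.ip_address(indicator)
            except ValueError:
                problems.append(f"line {n}: {indicator!r} is not an IP address")
        elif itype == "Intel::DOMAIN" and not HOSTNAME_RE.match(indicator):
            problems.append(f"line {n}: {indicator!r} is not a valid domain name")
        # other indicator types (Intel::URL, Intel::FILE_HASH, ...) are accepted unchecked
    return problems
```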