[Bro] Intelligence framework not work in bro cluster

Azoff, Justin S jazoff at illinois.edu
Thu Jun 2 06:26:51 PDT 2016


> On Jun 1, 2016, at 10:16 PM, 李金苗 <beikejinmiao at gmail.com> wrote:
> 
> I want to use the intelligence framework to detect malicious IPs and domains.
> Here is the bro script:
> ```
> @load frameworks/intel/seen
> @load frameworks/intel/do_notice
> export {
>     redef Intel::read_files += {
>         fmt("%s/../data/block_list_domain.intel", @DIR),
>         fmt("%s/../data/block_list_ip.intel", @DIR),
>     };
> }
> ```
> And here is some intelligence data:
> ```
> #fields indicator   indicator_type  meta.source
> 113.23.72.15    Intel::ADDR testip
> 189.174.159.120 Intel::ADDR testip
> 27.159.231.181  Intel::ADDR testip
> 119.254.102.90  Intel::ADDR testip
> ```
> 
> ```
> #fields indicator   indicator_type  meta.source
> nudmmflaurbthpw.www.w88top.com  Intel::DOMAIN   testdomain
> a.ns.igcdn.com  Intel::DOMAIN   testdomain
> bttracker.crunchbanglinux.org   Intel::DOMAIN   testdomain
> mail.yinpiao.com    Intel::DOMAIN   testdomain
> ```
> 
> And I set `do_notice` to `T` in `do_notice.bro`.
> It works fine in standalone mode.

Great, that all looks good... though you shouldn't modify do_notice.bro directly.

> But there is no data in notice.log or intel.log when I use the bro cluster.
> And here is my node.cfg:
> ```
> [manager]
> type=manager
> host=localhost
> 
> [proxy]
> type=proxy
> host=localhost
> 
> [worker]
> type=worker
> host=localhost
> interface=em4
> lb_method=pf_ring
> lb_procs=8
> pin_cpus=0,2,4,6,8,10,12,14
> ```

Unrelated to your problem, but you may want to double-check those cpu ids.  On most systems the 'real' cores are the first ones, followed by the hyperthreading ones, so

pin_cpus=0,1,2,3,4,5,6,7

is the optimal setting.

> As you can see, the manager, the proxy and the workers are all on one computer.
> I have read the documentation about the intelligence framework, and it says: "Remember, the files only need to be present on the file system of the manager node on cluster deployments."
> So I modified my bro script as follows:
> ```
> @load frameworks/intel/seen
> @load frameworks/intel/do_notice
> export {
> 
> @if ( Cluster::is_enabled() && Cluster::local_node_type() == Cluster::MANAGER )
>     redef Intel::read_files += {
>         fmt("%s/../data/block_list_domain.intel", @DIR),
>         fmt("%s/../data/block_list_ip.intel", @DIR),
>     };
> @endif
> 
> }
> ```

This isn't required, what you had should have worked in cluster mode too.

> But it still does not work, and there is no notice.log or intel.log.
> 
> Could anyone help me? Thanks very much.
> 

Ok, the first thing to do would be to see if cluster mode was working at all.  In cluster mode, did you have a conn.log and a dns.log?  If you have no logs when running in cluster mode then you have a more general problem.

If everything is working the way it should be, check the loaded_scripts.log to ensure that your custom script is being loaded (it probably is, since things were working in standalone mode).

Then, check stderr.log and reporter.log - especially a minute or so after startup.  If there are any problems with your intel configuration, errors will be logged there.

-- 
- Justin Azoff
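As an added example (not from this thread or from the Bro project), a small Python validator for the files handed to `Intel::read_files`: it assumes the input framework's default tab-separated layout, a `#fields` header naming `indicator`, `indicator_type` and `meta.source`, and the `Intel::Type` names of Bro 2.4, and reports the kinds of format problems that would otherwise only surface in reporter.log or stderr.log on the manager.

```python
"""Sanity-check a Bro Intel framework input file before loading it via Intel::read_files.

Bro's input framework reads intel files as tab-separated values: a '#fields' header
line naming the columns, then one indicator per line.  A file whose columns are
separated by spaces, or that has no header, loads no indicators at all.
"""
import ipaddress

# Assumed: the indicator types of the Intel::Type enum in Bro 2.4; extend for newer versions.
INTEL_TYPES = {
    "Intel::ADDR", "Intel::URL", "Intel::SOFTWARE", "Intel::EMAIL", "Intel::DOMAIN",
    "Intel::USER_NAME", "Intel::CERT_HASH", "Intel::PUBKEY_HASH", "Intel::FILE_HASH",
    "Intel::FILE_NAME",
}
# Columns the framework needs for every indicator (meta.source is mandatory metadata).
REQUIRED_FIELDS = ("indicator", "indicator_type", "meta.source")


def check_intel_file(text):
    """Return a list of problems found in the file contents (an empty list means OK)."""
    problems = []
    fields = None
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]  # header and names must be TAB-separated
            missing = [f for f in REQUIRED_FIELDS if f not in fields]
            if missing:
                problems.append("line %d: #fields header lacks %s (are the columns tab-separated?)"
                                % (lineno, missing))
                return problems
            continue
        if line.startswith("#"):
            continue  # other directives such as #separator are left to Bro itself
        if fields is None:
            problems.append("line %d: data before any #fields header" % lineno)
            return problems
        cols = line.split("\t")
        if len(cols) != len(fields):
            problems.append("line %d: expected %d tab-separated columns, got %d"
                            % (lineno, len(fields), len(cols)))
            continue
        row = dict(zip(fields, cols))
        itype = row["indicator_type"]
        if itype not in INTEL_TYPES:
            problems.append("line %d: unknown indicator_type %r" % (lineno, itype))
        elif itype == "Intel::ADDR":
            try:
                ipaddress.ip_address(row["indicator"])
            except ValueError:
                problems.append("line %d: %r is not an IP address" % (lineno, row["indicator"]))
    if fields is None:
        problems.append("no #fields header found")
    return problems
```

Run it over each file listed in `Intel::read_files` on the manager; a non-empty result is worth fixing before looking further at the cluster itself.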
