[Zeek] Broker issue when in clustered mode

Andrew Klaus andrew at aklaus.ca
Fri Jun 12 10:31:07 PDT 2020


Hello,

I have a Zeek script that publishes a couple of different topics using
the Zeek Broker. I've tested this on Zeek 3.1.3. I followed the Python
bindings guide here:
https://docs.zeek.org/projects/broker/en/current/python.html and it
works so long as Zeek isn't in clustered mode. This is my zeek_init():

event zeek_init()
{
        if (SNIFFPASS::broker_enable)
        {
            # Broker::listen takes a port value (9999/tcp), not a string.
            Broker::listen("127.0.0.1", 9999/tcp);
            # Both events are published on the same topic.
            Broker::auto_publish("/sniffpass/credentials_seen", SNIFFPASS::credentials_seen);
            Broker::auto_publish("/sniffpass/credentials_seen", SNIFFPASS::credentials_seen_detailed);
        }
}


When I try running this in cluster mode on the same machine, it fails.
This is because the manager and workers attempt to listen on the same
IP and Port:

error in main.bro, line 160: Failed to listen on 127.0.0.1:9999
(Broker::listen(SNIFFPASS::broker_host, SNIFFPASS::broker_port,
Broker::default_listen_retry))
fatal error: errors occurred while initializing

I tried moving the Broker::listen to the manager only like this:

event zeek_init()
{
    if ( Cluster::is_enabled() && Cluster::local_node_type() == Cluster::MANAGER ) {
        Broker::listen(SNIFFPASS::broker_host, SNIFFPASS::broker_port);
    }

    Broker::auto_publish("/sniffpass/credentials_seen", SNIFFPASS::credentials_seen);
    Broker::auto_publish("/sniffpass/credentials_seen", SNIFFPASS::credentials_seen_detailed);
}

This now allows Zeek to successfully start in clustered mode and
my Zeek script runs. My Python script connects to the manager on
localhost:9999 successfully, but doesn't receive any events from the
manager. This is the Python script I'm using for testing:

#!/usr/bin/env python3

import broker
import sys

# Set up the endpoint, subscribe to the topic, and connect to Zeek.
ep = broker.Endpoint()
sub = ep.make_subscriber("/sniffpass/credentials_seen")
ss = ep.make_status_subscriber(True)
ep.peer("127.0.0.1", 9999)

# Wait until the connection is established.
st = ss.get()

if not (type(st) == broker.Status and st.code() == broker.SC.PeerAdded):
    print("could not connect")
    sys.exit(1)  # non-zero exit status on failure

print("Connected!")

# Block on the subscriber and print every event received on the topic.
while True:
    (t, d) = sub.get()
    event = broker.zeek.Event(d)
    print("received {}{}".format(event.name(), event.args()))

I would assume it has to do with the Manager not relaying the messages
from the broker, but I can't quite figure out how to get this working.

My full Zeek script is up here:
https://github.com/cybera/zeek-sniffpass/blob/master/scripts/main.bro

Any insight into how to do this properly would be greatly appreciated.

Thanks in advance!
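
Added example (not part of the original post or of the zeek-sniffpass project): one way to get worker-raised events to an external Broker peer in cluster mode is to have workers publish to the manager and have the manager republish on the external topic. `EXAMPLE::cred_seen` and its `user` argument are hypothetical stand-ins, since the post does not show the SNIFFPASS event signatures; the topic, address and port are the ones used above.

```zeek
module EXAMPLE;

export {
	# Topic the external Python subscriber uses (taken from the post).
	const external_topic = "/sniffpass/credentials_seen" &redef;

	# Hypothetical event, raised on whichever node analyzes the traffic.
	global cred_seen: event(user: string);
}

event zeek_init()
	{
	if ( ! Cluster::is_enabled() )
		{
		# Standalone: one process raises the event and serves the peer.
		Broker::listen("127.0.0.1", 9999/tcp);
		Broker::auto_publish(external_topic, EXAMPLE::cred_seen);
		}
	else if ( Cluster::local_node_type() == Cluster::MANAGER )
		# Only the manager binds the external port, so workers on the
		# same host do not collide on 127.0.0.1:9999.
		Broker::listen("127.0.0.1", 9999/tcp);
	else if ( Cluster::local_node_type() == Cluster::WORKER )
		# Workers hand each locally raised event to the manager.
		Broker::auto_publish(Cluster::manager_topic, EXAMPLE::cred_seen);
	}

@if ( Cluster::is_enabled() && Cluster::local_node_type() == Cluster::MANAGER )
# Runs on the manager when a worker's copy of the event arrives.
# auto_publish applies to locally dispatched events, so the manager
# republishes explicitly on the topic the external peer subscribed to.
event EXAMPLE::cred_seen(user: string)
	{
	Broker::publish(external_topic, EXAMPLE::cred_seen, user);
	}
@endif
```

The listener stays bound to loopback, so only processes on the manager host can peer with it.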

