[Zeek] Broker issue when in clustered mode
Andrew Klaus
andrew at aklaus.ca
Fri Jun 12 10:31:07 PDT 2020
Hello,
I have a Zeek script that publishes a couple of different topics using
the Zeek Broker. I've tested this on Zeek 3.1.3. I followed the Python
bindings guide here:
https://docs.zeek.org/projects/broker/en/current/python.html and it
works so long as Zeek isn't in clustered mode. This is my zeek_init():
event zeek_init()
{
    if (SNIFFPASS::broker_enable)
    {
        Broker::listen("127.0.0.1", "9999");
        Broker::auto_publish("/sniffpass/credentials_seen",
                             SNIFFPASS::credentials_seen);
        Broker::auto_publish("/sniffpass/credentials_seen",
                             SNIFFPASS::credentials_seen_detailed);
    }
}
When I try running this in cluster mode on the same machine, it fails.
This is because the manager and workers attempt to listen on the same
IP and Port:
error in main.bro, line 160: Failed to listen on 127.0.0.1:9999
(Broker::listen(SNIFFPASS::broker_host, SNIFFPASS::broker_port,
Broker::default_listen_retry))
fatal error: errors occurred while initializing
I tried moving the Broker::listen to the manager only like this:
event zeek_init()
{
    if ( Cluster::is_enabled() && Cluster::local_node_type() ==
         Cluster::MANAGER ) {
        Broker::listen(SNIFFPASS::broker_host, SNIFFPASS::broker_port);
    }
    Broker::auto_publish("/sniffpass/credentials_seen",
                         SNIFFPASS::credentials_seen);
    Broker::auto_publish("/sniffpass/credentials_seen",
                         SNIFFPASS::credentials_seen_detailed);
}
This now allows Zeek to successfully start in clustered mode and
my Zeek script runs. My Python script connects to the manager on
localhost:9999 successfully, but doesn't receive any events from the
manager. This is the Python script I'm using for testing:
#!/usr/bin/env python3
import broker
import sys

# Setup endpoint and connect to Zeek.
ep = broker.Endpoint()
sub = ep.make_subscriber("/sniffpass/credentials_seen")
ss = ep.make_status_subscriber(True)
ep.peer("127.0.0.1", 9999)

# Wait until connection is established.
st = ss.get()
if not (type(st) == broker.Status and st.code() == broker.SC.PeerAdded):
    print("could not connect")
    sys.exit(1)

print("Connected!")
while True:
    # Block until the next message arrives on the subscribed topic.
    (t, d) = sub.get()
    event = broker.zeek.Event(d)
    print("received {}{}".format(event.name(), event.args()))
I would assume it has to do with the Manager not relaying the messages
from the broker, but I can't quite figure out how to get this working.
My full Zeek script is up here:
https://github.com/cybera/zeek-sniffpass/blob/master/scripts/main.bro
Any insight into how to do this properly would be greatly appreciated.
Thanks in advance!
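The cluster-aware variant of the zeek_init() above, as an added illustration that is not the poster's code: only the manager listens, and it relays the /sniffpass/ topic prefix received from the workers to the external Python peer. It assumes SNIFFPASS::broker_host, SNIFFPASS::broker_port and the two events exist as in the post, and that Broker::forward() and Broker::forward_messages behave as documented in the Zeek Broker framework (forwarding matching messages to subscribing peers without raising handlers on the manager).

```zeek
# Added example (not from the original post). Assumptions: the SNIFFPASS
# events and broker_host/broker_port are defined in main.bro as the post
# shows; Broker::forward()/Broker::forward_messages relay as documented.
@load base/frameworks/cluster
@load base/frameworks/broker

module SNIFFPASS;

export {
    # Topic the external Python subscriber listens on.
    const external_topic = "/sniffpass/credentials_seen" &redef;
}

# Let the manager relay messages between peers (off by default).
redef Broker::forward_messages = T;

event zeek_init() &priority=5
{
    if ( ! Cluster::is_enabled() )
    {
        # Standalone: same behaviour as the post's first version.
        Broker::listen(broker_host, broker_port);
        Broker::auto_publish(external_topic, credentials_seen);
        Broker::auto_publish(external_topic, credentials_seen_detailed);
        return;
    }

    if ( Cluster::local_node_type() == Cluster::MANAGER )
    {
        # Only one node owns the socket, so workers never collide on
        # the same IP:port in a single-host cluster.
        Broker::listen(broker_host, broker_port);
        # Forward /sniffpass/* from workers to external subscribers
        # instead of raising those events on the manager itself.
        Broker::forward("/sniffpass/");
    }
    else
    {
        # Workers see the traffic and generate the events; they publish
        # toward the manager, which relays to the Python peer.
        Broker::auto_publish(external_topic, credentials_seen);
        Broker::auto_publish(external_topic, credentials_seen_detailed);
    }
}
```

The Python subscriber from the post needs no change: it still peers with the manager and subscribes to the same topic.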