
List:       bro
Subject:    [Bro] Finding out which worker is seeing connections
From:       Seth Hall <seth () icir ! org>
Date:       2011-11-14 21:50:23
Message-ID: 4DDA412D-162B-449F-AB40-82B438CDB216 () icir ! org

I got a question today about how to figure out which worker is seeing connections in a large cluster so I whipped up some code quickly to help find out.  I'm including it here because I think it may help others too.

====begin=====
# Add an optional "peer" column to the Conn::Info record that backs conn.log.
redef record Conn::Info += {
   peer: string &log &optional;
};

# Fill in the column when the connection is torn down.  c$conn is only
# present once the conn.log record for this connection has been created,
# so check for it before writing.  peer_description names the Bro
# instance (in a cluster, the worker) that analyzed the connection.
event connection_state_remove(c: connection)
   {
   if ( c?$conn )
       c$conn$peer = peer_description;
   }
====end=====

That will include a "peer" column in your conn.log that indicates which worker analyzed the connection.  You should probably include this code in a new file in your site/ directory and load the file in local.bro.  Since the file is in your site/ directory you won't need to add any directory prefixes and you can load the file directly.  If you place the file into <prefix>/share/bro/site/conn-peer-extension.bro you can load it in local.bro with "@load conn-peer-extension".

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
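As an added example, not part of Seth's post: once the "peer" column is in conn.log, the per-worker load question is answered by tallying that column.  The Python below parses the Bro ASCII log format from its # header lines and counts records per peer; the log lines, UIDs and worker names are constructed sample data.

```python
import collections
from typing import Dict, Iterator

# Constructed sample conn.log with the added "peer" column (only a few of the
# real conn.log fields are kept).  The last record has no peer value ("-").
SAMPLE_CONN_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tpeer
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring
1321307423.000000\tCXWv6p3arKYeMETxOg\t10.0.0.1\t51234\t10.0.0.2\t80\ttcp\tworker-1
1321307424.000000\tCjhGID4nQcgTWjvg4c\t10.0.0.3\t51235\t10.0.0.4\t443\ttcp\tworker-2
1321307425.000000\tC4J4Th3PJpwUYZZ6gc\t10.0.0.5\t51236\t10.0.0.2\t80\ttcp\tworker-1
1321307426.000000\tCSHqP92aNkB3tOevGh\t10.0.0.6\t51237\t10.0.0.7\t53\tudp\t-
#close\t2011-11-14-21-50-23
"""


def parse_bro_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record of a Bro ASCII log, driven by its # headers."""
    sep, unset, fields = "\t", "-", None
    for line in text.splitlines():
        if line.startswith("#separator"):
            # The first header line is space-delimited and escapes the separator.
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#unset_field"):
            unset = line.split(sep, 1)[1]
        elif line.startswith("#fields"):
            fields = line.split(sep)[1:]
        elif line.startswith("#") or not line:
            continue  # #types, #path, #close and blank lines carry no records
        else:
            if fields is None:
                raise ValueError("record seen before #fields header")
            values = line.split(sep)
            if len(values) != len(fields):
                raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
            yield {f: (None if v == unset else v) for f, v in zip(fields, values)}


def connections_per_worker(text: str) -> Dict[str, int]:
    """Count conn.log records by the "peer" column; unset peers are grouped."""
    counts = collections.Counter()
    for rec in parse_bro_log(text):
        counts[rec.get("peer") or "(no peer)"] += 1
    return dict(counts)


if __name__ == "__main__":
    for peer, n in sorted(connections_per_worker(SAMPLE_CONN_LOG).items()):
        print(f"{peer}\t{n}")
```

On a real cluster, run it over the manager's conn.log to see whether the load-balancing in front of the workers is actually spreading flows evenly.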

