Bro cluster questions, round 2

Unrelated to notification, I have a couple more bro clustering questions.

1) A couple more months from now, asymmetric routing is going to be a real
problem for us. My plan is to correlate possible_split_routing alerts to
identify those situations. Other than writing an external script to
process the logs on the manager node, can the manager do this within Bro?
Essentially it would have to process an event based on an event handed to
it from the worker nodes. I guess this is a more general question, can
the manager programmatically respond to things seen by various workers
that the workers themselves can't see as a whole?

2) It's probably too early to ask as we're just beginning to think about
this, but is it possible to distribute a Time Machine setup across all the
Bro workers?

-Dop

> it from the worker nodes. I guess this is a more general question, can
> the manager programmatically respond to things seen by various workers
> that the workers themselves can't see as a whole?

Yes. As long as the individual pieces of information arrive at the
manager somehow, it can run arbitrary further Bro script code on them
for correlation. Here, it could do so with the possible_split_routing
weird events (which by default are actually not forwarded to the
manager, but that can be changed). More generally, one can use
arbitrary events to send any information back and forth between
workers and manager.

> 2) It's probably too early to ask as we're just beginning to think about
> this, but is it possible to distribute a Time Machine setup across all the
> Bro workers?

Generally, yes. We haven't formalized that model yet, but I've been
wanting to do that for quite a while already. The basic setup is
pretty straight-forward: you just start one TM instance on every
worker. The interesting question is how to get packets out, and for
that, one could run a TM proxy process on the manager system which
receives queries for the TM (like from the command line client),
relays them to all the backend TMs, and then collects their replies
and forwards them to the original querier. Such a proxy should
actually be pretty simple to implement. And once broctl gets the
planned plugin API, it would be straight-forward to operate the "TM
cluster" from there.

Robin
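The worker-to-manager correlation Robin describes, written out as an added example in the style of the Bro 2.x cluster framework (this is not code from the thread or from the Bro project; later Zeek releases replace `worker2manager_events` with Broker-based publishing). Each worker turns the `possible_split_routing` weird into a custom event, the cluster framework forwards that event to the manager, and the manager raises a notice once the same host pair has been reported by more than one worker. The module name, the `worker_saw` event, the notice type and the threshold are assumptions for illustration.

```zeek
# Added example, not code from the thread or the Bro project.
# Module, event name, notice type and threshold are assumptions.

@load base/frameworks/cluster
@load base/frameworks/notice

module SplitRouting;

export {
	redef enum Notice::Type += {
		## Raised on the manager when the same host pair produced
		## possible_split_routing weirds on more than one worker.
		Asymmetric_Route,
	};

	## Sent by a worker each time it sees the weird (assumed event name).
	global worker_saw: event(orig: addr, resp: addr, worker: string);

	## How many reports of a pair to collect before correlating.
	const report_threshold = 3 &redef;
}

# Ask the cluster framework to forward this event from workers to the manager.
redef Cluster::worker2manager_events += /^SplitRouting::worker_saw$/;

@if ( Cluster::local_node_type() == Cluster::WORKER )
# Workers: translate the weird into the custom event. Cluster::node is the
# worker's own name, so the manager can tell the reports apart.
event conn_weird(name: string, c: connection, addl: string)
	{
	if ( name == "possible_split_routing" )
		event SplitRouting::worker_saw(c$id$orig_h, c$id$resp_h, Cluster::node);
	}
@endif

@if ( Cluster::local_node_type() == Cluster::MANAGER )
# Manager: per host pair, which workers reported it and how often.
global reporters: table[addr, addr] of set[string] &create_expire=1hr;
global reports: table[addr, addr] of count &default=0 &create_expire=1hr;

event SplitRouting::worker_saw(orig: addr, resp: addr, worker: string)
	{
	if ( [orig, resp] !in reporters )
		reporters[orig, resp] = set();

	add reporters[orig, resp][worker];
	++reports[orig, resp];

	# A single worker seeing the weird may just be a lost packet; the same
	# pair reported from two different workers is the asymmetric-routing
	# signature this correlation is after.
	if ( reports[orig, resp] >= report_threshold && |reporters[orig, resp]| > 1 )
		{
		NOTICE([$note=Asymmetric_Route,
		        $msg=fmt("%s <-> %s reported by workers %s", orig, resp,
		                 join_string_set(reporters[orig, resp], ",")),
		        $src=orig,
		        $identifier=cat(orig, resp)]);
		delete reports[orig, resp];
		}
	}
@endif
```

The `@if` blocks keep the worker-side and manager-side handlers in one script that is loaded on every node; the `$identifier` field lets the notice framework suppress repeats for the same pair, which matters because asymmetric routes tend to produce the weird on every connection between the two hosts.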