I'd like to know if there is a way to select which script a worker is loading.
The goal is to limit the packets that need to be analyzed.
On a dedicated interface I've mirrored traffic going to one of our servers which has, along with other protocols, tons of DNS and NFS traffic; I'm only interested in DNS traffic.
NFS can be bandwidth consuming (up to 600 Mbps with capstats) so I'd like Bro to only analyse DNS packets.
Can we tell Bro to only load the DNS inspector for a given interface/worker?
I've also thought of firewalling everything except udp/53, but I would have to give the network interface an IP address...
You could apply a BPF in Bro.
The packets will still hit the interface, but Bro will only monitor the packets based on the BPF.
broctl starts each worker with an option that tells each worker to use its own name as a script prefix. If you look at the running bro command you should see something like
/usr/local/bro/bin/bro -i p1p1 -U .status -p broctl -p broctl-live -p local -p worker-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
where 'worker-1' is the name of the worker.
This means that if you create a script called worker-1.local.bro, it will be loaded for that worker only.
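A worker-1.local.bro that combines the two answers above (per-worker script plus a BPF), as an added example that is not part of the original thread; it assumes the Bro 2.x packet-filter framework (the restrict_filters table) and that the file sits next to local.bro in the broctl site directory so the "-p worker-1" prefix finds it:

```bro
# worker-1.local.bro  (added example; placed beside local.bro in the
# broctl site directory, loaded only by the worker named "worker-1"
# because broctl starts it with "-p worker-1")
#
# Everything in local.bro still applies to this worker; this file only
# narrows what its capture interface hands to the analyzers.

# restrict_filters entries are AND-ed into the BPF that Bro installs on
# the interface, so NFS and all other traffic is dropped by the kernel
# filter before Bro ever sees it.  TCP port 53 is kept as well so DNS
# over TCP (large responses, zone transfers) is not lost.
redef restrict_filters += {
    ["worker-1-dns-only"] = "(udp port 53) or (tcp port 53)",
};
```

After `broctl check` and `broctl install`/`broctl restart`, the worker's packet_filter.log shows the filter that was actually installed, which is the place to confirm the restriction took effect.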
Thanks Justin, looks like exactly what I want.