Intelligence framework not working in Bro cluster

I want to use the intelligence framework to detect malicious IPs and domains.
Here is the Bro script:

@load frameworks/intel/seen
@load frameworks/intel/do_notice

export {
    redef Intel::read_files += {
        fmt("%s/../data/block_list_domain.intel", @DIR),
        fmt("%s/../data/block_list_ip.intel", @DIR),
    };
}

And here is some intelligence data:

#fields indicator indicator_type meta.source
113.23.72.15 Intel::ADDR testip
189.174.159.120 Intel::ADDR testip
27.159.231.181 Intel::ADDR testip
119.254.102.90 Intel::ADDR testip

#fields indicator indicator_type meta.source
nudmmflaurbthpw.www.w88top.com Intel::DOMAIN testdomain
a.ns.igcdn.com Intel::DOMAIN testdomain
bttracker.crunchbanglinux.org Intel::DOMAIN testdomain
mail.yinpiao.com Intel::DOMAIN testdomain

And I set do_notice to T in do_notice.bro.
It works fine in standalone type.
But there is no data in notice.log or intel.log if I use Bro's cluster.
And here is my node.cfg:

[manager]
type=manager
host=localhost

[proxy]
type=proxy
host=localhost

[worker]
type=worker
host=localhost
interface=em4
lb_method=pf_ring
lb_procs=8
pin_cpus=0,2,4,6,8,10,12,14

As you can see, the manager, the proxy and the workers are all on one computer.
I have read the documentation about the intelligence framework, and it says: "Remember, the files only need to be present on the file system of the manager node on cluster deployments."
So I modified my Bro script as follows:

@load frameworks/intel/seen
@load frameworks/intel/do_notice

export {

@if ( Cluster::is_enabled() && Cluster::local_node_type() == Cluster::MANAGER )
    redef Intel::read_files += {
        fmt("%s/../data/block_list_domain.intel", @DIR),
        fmt("%s/../data/block_list_ip.intel", @DIR),
    };
@endif

}

But it also does not work, and there is no notice.log or intel.log.

Could anyone help me? Thanks very much.

I want to use the intelligence framework to detect malicious IPs and domains.
Here is the Bro script:

@load frameworks/intel/seen
@load frameworks/intel/do_notice
export {
    redef Intel::read_files += {
        fmt("%s/../data/block_list_domain.intel", @DIR),
        fmt("%s/../data/block_list_ip.intel", @DIR),
    };
}

And here is some intelligence data:
#fields indicator indicator_type meta.source
113.23.72.15 Intel::ADDR testip
189.174.159.120 Intel::ADDR testip
27.159.231.181 Intel::ADDR testip
119.254.102.90 Intel::ADDR testip

#fields indicator indicator_type meta.source
nudmmflaurbthpw.www.w88top.com Intel::DOMAIN testdomain
a.ns.igcdn.com Intel::DOMAIN testdomain
bttracker.crunchbanglinux.org Intel::DOMAIN testdomain
mail.yinpiao.com Intel::DOMAIN testdomain

And I set `do_notice` to `T` in `do_notice.bro`.
It works fine in standalone type.

Great, that all looks good... though you shouldn't modify do_notice.bro directly.

But there is no data in notice.log or intel.log if I use Bro's cluster.
And here is my node.cfg:
[manager]
type=manager
host=localhost

[proxy]
type=proxy
host=localhost

[worker]
type=worker
host=localhost
interface=em4
lb_method=pf_ring
lb_procs=8
pin_cpus=0,2,4,6,8,10,12,14

Unrelated to your problem, but you may want to double-check those CPU IDs. On most systems the 'real' cores are the first ones, followed by the hyperthreading ones, so

pin_cpus=0,1,2,3,4,5,6,7

is the optimal setting.

As you can see, the manager, the proxy and the workers are all on one computer.
I have read the documentation about the intelligence framework, and it says: "Remember, the files only need to be present on the file system of the manager node on cluster deployments."
So I modified my Bro script as follows:
@load frameworks/intel/seen
@load frameworks/intel/do_notice
export {

@if ( Cluster::is_enabled() && Cluster::local_node_type() == Cluster::MANAGER )
    redef Intel::read_files += {
        fmt("%s/../data/block_list_domain.intel", @DIR),
        fmt("%s/../data/block_list_ip.intel", @DIR),
    };
@endif

}

This isn't required, what you had should have worked in cluster mode too.

But it also does not work, and there is no notice.log or intel.log.

Could anyone help me? Thanks very much.

Ok, the first thing to do would be to see if cluster mode was working at all. In cluster mode, did you have a conn.log and a dns.log? If you have no logs when running in cluster mode then you have a more general problem.

If everything is working the way it should be, check the loaded_scripts.log to ensure that your custom script is being loaded (it probably is since things were working in standalone mode).

Then, check stderr.log and reporter.log - especially a minute or so after startup. If there are any problems with your intel configuration, errors will be logged there.
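Since the reply points to reporter.log for intel configuration errors, a pre-flight check of the intel files themselves rules out one class of those errors before deployment. The following is an added example, not code from this thread or from the Bro project; it assumes the three-column layout shown in the thread (indicator, indicator_type, meta.source) and the Intel::ADDR / Intel::DOMAIN types the files use, and the sample rows are constructed from the thread's own indicators.

```python
import ipaddress
import re

# Added example (not from the thread): check intel files before Intel::read_files
# loads them. Bro's input framework needs a "#fields" header and TAB-separated columns.
REQUIRED = ("indicator", "indicator_type", "meta.source")
_DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{1,62}$", re.I)

def _is_addr(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

CHECKS = {"Intel::ADDR": _is_addr, "Intel::DOMAIN": lambda v: bool(_DOMAIN_RE.match(v))}  # per-type syntax checks

def validate_intel(text):
    """Return [(line_no, problem), ...]; an empty list means the file looks loadable."""
    problems, fields = [], None
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            missing = [f for f in REQUIRED if f not in fields]
            if missing:
                problems.append((n, "header lacks columns: " + ", ".join(missing)))
            continue
        if line.startswith("#"):  # other directives or comments
            continue
        if fields is None:
            problems.append((n, "data row before #fields header"))
            continue
        cols = line.split("\t")
        if len(cols) != len(fields):  # the classic mistake: spaces instead of tabs
            problems.append((n, "expected %d tab-separated columns, got %d" % (len(fields), len(cols))))
            continue
        row = dict(zip(fields, cols))
        itype, ind = row.get("indicator_type"), row.get("indicator")
        if itype not in CHECKS:
            problems.append((n, "unsupported indicator_type %r" % itype))
        elif not CHECKS[itype](ind or ""):
            problems.append((n, "%r is not a valid %s" % (ind, itype)))
    return problems

# Constructed samples: GOOD mirrors the thread's files with real tabs; BAD has a
# space-separated row and a malformed address.
GOOD = "#fields\tindicator\tindicator_type\tmeta.source\n113.23.72.15\tIntel::ADDR\ttestip\na.ns.igcdn.com\tIntel::DOMAIN\ttestdomain\n"
BAD = "#fields\tindicator\tindicator_type\tmeta.source\n27.159.231.181 Intel::ADDR testip\n999.1.1.1\tIntel::ADDR\ttestip\n"
```

Run `validate_intel(open(path).read())` on each file listed in Intel::read_files; a non-empty result is something reporter.log would otherwise complain about after startup.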