Hi,
I’m using Bro 2.4.1 in cluster mode with 10 workers spread around 2 worker machines + proxy and manager node. Everything seems to work fine except intel framework (especially criticalstack client intelligence feed). There is error in Reporter.log that might correspond this issue:
Reporter::ERROR no such index (Cluster::nodes[Intel::p$descr]) /opt/bro/share/bro/base/frameworks/intel/./cluster.bro
thats because when ‘event remote_connection_handshake_done(p: event_peer)’ is triggered, event_peer lacks most of fields, in my case ‘p’ looks like this:
[id=10012, host=10.151.0.20, p=45783/tcp, is_local=F, descr=, class=control]
and I have no clue what is this peer (maybe a CONTROL type?)
That error is triggered every time I execute ‘broctl status’.
Intel framework is loaded:
broctl scripts | grep intel
/opt/bro/share/bro/base/frameworks/intel/load.bro
/opt/bro/share/bro/base/frameworks/intel/main.bro
/opt/bro/share/bro/base/frameworks/intel/cluster.bro
/opt/bro/share/bro/base/frameworks/intel/input.bro
…
broctl print Intel::read_files manager
manager Intel::read_files = {
/opt/critical-stack/frameworks/intel/master-public.bro.dat
}
head /opt/critical-stack/frameworks/intel/master-public.bro.dat
#fields indicator indicator_type meta.source meta.do_notice
unionsystems.com Intel::DOMAIN from http://mirror1.malwaredomains.com/files/domains.txt,phishing via intel.criticalstack.com F
bmwclubavto.ru/p/p/Conflict/Resolution/www/PP-009-176-639-801/7mXF56vGr5onWk5syWMn2wU/ISCNjQqH5WKey51F/ Intel::URL from http://www.phishtank.com/phish_detail.php?phish_id=4112321 via intel.criticalstack.com F
and feed format seems to be alright. Yet I have the second issue:
0.000000 Reporter::ERROR /opt/critical-stack/frameworks/intel/master-public.bro.dat/Input::READER_ASCII: could not read first line (empty)
which is also strange.
This results in no intel.log even though there is my query logged in dns.log, and host value present in intel feed.
Is this bro bug or my deployment misconfiguration? What would be the best way to debug this issue?