Worker Identification

Matt_Clemons · November 21, 2014, 5:06pm

Lo All,

Is there a way to extend Bro to add a “worker” field in the files.log? I’d like to know where the packets are being processed.

I’m doing file carving and the carved files are stored locally to each respective worker. Finding the interface the files crossed is pretty difficult in a large network.

Also, it would be nice to extend other logs to see what traffic is crossing what workers in order to map the network.

Maybe this is already possible, but i couldn’t find much, and I’m pretty new at brogramming.

Donaldson_John · November 21, 2014, 5:33pm

Matt,

We use something like the below to add worker names to our connection logs

redef record Conn::Info += {

peer_descr: string &default=“unknown” &log;

};

event connection_state_remove(c: connection){

c$conn$peer_descr = peer_description;

}

John Donaldson

Matt_Clemons · November 21, 2014, 6:49pm

Works like a charm. Thanks John.

-Matt

Topic		Replies	Views
Log Source Zeek	1	80	May 6, 2022
Finding out which worker is seeing connections Zeek	1	61	May 6, 2022
Can Bro Worker read packet capture files Zeek	1	82	May 6, 2022
Bro Digest, Vol 152, Issue 15 Zeek	1	67	May 6, 2022
logging locally and to remote logger Zeek	4	84	May 6, 2022

Worker Identification

Related topics