From 8d283db63b6e433dbd3f4775447905a9f6b43326 Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Tue, 23 Sep 2014 12:23:39 -0400
Subject: [PATCH] Adds a "node" field to Intel::Seen struture and intel.log.

The intel framework can now indicate which node discovered a hit on an intel item through the new "node" field in the Intel::Seen data structure. On clusters, this field will contain the name of the node where the hit was seen.

---
 scripts/base/frameworks/intel/main.bro | 8 ++++++++
 .../manager-1.intel.log | 10 +++++-----
 .../broproc.intel.log | 12 ++++++------
 .../manager-1.intel.log | 16 ++++++++--------
 4 files changed, 27 insertions(+), 19 deletions(-)

diff --git a/scripts/base/frameworks/intel/main.bro b/scripts/base/frameworks/intel/main.bro
index fb3a9a3613..5b31dd964e 100644
--- a/scripts/base/frameworks/intel/main.bro
+++ b/scripts/base/frameworks/intel/main.bro
@@ -81,6 +81,9 @@ export {
 ## Where the data was discovered.
 where: Where &log;
 
+ ## The name of the node where the match was discovered.
+ node: string &optional &log;
+
 ## If the data was discovered within a connection, the
 ## connection record should go here to give context to the data.
 conn: connection &optional;
@@ -240,6 +243,11 @@ function Intel::seen(s: Seen)
 s$indicator_type = Intel::ADDR;
 }
 
+ if ( ! s?$node )
+ {
+ s$node = peer_description;
+ }
+
 if ( have_full_data )
 {
 local items = get_items(s);
diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency/manager-1.intel.log b/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency/manager-1.intel.log
index cd314ab408..ba19f4e8d7 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency/manager-1.intel.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency/manager-1.intel.log
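Review bot: The doc comment on the new `node` field does not say how it is filled in when the caller leaves it unset, which is the common case; the second hunk defaults it from `peer_description`, so a standalone run logs `bro` (as the input-and-match baseline in this patch shows) rather than a cluster node name. Suggest `## The name of the node where the match was discovered. If unset, Intel::seen fills it with the local peer_description.` The enclosing `Seen` record and the `export` block both start and end outside the hunk.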
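Review bot: The new default `s$node = peer_description;` carries no comment explaining why the local peer description stands in for the node name, and a reader of `Intel::seen` alone cannot tell that on a cluster this is the node name while standalone it is `bro`. A one-line comment such as `# Default to this instance's peer_description (the node name on a cluster).` would make the intent clear. Because a caller-supplied value is kept as-is, any script that constructs a `Seen` record can label a match with an arbitrary string that lands in intel.log; if that is intended it deserves a sentence in the field's documentation, since downstream consumers keyed on `seen.node` should not assume it is always a configured node name. The body of `Intel::seen` starts and ends outside the hunk.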
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path intel -#open 2014-04-01-23-13-48 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc seen.indicator seen.indicator_type seen.where sources -#types time string addr port addr port string string string string enum enum set[string] -1396394028.821227 - - - - - - - - 123.123.123.123 Intel::ADDR Intel::IN_ANYWHERE worker-1 -#close 2014-04-01-23-13-58 +#open 2014-09-23-16-13-39 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc seen.indicator seen.indicator_type seen.where seen.node sources +#types time string addr port addr port string string string string enum enum string set[string] +1411488819.555114 - - - - - - - - 123.123.123.123 Intel::ADDR Intel::IN_ANYWHERE worker-2 worker-1 +#close 2014-09-23-16-13-49 diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.input-and-match/broproc.intel.log b/testing/btest/Baseline/scripts.base.frameworks.intel.input-and-match/broproc.intel.log index c1c81a662b..33c97c0c1e 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.intel.input-and-match/broproc.intel.log +++ b/testing/btest/Baseline/scripts.base.frameworks.intel.input-and-match/broproc.intel.log 
@@ -3,9 +3,9 @@ #empty_field (empty) #unset_field - #path intel -#open 2014-04-01-23-14-04 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc seen.indicator seen.indicator_type seen.where sources -#types time string addr port addr port string string string string enum enum set[string] -1396394044.377145 - - - - - - - - e@mail.com Intel::EMAIL SOMEWHERE source1 -1396394044.377145 - - - - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE source1 -#close 2014-04-01-23-14-04 +#open 2014-09-23-16-14-49 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc seen.indicator seen.indicator_type seen.where seen.node sources +#types time string addr port addr port string string string string enum enum string set[string] +1411488889.571819 - - - - - - - - e@mail.com Intel::EMAIL SOMEWHERE bro source1 +1411488889.571819 - - - - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE bro source1 +#close 2014-09-23-16-14-49 diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.read-file-dist-cluster/manager-1.intel.log b/testing/btest/Baseline/scripts.base.frameworks.intel.read-file-dist-cluster/manager-1.intel.log index f7d62eb737..d8e2d43674 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.intel.read-file-dist-cluster/manager-1.intel.log +++ b/testing/btest/Baseline/scripts.base.frameworks.intel.read-file-dist-cluster/manager-1.intel.log 
@@ -3,11 +3,11 @@ #empty_field (empty) #unset_field - #path intel -#open 2014-04-01-23-14-12 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc seen.indicator seen.indicator_type seen.where sources -#types time string addr port addr port string string string string enum enum set[string] -1396394052.512481 - - - - - - - - 1.2.3.4 Intel::ADDR Intel::IN_A_TEST source1 -1396394052.512481 - - - - - - - - e@mail.com Intel::EMAIL Intel::IN_A_TEST source1 -1396394053.554897 - - - - - - - - 1.2.3.4 Intel::ADDR Intel::IN_A_TEST source1 -1396394053.554897 - - - - - - - - e@mail.com Intel::EMAIL Intel::IN_A_TEST source1 -#close 2014-04-01-23-14-21 +#open 2014-09-23-16-15-00 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc seen.indicator seen.indicator_type seen.where seen.node sources +#types time string addr port addr port string string string string enum enum string set[string] +1411488900.900403 - - - - - - - - 1.2.3.4 Intel::ADDR Intel::IN_A_TEST worker-1 source1 +1411488900.900403 - - - - - - - - e@mail.com Intel::EMAIL Intel::IN_A_TEST worker-1 source1 +1411488901.923543 - - - - - - - - 1.2.3.4 Intel::ADDR Intel::IN_A_TEST worker-2 source1 +1411488901.923543 - - - - - - - - e@mail.com Intel::EMAIL Intel::IN_A_TEST worker-2 source1 +#close 2014-09-23-16-15-09