diff --git a/scripts/base/frameworks/packet-filter/__load__.bro b/scripts/base/frameworks/packet-filter/__load__.bro
index 011885e8b7..40e9d323b9 100644
--- a/scripts/base/frameworks/packet-filter/__load__.bro
+++ b/scripts/base/frameworks/packet-filter/__load__.bro
@@ -1,3 +1,8 @@
 @load ./utils
 @load ./main
 @load ./netstats
+
+@load base/frameworks/cluster
+@if ( Cluster::is_enabled() )
+@load ./cluster
+@endif
diff --git a/scripts/base/frameworks/packet-filter/cluster.bro b/scripts/base/frameworks/packet-filter/cluster.bro
new file mode 100644
index 0000000000..34f0600d18
--- /dev/null
+++ b/scripts/base/frameworks/packet-filter/cluster.bro
@@ -0,0 +1,14 @@
+
+module PacketFilter;
+
+event remote_connection_handshake_done(p: event_peer) &priority=3
+ {
+ if ( Cluster::local_node_type() == Cluster::WORKER &&
+ p$descr in Cluster::nodes &&
+ Cluster::nodes[p$descr]$node_type == Cluster::MANAGER )
+ {
+ # This ensures that a packet filter is installed and logged
+ # after the manager connects to us.
+ install();
+ }
+ }
diff --git a/scripts/base/frameworks/packet-filter/main.bro b/scripts/base/frameworks/packet-filter/main.bro
index 4a6e9c43b5..8b1739acb4 100644
--- a/scripts/base/frameworks/packet-filter/main.bro
+++ b/scripts/base/frameworks/packet-filter/main.bro
@@ -294,6 +294,7 @@ function install(): bool
 # Do an audit log for the packet filter.
 local info: Info;
 info$ts = network_time();
+ info$node = peer_description;
 # If network_time() is 0.0 we're at init time so use the wall clock.
 if ( info$ts == 0.0 )
 {
diff --git a/testing/btest/Baseline/core.print-bpf-filters/output b/testing/btest/Baseline/core.print-bpf-filters/output
index 1342aa5869..768e6762f3 100644
--- a/testing/btest/Baseline/core.print-bpf-filters/output
+++ b/testing/btest/Baseline/core.print-bpf-filters/output
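Review bot: The new `remote_connection_handshake_done` handler in cluster.bro explains what it does but not why it must run at `&priority=3` or why re-running `install()` after the manager handshake matters, so a later reader cannot tell what ordering it depends on. Suggest a `##` doc line above the event, e.g. `## Re-install the packet filter once the manager has connected, so the install is performed and its audit log entry is visible cluster-wide (presumably log entries written before the handshake do not reach the manager).`, plus a why-comment on the priority such as `# &priority=3: run ahead of the default-priority handlers for this event -- TODO state which handler this must precede`. Separately, `install()` is declared `function install(): bool` in the main.bro hunk but its result is dropped here; if a failed filter install on a worker should be surfaced beyond the packet_filter log, the handler should check the return value and report it.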
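Review bot: The added `info$node = peer_description;` in `install()` needs a short comment, because `peer_description` is a global whose value is not obvious from this function and the old baseline shows `node` was previously left unset (`-`). Suggest `# Attribute the audit entry to this node: peer_description is "bro" for a standalone process (see the test baseline) and is presumably redefined to the node name when the cluster framework is active.` The body of `install()` continues outside the hunk.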
@@ -3,28 +3,28 @@
 #empty_field (empty)
 #unset_field -
 #path packet_filter
-#open 2013-08-12-18-24-49
+#open 2013-10-24-18-53-49
 #fields ts node filter init success
 #types time string string bool bool
-1376331889.617206 - ip or not ip T T
-#close 2013-08-12-18-24-49
+1382640829.338079 bro ip or not ip T T
+#close 2013-10-24-18-53-49
 #separator \x09
 #set_separator ,
 #empty_field (empty)
 #unset_field -
 #path packet_filter
-#open 2013-08-12-18-24-49
+#open 2013-10-24-18-53-49
 #fields ts node filter init success
 #types time string string bool bool
-1376331889.904944 - port 42 T T
-#close 2013-08-12-18-24-49
+1382640829.495639 bro port 42 T T
+#close 2013-10-24-18-53-49
 #separator \x09
 #set_separator ,
 #empty_field (empty)
 #unset_field -
 #path packet_filter
-#open 2013-08-12-18-24-50
+#open 2013-10-24-18-53-49
 #fields ts node filter init success
 #types time string string bool bool
-1376331890.192875 - (vlan) and (ip or not ip) T T
-#close 2013-08-12-18-24-50
+1382640829.653368 bro (vlan) and (ip or not ip) T T
+#close 2013-10-24-18-53-49