mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
fa88646eec
a broctl print triggers this error
Reporter::ERROR no such index (Cluster::nodes[Intel::p$descr])
/usr/local/bro/share/bro/base/frameworks/intel/./cluster.bro, line 39
when broctl connects p$descr is empty. It should probably be set to
'control' somewhere inside broctl, but that would only fix broctl, not
other clients.
diff --git a/aux/bro-aux b/aux/bro-aux
index 02f710a43..43f4b90bb 160000
--- a/aux/bro-aux
+++ b/aux/bro-aux
@@ -1 +1 @@
-Subproject commit 02f710a436dfe285bae0d48d7f7bc498783e11a8
+Subproject commit 43f4b90bbaf87dae1a1073e7bf13301e58866011
diff --git a/aux/broctl b/aux/broctl
index e960be2c1..d3e6cdfba 160000
--- a/aux/broctl
+++ b/aux/broctl
@@ -1 +1 @@
-Subproject commit e960be2c192a02f1244ebca3ec31ca57d64e23dc
+Subproject commit d3e6cdfba496879bd55542c668ea959f524bd723
diff --git a/aux/btest b/aux/btest
index 2810ccee2..e638fc65a 160000
--- a/aux/btest
+++ b/aux/btest
@@ -1 +1 @@
-Subproject commit 2810ccee25f6f20be5cd241155f12d02a79d592a
+Subproject commit e638fc65aa12bd136594451b8c185a7a01ef3e9a
diff --git a/scripts/base/frameworks/intel/cluster.bro b/scripts/base/frameworks/intel/cluster.bro
index 820a5497a..e75bdd057 100644
--- a/scripts/base/frameworks/intel/cluster.bro
+++ b/scripts/base/frameworks/intel/cluster.bro
@@ -32,7 +32,7 @@ event remote_connection_handshake_done(p: event_peer)
{
# When a worker connects, send it the complete minimal data store.
# It will be kept up to date after this by the cluster_new_item event.
- if ( Cluster::nodes[p$descr]$node_type == Cluster::WORKER )
+ if ( p$descr in Cluster::nodes && Cluster::nodes[p$descr]$node_type == Cluster::WORKER )
{
send_id(p, "Intel::min_data_store");
}
74 lines
2.3 KiB
Text
74 lines
2.3 KiB
Text
##! Cluster transparency support for the intelligence framework. This is mostly
|
|
##! oriented toward distributing intelligence information across clusters.
|
|
|
|
@load ./main
|
|
@load base/frameworks/cluster
|
|
|
|
module Intel;
|
|
|
|
redef record Item += {
|
|
## This field is used internally for cluster transparency to avoid
|
|
## re-dispatching intelligence items over and over from workers.
|
|
first_dispatch: bool &default=T;
|
|
};
|
|
|
|
# If this process is not a manager process, we don't want the full metadata.
|
|
@if ( Cluster::local_node_type() != Cluster::MANAGER )
|
|
redef have_full_data = F;
|
|
@endif
|
|
|
|
# Internal event for cluster data distribution.
|
|
global cluster_new_item: event(item: Item);
|
|
|
|
# Primary intelligence management is done by the manager.
|
|
# The manager informs the workers about new items and item removal.
|
|
redef Cluster::manager2worker_events += /^Intel::(cluster_new_item|purge_item)$/;
|
|
# A worker queries the manager to insert, remove or indicate the match of an item.
|
|
redef Cluster::worker2manager_events += /^Intel::(cluster_new_item|remove_item|match_no_items)$/;
|
|
|
|
@if ( Cluster::local_node_type() == Cluster::MANAGER )
|
|
# Handling of new worker nodes.
|
|
event remote_connection_handshake_done(p: event_peer)
|
|
{
|
|
# When a worker connects, send it the complete minimal data store.
|
|
# It will be kept up to date after this by the cluster_new_item event.
|
|
if ( p$descr in Cluster::nodes && Cluster::nodes[p$descr]$node_type == Cluster::WORKER )
|
|
{
|
|
send_id(p, "Intel::min_data_store");
|
|
}
|
|
}
|
|
|
|
# Handling of matches triggered by worker nodes.
|
|
event Intel::match_no_items(s: Seen) &priority=5
|
|
{
|
|
if ( Intel::find(s) )
|
|
event Intel::match(s, Intel::get_items(s));
|
|
}
|
|
|
|
# Handling of item removal triggered by worker nodes.
|
|
event Intel::remove_item(item: Item, purge_indicator: bool)
|
|
{
|
|
remove(item, purge_indicator);
|
|
}
|
|
@endif
|
|
|
|
# Handling of item insertion.
|
|
event Intel::new_item(item: Intel::Item) &priority=5
|
|
{
|
|
# The cluster manager always rebroadcasts intelligence.
|
|
# Workers redistribute it if it was locally generated.
|
|
if ( Cluster::local_node_type() == Cluster::MANAGER ||
|
|
item$first_dispatch )
|
|
{
|
|
item$first_dispatch=F;
|
|
event Intel::cluster_new_item(item);
|
|
}
|
|
}
|
|
|
|
# Handling of item insertion by remote node.
|
|
event Intel::cluster_new_item(item: Intel::Item) &priority=5
|
|
{
|
|
# Ignore locally generated events to avoid event storms.
|
|
if ( is_remote_event() )
|
|
Intel::insert(item);
|
|
}
|