I am also skeptical that it can be used as a complete framework, that's why I'm inquiring about the Python-Broccoli interface, because it would be a proof of concept for showing how Bro hooks into a larger, arbitrary framework.<br>
<br>--Martin<br><br><div class="gmail_quote">On Tue, Nov 4, 2008 at 9:13 AM, Matt Jonkman <span dir="ltr"><<a href="mailto:jonkman@jonkmans.com">jonkman@jonkmans.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
I agree, starting to play with bro and am duly impressed.<br>
<br>
Still not convinced we can do all we want to using it as a framework,<br>
but keeping an open mind...<br>
<br>
Matt<br>
<div class="Ih2E3d"><br>
Martin Holste wrote:<br>
> Thanks, Seth. Any idea how this would go using the Python-Broccoli<br>
> interface? The idea being that there would be a database somewhere with<br>
> the ever-changing list of hosts, and at some regular interval, the data<br>
> would be dumped from the DB via Python-Broccoli to a running Bro instance.<br>
><br>
> --Martin<br>
><br>
> On Tue, Nov 4, 2008 at 7:36 AM, David J. Bianco <<a href="mailto:david@vorant.com">david@vorant.com</a><br>
</div><div><div></div><div class="Wj3C7c">> <mailto:<a href="mailto:david@vorant.com">david@vorant.com</a>>> wrote:<br>
><br>
> Wow, I had no idea this was possible. Clearly, I still have much to<br>
> learn<br>
> about Bro. I dig it, though, and will definitely be relying on it<br>
> as part<br>
> of my suite of detection tools in the near future.<br>
><br>
> David<br>
><br>
> Seth Hall wrote:<br>
> > On Nov 3, 2008, at 8:14 PM, Martin Holste wrote:<br>
> ><br>
> >> David had a fine post again today<br>
> <<a href="http://blog.vorant.com/2008/11/detecting-outgoing-connections-from.html" target="_blank">http://blog.vorant.com/2008/11/detecting-outgoing-connections-from.html</a><br>
> >>> showing how to make a Bro script from scratch which identified non-<br>
> >> whitelisted traffic. Could one of the Bro experts show how to take<br>
> >> that and make it able to be dynamically updated at run-time?<br>
> ><br>
> ><br>
> > It's update-able through the Bro communications protocol. If you are<br>
> > using the cluster shell, there is an update command that does this for<br>
> > you. You just need to make the changes to your global/const variables<br>
> > in your policy scripts and then do the following procedure...<br>
> ><br>
> > # cluster<return><br>
> ><br>
> > > check<br>
> > (check for all to be ok)<br>
> > > install<br>
> > > update<br>
> ><br>
> > That *should* then put any updates to global/const variables in<br>
> > place. It's certainly possible to write other scripts that would do<br>
> > the same procedure without as well since ultimately all the shell does<br>
> > to cause the update process is throw an event through the<br>
> > communications protocol.<br>
> ><br>
> > .Seth<br>
> ><br>
> > ---<br>
> > Seth Hall<br>
> > Network Security - Office of the CIO<br>
> > The Ohio State University<br>
> > Phone: 614-292-9721<br>
> ><br>
> > _______________________________________________<br>
> > Discussion mailing list<br>
> > <a href="mailto:Discussion@openinfosecfoundation.org">Discussion@openinfosecfoundation.org</a><br>
</div></div>> <mailto:<a href="mailto:Discussion@openinfosecfoundation.org">Discussion@openinfosecfoundation.org</a>><br>
<div class="Ih2E3d">> > <a href="http://lists.openinfosecfoundation.org/mailman/listinfo/discussion" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/discussion</a><br>
><br>
><br>
><br>
</div>> ------------------------------------------------------------------------<br>
<div class="Ih2E3d">><br>
> _______________________________________________<br>
> Discussion mailing list<br>
> <a href="mailto:Discussion@openinfosecfoundation.org">Discussion@openinfosecfoundation.org</a><br>
> <a href="http://lists.openinfosecfoundation.org/mailman/listinfo/discussion" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/discussion</a><br>
<br>
</div>--<br>
--------------------------------------------<br>
Matthew Jonkman<br>
Emerging Threats<br>
Phone 765-429-0398<br>
Fax 312-264-0205<br>
<a href="http://www.emergingthreats.net" target="_blank">http://www.emergingthreats.net</a><br>
--------------------------------------------<br>
<br>
PGP: <a href="http://www.jonkmans.com/mattjonkman.asc" target="_blank">http://www.jonkmans.com/mattjonkman.asc</a><br>
<br>
<br>
</blockquote></div><br>