[Discussion] David's Bro Script

Seth Hall hall.692 at osu.edu
Tue Nov 4 04:46:49 UTC 2008


On Nov 3, 2008, at 8:14 PM, Martin Holste wrote:

> David had a fine post again today <http://blog.vorant.com/2008/11/detecting-outgoing-connections-from.html>
> showing how to make a Bro script from scratch which identified
> non-whitelisted traffic.  Could one of the Bro experts show how to take
> that and make it able to be dynamically updated at run-time?


It's update-able through the Bro communications protocol.  If you are  
using the cluster shell, there is an update command that does this for  
you.  You just need to make the changes to your global/const variables  
in your policy scripts and then do the following procedure...

# cluster<return>

   > check
   (check for all to be ok)
   > install
   > update

That *should* then put any updates to global/const variables in  
place.  It's certainly possible to write other scripts that would do  
the same procedure without as well since ultimately all the shell does  
to cause the update process is throw an event through the  
communications protocol.

   .Seth

---
Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721
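As an added illustration of the point above (this is not code from the thread or from David's blog post), the following sketch shows what a whitelist has to look like for the check/install/update cycle to change it on a running node: the set is declared as a redefinable const, and the site policy adds entries with redef. The variable name whitelist_hosts and the sample addresses are made up; is_local_addr() is assumed to be the helper from site.bro, which needs local_nets populated to return T.

```bro
# Added example, not from the original post: a whitelist that the cluster
# shell's "update" step can push to running Bro nodes. Only values that are
# declared &redef and changed via "redef" in the policy scripts are picked
# up this way, which is why the list is not a plain local or a literal.

# whitelist_hosts is a hypothetical name; &redef makes it redefinable from
# other policy files, which is what "install" and "update" rely on.
const whitelist_hosts: set[addr] &redef;

# Site policy (normally kept in a separate file): the approved destinations.
# Editing this block and running check / install / update changes the live
# value without restarting Bro.
redef whitelist_hosts += {
    192.0.2.10,   # constructed sample address (TEST-NET-1)
    192.0.2.11    # constructed sample address (TEST-NET-1)
};

# Report outbound connections from local hosts to any non-whitelisted peer.
# is_local_addr() is assumed to come from site.bro.
event connection_established(c: connection)
    {
    if ( is_local_addr(c$id$orig_h) && c$id$resp_h !in whitelist_hosts )
        print fmt("%s -> %s:%s is not on the whitelist",
                  c$id$orig_h, c$id$resp_h, c$id$resp_p);
    }
```

The event handler only prints here so the redef mechanics stay visible; in a real deployment the same condition would raise a NOTICE so that the alert goes through the usual notice handling rather than stdout.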