[Discussion] David's Bro Script

Martin Holste mcholste at gmail.com
Tue Nov 4 14:42:17 UTC 2008


Thanks, Seth.  Any idea how this would go using the Python-Broccoli
interface?  The idea being that there would be a database somewhere with the
ever-changing list of hosts, and at some regular interval, the data would be
dumped from the DB via Python-Broccoli to a running Bro instance.

--Martin

On Tue, Nov 4, 2008 at 7:36 AM, David J. Bianco <david at vorant.com> wrote:

> Wow, I had no idea this was possible.  Clearly, I still have much to learn
> about Bro.  I dig it, though, and will definitely be relying on it as part
> of my suite of detection tools in the near future.
>
>        David
>
> Seth Hall wrote:
> > On Nov 3, 2008, at 8:14 PM, Martin Holste wrote:
> >
> >> David had a fine post again today
> >> <http://blog.vorant.com/2008/11/detecting-outgoing-connections-from.html>
> >> showing how to make a Bro script from scratch which identified
> >> non-whitelisted traffic.  Could one of the Bro experts show how to take
> >> that and make it able to be dynamically updated at run-time?
> >
> >
> > It's update-able through the Bro communications protocol.  If you are
> > using the cluster shell, there is an update command that does this for
> > you.  You just need to make the changes to your global/const variables
> > in your policy scripts and then do the following procedure...
> >
> > # cluster<return>
> >
> >    > check
> >    (check for all to be ok)
> >    > install
> >    > update
> >
> > That *should* then put any updates to global/const variables in
> > place.  It's certainly possible to write other scripts that would do
> > the same procedure without it as well, since ultimately all the shell does
> > to cause the update process is throw an event through the
> > communications protocol.
> >
> >    .Seth
> >
> > ---
> > Seth Hall
> > Network Security - Office of the CIO
> > The Ohio State University
> > Phone: 614-292-9721
> >
> > _______________________________________________
> > Discussion mailing list
> > Discussion at openinfosecfoundation.org
> > http://lists.openinfosecfoundation.org/mailman/listinfo/discussion
>
>
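Added example (not from the thread or from the Bro/Broccoli projects) of what Martin's proposal could look like on the Python side: a script that reads the current host list from a database at a regular interval and pushes only the changes into a running Bro instance over pybroccoli. It assumes a Bro policy that loads listen-clear, accepts events from the peer via a `Remote::destinations` entry, and handles two events named `whitelist_add` and `whitelist_remove` by adding to or deleting from a `set[addr]`; the table name, event names, port and sample rows are all constructed for the example. The pybroccoli calls (`Connection`, `send`, `processInput`, `addr`) follow the bindings' ping example as I recall it and are imported only inside the functions that talk to Bro, so the DB and delta logic can be exercised without Bro present.

```python
"""
Periodic push of a whitelist from a database into a running Bro instance
over Broccoli (pybroccoli).  Assumed Bro-side policy (not included here):

    @load listen-clear
    global whitelisted_hosts: set[addr] &redef;
    redef Remote::destinations += {
        ["db-sync"] = [$host=127.0.0.1, $events=/whitelist_(add|remove)/, $connect=F]
    };
    event whitelist_add(h: addr)    { add whitelisted_hosts[h]; }
    event whitelist_remove(h: addr) { delete whitelisted_hosts[h]; }

All names (table, events, port) are assumptions made for this example.
"""
import ipaddress
import sqlite3
import time

# listen-clear's port in Bro 1.x; assumption for the example.
BRO_DEST = "127.0.0.1:47757"


def load_hosts(db):
    """Return the currently enabled whitelist as a set of normalised address strings."""
    rows = db.execute("SELECT ip FROM whitelist WHERE enabled = 1").fetchall()
    hosts = set()
    for (ip,) in rows:
        try:
            hosts.add(str(ipaddress.ip_address(ip)))
        except ValueError:
            # A malformed DB row must not reach Bro as an addr value.
            continue
    return hosts


def compute_delta(previous, current):
    """Return (to_add, to_remove) so each interval sends only the changes."""
    return sorted(current - previous), sorted(previous - current)


def push_delta(conn, to_add, to_remove):
    """Raise the assumed whitelist_add/whitelist_remove events on the Bro peer."""
    from broccoli import addr  # pybroccoli; only needed when actually talking to Bro
    for h in to_add:
        conn.send("whitelist_add", addr(h))
    for h in to_remove:
        conn.send("whitelist_remove", addr(h))
    conn.processInput()


def sync_loop(db, interval=60):
    """Poll the DB every `interval` seconds and keep Bro's set in step with it."""
    from broccoli import Connection
    conn = Connection(BRO_DEST)
    pushed = set()  # what Bro currently holds, as far as we have told it
    while True:
        current = load_hosts(db)
        to_add, to_remove = compute_delta(pushed, current)
        push_delta(conn, to_add, to_remove)
        pushed = current
        time.sleep(interval)


def make_sample_db():
    """Constructed in-memory stand-in for the real host inventory database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE whitelist (ip TEXT, enabled INTEGER)")
    db.executemany(
        "INSERT INTO whitelist VALUES (?, ?)",
        [("10.1.2.3", 1), ("10.1.2.4", 1), ("192.0.2.9", 0), ("not-an-ip", 1)],
    )
    db.commit()
    return db


if __name__ == "__main__":
    sync_loop(make_sample_db())
```

Sending deltas rather than the full list each time keeps the event volume proportional to churn, and tracking `pushed` locally means a host removed from the DB is also removed from Bro's set instead of lingering until the next restart. If the Bro process restarts, the script's notion of `pushed` is stale, so in practice you would reset it (and resend everything) whenever the Broccoli connection is re-established.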