[Discussion] David's Bro Script

Martin Holste mcholste at gmail.com
Tue Nov 4 20:19:34 UTC 2008


I am also skeptical that it can be used as a complete framework, that's why
I'm inquiring about the Python-Broccoli interface, because it would be a
proof of concept for showing how Bro hooks into a larger, arbitrary
framework.

--Martin

On Tue, Nov 4, 2008 at 9:13 AM, Matt Jonkman <jonkman at jonkmans.com> wrote:

> I agree, starting to play with bro and am duly impressed.
>
> Still not convinced we can do all we want to using it as a framework,
> but keeping an open mind...
>
> Matt
>
> Martin Holste wrote:
> > Thanks, Seth.  Any idea how this would go using the Python-Broccoli
> > interface?  The idea being that there would be a database somewhere with
> > the ever-changing list of hosts, and at some regular interval, the data
> > would be dumped from the DB via Python-Broccoli to a running Bro instance.
> >
> > --Martin
> >
> > On Tue, Nov 4, 2008 at 7:36 AM, David J. Bianco <david at vorant.com
> > <mailto:david at vorant.com>> wrote:
> >
> >     Wow, I had no idea this was possible.  Clearly, I still have much to
> >     learn
> >     about Bro.  I dig it, though, and will definitely be relying on it
> >     as part
> >     of my suite of detection tools in the near future.
> >
> >            David
> >
> >     Seth Hall wrote:
> >     > On Nov 3, 2008, at 8:14 PM, Martin Holste wrote:
> >     >
> >     >> David had a fine post again today
> >     <http://blog.vorant.com/2008/11/detecting-outgoing-connections-from.html>
> >     >> showing how to make a Bro script from scratch which identified
> >     >> non-whitelisted traffic.  Could one of the Bro experts show how to
> >     >> take that and make it able to be dynamically updated at run-time?
> >     >
> >     >
> >     > It's update-able through the Bro communications protocol.  If you
> >     > are using the cluster shell, there is an update command that does
> >     > this for you.  You just need to make the changes to your global/const
> >     > variables in your policy scripts and then do the following procedure...
> >     >
> >     > # cluster<return>
> >     >
> >     >    > check
> >     >    (check for all to be ok)
> >     >    > install
> >     >    > update
> >     >
> >     > That *should* then put any updates to global/const variables in
> >     > place.  It's certainly possible to write other scripts that would
> >     > do the same procedure without as well since ultimately all the shell
> >     > does to cause the update process is throw an event through the
> >     > communications protocol.
> >     >
> >     >    .Seth
> >     >
> >     > ---
> >     > Seth Hall
> >     > Network Security - Office of the CIO
> >     > The Ohio State University
> >     > Phone: 614-292-9721
> >     >
> >     > _______________________________________________
> >     > Discussion mailing list
> >     > Discussion at openinfosecfoundation.org
> >     <mailto:Discussion at openinfosecfoundation.org>
> >     > http://lists.openinfosecfoundation.org/mailman/listinfo/discussion
> >
> >
> >
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > Discussion mailing list
> > Discussion at openinfosecfoundation.org
> > http://lists.openinfosecfoundation.org/mailman/listinfo/discussion
>
> --
> --------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> --------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
>
>
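The thread describes two halves of one workflow: a whitelist that lives in a database, and Seth's check / install / update sequence in the cluster shell that pushes changed global/const values to a running Bro. The script below is an added example (not code from this thread, from David's blog post, or from the Bro project) that joins the two: it reads the host list from a database, validates every row as an address or CIDR literal before writing it into a policy file, and then replays the shell sequence, stopping if `check` fails. It assumes a Bro-side declaration along the lines of `global Whitelist::allowed_dests: set[subnet] &redef;`, a table named `whitelist_hosts`, and a shell invoked as `cluster <command>`; none of those names appear in the thread. The sample rows are constructed for the example.

```python
"""Regenerate a Bro whitelist policy file from a database and push it.

Added example; assumptions not in the thread: the Bro variable
Whitelist::allowed_dests (a set[subnet] declared &redef), a table named
whitelist_hosts, and a cluster shell that accepts one command per run.
"""
import ipaddress
import sqlite3
import subprocess
from typing import Callable, Iterable, List, Optional

BRO_VAR = "Whitelist::allowed_dests"       # assumed name of the &redef set[subnet]
CLUSTER_SHELL = "cluster"                  # assumed name of the shell binary
UPDATE_COMMANDS = ["check", "install", "update"]   # sequence from Seth's reply


def sample_db() -> sqlite3.Connection:
    """Constructed sample data (not from the thread), including bad rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE whitelist_hosts (host TEXT, enabled INTEGER)")
    conn.executemany("INSERT INTO whitelist_hosts VALUES (?, ?)", [
        ("192.0.2.10", 1),
        ("198.51.100.0/24", 1),
        ("2001:db8::1", 1),
        ("203.0.113.5", 0),                   # disabled: must not be emitted
        ("192.0.2.10", 1),                    # duplicate: emitted once
        ("1.2.3.4 }; redef x = T; #", 1),     # injection attempt: rejected
    ])
    return conn


def load_hosts(conn: sqlite3.Connection) -> List[str]:
    """Read the currently enabled rows from the (assumed) whitelist_hosts table."""
    rows = conn.execute(
        "SELECT host FROM whitelist_hosts WHERE enabled = 1 ORDER BY host")
    return [r[0] for r in rows]


def validate_hosts(hosts: Iterable[str]) -> List[str]:
    """Keep only well-formed IPv4/IPv6 addresses or CIDR subnets.

    The output file is Bro script, so a row that is not a pure address
    literal would be executed as policy; anything that does not parse is
    dropped rather than quoted. Bare addresses become /32 or /128 so every
    entry is a valid subnet literal. De-duplicated and sorted by version.
    """
    good = set()
    for h in hosts:
        try:
            good.add(ipaddress.ip_network(h.strip(), strict=False))
        except ValueError:
            continue
    return [str(n) for n in sorted(good, key=lambda n: (n.version, n))]


def render_policy(hosts: Iterable[str]) -> str:
    """Render a policy fragment that redefines the whitelist set."""
    entries = validate_hosts(hosts)
    body = ",\n".join("    " + e for e in entries)
    return ("# generated from the whitelist database; do not edit by hand\n"
            "redef %s = {\n%s\n};\n" % (BRO_VAR, body))


def write_policy(path: str, hosts: Iterable[str]) -> str:
    """Write the rendered fragment to the policy directory and return it."""
    text = render_policy(hosts)
    with open(path, "w") as f:
        f.write(text)
    return text


def push_update(run: Optional[Callable[[str], int]] = None) -> List[str]:
    """Replay check / install / update, stopping at the first failure.

    `run` takes a command name and returns its exit status; the default
    invokes `cluster <command>` (assumption: the shell takes a single
    command as an argument). A failing `check` (e.g. a syntax error in the
    regenerated file) means nothing is installed. Returns the commands run.
    """
    if run is None:
        run = lambda cmd: subprocess.run([CLUSTER_SHELL, cmd]).returncode
    done = []
    for cmd in UPDATE_COMMANDS:
        done.append(cmd)
        if run(cmd) != 0:
            break
    return done


if __name__ == "__main__":
    hosts = load_hosts(sample_db())
    print(write_policy("whitelist-hosts.bro", hosts))
    print("would run:", push_update(run=lambda cmd: 0))
```

Run it on a schedule (cron, or the "regular interval" Martin mentions) so the policy file tracks the database; the validation step is the part worth keeping even if the push mechanism changes, since whoever can write to the host table would otherwise be writing Bro policy.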