[Discussion] David's Bro Script

• Previous message (by thread): [Discussion] David's Bro Script
• Next message (by thread): [Discussion] Features suggestion
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, 2008-11-04 at 08:42 -0600, Martin Holste wrote:
> Thanks, Seth.  Any idea how this would go using the Python-Broccoli
> interface?  The idea being that there would be a database somewhere
> with the ever-changing list of hosts, and at some regular interval,
> the data would be dumped from the DB via Python-Broccoli to a running
> Bro instance.

Hi Martin -- Without going too much into the details (which are better
discussed on the Bro list), the idea would basically be to define event
types that would signal addition/removal to/from the main table(s)
driving Bro's operation. The Bro instance would request those event
types and upon their arrival add/drop the specified hosts to/from the
table. In David's code (which is about connections, not hosts), this
might look as follows:

event add_conn(c: connection) {
	detected_restricted_connections[c$id$orig_h, c$id$resp_h,
					c$id$resp_p] = network_time();
}

event drop_conn(c: connection) {
	if ([c$id$orig_h, c$id$resp_h, c$id$resp_p] in detected_restricted_connections)
		delete detected_restricted_connections[c$id$orig_h, c$id$resp_h,
						       c$id$resp_p]);
}

How to send such events in Python is described on the pybroccoli
page[1]; more detail on Broccoli's event API can be found in the
Broccoli manual[2]. I/O specifics such as update granularity & frequency
would have to be determined by the developer.

[1] http://www.icir.org/robin/bro/pybroccoli.html
[2] http://www.icir.org/christian/broccoli/manual/

-- 
Cheers,
Christian

• Previous message (by thread): [Discussion] David's Bro Script
• Next message (by thread): [Discussion] Features suggestion
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]