[Oisf-devel] RFC: Broccoli output plugin for Suricata (WIP)

Victor Julien victor at inliniac.net
Thu May 9 09:14:53 UTC 2013


Hi Tom,

On 05/08/2013 06:46 PM, Tom DeCanio wrote:
> This work has been funded by nPulse Technologies.  This is an output
> plugin for Suricata that optionally sends alert information to Bro
> using Broccoli.

Many thanks to you and nPulse :)

> A similar capability already exists in Barnyard2 that forwards alerts
> to Bro by ingesting unified2 alert logs.  This operates by sending
> Broccoli data to Bro directly from Suricata.  The Broccoli event
> format generated by this output plugin is aligned fairly close to that
> generated by Barnyard2.
> 
> A simple Bro script example has been provided in the contrib directory
> that ingests suricata alert events and writes a log file similar to
> the fast.log file format.  This is intended to be an example of how
> one might consume suricata alerts from within Bro.
> 
> The code can be found here:
> https://github.com/decanio/suricata-np/tree/dev-broccoli/contrib/bro
> 
> Please review.  All comments are welcome.

As this appears to be a client server connection, do we actually need to
hold a lock on the communication? The event is created locally I think,
so maybe only the bro_event_send should be protected? Or maybe not even
that if it's inner workings are atomic.

Couple of style notes:

- indent looks off in a quite a few places
- function names in suri all are LikeThis(), so not like
bro_util_fill_v6_addr()
- I think most if not all commits can be squashed together


The unittests doesn't seem to be testing any of the bro code. Not sure
how easy it will be to do so. Maybe at least the BroEvent creation can
be tested.

A final question is about speed. We're working on a (local)client-server
connection, in the packet pipeline (this is actually a design issue in
suri, see #352). So will this mechanism be able to keep up with a high
number of alerts per sec?

Cheers,
Victor

#352: https://redmine.openinfosecfoundation.org/issues/352

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------




More information about the Oisf-devel mailing list