[Bro] SQL usage in Bro

Jim Mellander jmellander at lbl.gov
Thu Feb 11 12:36:40 PST 2010

Hi Brolist & especially Seth:

I've created a Bro policy called 'stomper.bro' which matches http requests
against a blacklist (and acts appropriately, issuing temporary host-pair blocks
to prevent access to forbidden URLs), which is loaded when bro starts up - the
data structure is sufficiently crude that it loads ~ 700k urls in 5 seconds, but
is inefficient in usage, although I've thought about amortizing the conversion
of the simple structure into a more efficient one during the bro run (the first
time a hit is made to a particular domain, convert it to a more efficient
representation on the fly).

However, I've thought about databasizing this, either via a broccoli enabled
'oracle' program, fed URLs and returning bro events signifying actions to take,
or using the database extensions Seth has added to the bro code to access a
persistent database instead.

Does anyone have any information on performance metrics of the postgresql
bindings for bro, both with the sql server on localhost, and being on a remote
box (might be accessed by multiple bros)?  I would be interested particularly in
the rate of requests that can be handled and answered, and the latency
(obviously, doing realtime blocking of forbidden domains requires
near-instantaneous response).

Thanks in advance

Jim Mellander
Incident Response Manager
Computer Protection Program
Lawrence Berkeley National Laboratory
(510) 486-7204

The reason you are having computer problems is:

We're on Token Ring, and it looks like the token got loose.

More information about the Bro mailing list