[Bro] SQL usage in Bro
JAzoff at uamail.albany.edu
Thu Feb 11 14:02:38 PST 2010
On Thu, Feb 11, 2010 at 04:41:03PM -0500, Seth Hall wrote:
> global bad_urls: set[string] &query="SELECT url FROM bad_urls"
Interesting.. I was thinking about doing something like this just using broccoli..
start with a plain..
global bad_urls: set[string];
add new events similar to request_id...
event set_add(tbl: string, key: string);
event set_remove(tbl: string, key: string);
event table_add(tbl: string, key: string, val: string);
event table_remove(tbl: string, key: string);
then you would have code that uses broccoli that selects the rows from the DB and fires off events like
This way you could use any database, or even just a flatfile for storing bad
urls.. all the logic for getting the actual records would be implemented in
Python (or C or Ruby...), the only changes to Bro would be the new set and table
-- Justin Azoff
-- Network Security & Performance Analyst
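
Added example, not part of the original message: a sketch of the external side of this design, which reads the rows from a database and turns each change into `set_add` / `set_remove` events for the named set. The `SetSync` class, the `QUERIES` map, the in-memory SQLite table and the `send` callable (a stand-in for whatever broccoli binding delivers the event to Bro) are all assumptions made for illustration.

```python
import sqlite3

# One fixed query per Bro-side set name (names here are illustrative assumptions).
QUERIES = {"bad_urls": "SELECT url FROM bad_urls"}


def fetch_keys(db, tbl):
    """Return the current set of keys for `tbl` from the backing store."""
    return {row[0] for row in db.execute(QUERIES[tbl]) if row[0] is not None}


def diff_events(tbl, old, new):
    """Translate a snapshot change into set_add/set_remove event tuples."""
    events = [("set_add", tbl, k) for k in sorted(new - old)]
    events += [("set_remove", tbl, k) for k in sorted(old - new)]
    return events


class SetSync:
    """Keeps one Bro set in step with a DB table by sending only the deltas."""

    def __init__(self, db, tbl, send):
        self.db, self.tbl, self.send = db, tbl, send
        self.known = set()  # keys Bro has been told about so far

    def poll(self):
        current = fetch_keys(self.db, self.tbl)
        events = diff_events(self.tbl, self.known, current)
        for ev in events:
            self.send(*ev)  # stand-in for the broccoli send call
        self.known = current  # only reached if every send succeeded
        return events


def demo():
    db = sqlite3.connect(":memory:")  # constructed sample data
    db.execute("CREATE TABLE bad_urls (url TEXT)")
    db.executemany("INSERT INTO bad_urls VALUES (?)",
                   [("http://a.example/x",), ("http://b.example/y",)])
    sent = []
    sync = SetSync(db, "bad_urls", lambda *ev: sent.append(ev))
    first = sync.poll()
    db.execute("DELETE FROM bad_urls WHERE url = ?", ("http://a.example/x",))
    db.execute("INSERT INTO bad_urls VALUES (?)", ("http://c.example/z",))
    second = sync.poll()
    return first, second, sent


if __name__ == "__main__":
    for ev in demo()[2]:
        print(ev)
```

Because `known` is updated only after every event has been sent, a failed delivery causes the same deltas to be re-sent on the next poll, which is harmless for set membership.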