[Bro] SQL usage in Bro

Jim Mellander jmellander at lbl.gov
Fri Feb 12 13:39:11 PST 2010

Seth Hall wrote:
> My thought would be that you could do something like...
>  > broctl db_update bad_urls
> That would throw an event named db_update to one or all of the hosts  
> (still haven't decided on this yet) which would be handled like this  
> (theoretically)...
> event db_update(var)
> 	{
> 	force_db_update(var);
> 	}
> The force_db_update function could be a built-in-function that would
> look up the variable named by the value of the string "var" and force
> it to update from the database.

Ok, I presume the force_db_update() function is a yet-to-be-created function.
The same practical effect would seem to be accrued if there was a way to access
the timer, and force an immediate expiration, or if the syntax of the
declaration was changed, e.g. your example:

global bad_urls: set[string] &query="SELECT url FROM bad_urls"

perhaps could be augmented with an event, ala

global bad_urls: set[string] &query="SELECT url FROM bad_urls"
&query_interval=1hour &query_event=update_badurls;

which would then allow script-level access to the updating process.

Perhaps we can work together on this?

Jim Mellander
Incident Response Manager
Computer Protection Program
Lawrence Berkeley National Laboratory
(510) 486-7204

The reason you are having computer problems is:

Decreasing electron flux
