[Bro] SQL usage in Bro

Seth Hall hall.692 at osu.edu
Mon Feb 15 11:25:00 PST 2010

On Feb 12, 2010, at 4:39 PM, Jim Mellander wrote:

> perhaps could be augmented with an event, a la
> global bad_urls: set[string] &query="SELECT url FROM bad_urls"
> &query_interval=1hour &query_event=update_badurls;
> which would then allow script-level access to the updating process.

In your example, when would the event attached to the &query_event  
attribute be raised and what arguments would be passed into it?

> Perhaps we can work together on this?

That would be great.  It sounds like you're working on the sort of
stuff I've been doing for a while where you're trying to take external
intelligence and use it to its full extent within Bro.  I'm working
on an intelligence framework for integrating that sort of intelligence
now. Would you be interested in reframing our discussion more in that
light, since it appears that is what both of our goals are?


Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721

