[Bro] piped_exec

Fahime Alizade alizade.ce at gmail.com
Wed Jan 23 05:08:12 PST 2013


I have a question about notices in Bro.
We installed a Bro cluster and made a signature file to detect sources whose
generated traffic matches the signature. Then we expect our
notice.log file (/bro/logs/current/notice.log) to be filled with all the
information about those sources. To do so, we created a bro file (located in /
bro) to redefine the notice. Now the only thing it does is print the
information in our desired format in the notice.log file.

Till now everything goes well, but we need to execute a shell script file
whenever the signature matches. So we thought maybe there is a way to
execute the script file in the notice redefinition file. I used the function
piped_exec. The problem is that when I run the following command,
/usr/local/bro/bin/ ./bro -r pcapFile.pcap broFile.bro

everything goes well with the worker. The script will be run, but on the manager
side it does not execute the shell script file.

Do you think I should use a different command for the manager?
I've uploaded the files on github:

Best regards,
Fahimeh Alizadeh
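The pattern asked about above (running an external script from the Notice framework when a signature fires), as an added example that is not part of the original post or of Bro's own scripts. It assumes a signature file named sigs.sig beside the script and a handler script at a placeholder path (/usr/local/bro/share/handle_sig.sh) that reads one tab-separated line per notice on stdin; both names are assumptions. The base signatures script fills the notice's $sub field with the signature id, so that is what gets forwarded (check this against your Bro version). In a Bro 2.x cluster, NOTICE() calls on workers are forwarded to the manager, and the Notice::policy hook, and so this piped_exec call, runs there rather than on the workers.

```bro
# Added example, not from the original post: run a handler script whenever the
# signatures framework raises Signatures::Sensitive_Signature.
@load base/frameworks/notice
@load base/frameworks/signatures

# Assumed file name for the signature file described in the post.
@load-sigs ./sigs.sig

module SigHandler;

export {
    # Assumed path of the handler; it reads one line per notice on stdin.
    const handler_script = "/usr/local/bro/share/handle_sig.sh" &redef;
}

hook Notice::policy(n: Notice::Info)
    {
    if ( n$note != Signatures::Sensitive_Signature )
        return;

    # Keep writing the normal entry to notice.log.
    add n$actions[Notice::ACTION_LOG];

    # Hand the fields to the script on stdin (piped_exec's second argument)
    # rather than building a shell command string, so nothing taken from the
    # packet is ever interpreted by the shell.
    local line = fmt("%s\t%s\t%s\n",
                     n?$src ? cat(n$src) : "-",
                     n?$dst ? cat(n$dst) : "-",
                     n?$sub ? n$sub : "-");   # $sub carries the signature id

    if ( ! piped_exec(handler_script, line) )
        Reporter::warning(fmt("piped_exec of %s failed", handler_script));
    }
```

piped_exec starts the program and writes the string to its stdin, returning false if the program could not be launched; the Reporter::warning call makes that failure visible in reporter.log instead of silently dropping the notice. Because the hook runs on the node that applies notice policy, the handler script only needs to be installed and executable on the manager.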
