Hi all,

This is not really a question, more just to see if anybody had any strong opinions, or good suggestions about how to integrate yara into bro. I read something on this mailing list about integrating bro with yara, and hadn’t seen anything since, so I’ve developed a yara analyser for bro.
https://github.com/hempnall/broyara

The code seems to work well for small pcaps, but I wondered about memory exhaustion using std::ostringstream to store files in larger deployments. I just wondered whether this was something that you might consider including in the bro source; I’d be happy to tidy it up if there was enough enthusiasm.

This only took me about three hours (thanks to Bro’s extensibility and Yara’s excellent docs).
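The memory concern raised above is real: libyara's whole-buffer scan needs the complete file in one contiguous allocation, so an analyser that appends every delivered chunk to an unbounded std::ostringstream grows with the largest transfer on the wire. The sketch below is an added example, not code from broyara or from Bro's file-analysis framework, showing one way to bound that: keep accumulating only up to a configured cap, release the buffer and flag the file as truncated once the cap is exceeded, and run the scan at end-of-file only for complete files. All class and function names (BoundedFileBuffer, Deliver, EndOfFile, ScanInChunks) and the pattern list are assumptions; the substring matcher stands in for the rules engine purely so the example runs without libyara.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Hypothetical bounded accumulator for a whole-file scanner. Instead of an
// unbounded std::ostringstream, it stops keeping data once the file exceeds
// max_bytes and records that the file was truncated, so one large transfer
// cannot exhaust memory. Names are assumptions, not Bro or broyara API.
class BoundedFileBuffer {
public:
    explicit BoundedFileBuffer(size_t max_bytes) : max_bytes_(max_bytes) {
        buf_.reserve(std::min<size_t>(max_bytes, 4096));
    }

    // Called once per delivered chunk (the role a DeliverStream hook plays).
    // Returns false once the cap is exceeded; the caller may then detach.
    bool Deliver(const uint8_t* data, size_t len) {
        if (truncated_) return false;
        if (buf_.size() + len > max_bytes_) {
            truncated_ = true;
            buf_.clear();            // a partial scan is not meaningful, free it
            buf_.shrink_to_fit();
            return false;
        }
        buf_.insert(buf_.end(), data, data + len);
        return true;
    }

    bool truncated() const { return truncated_; }
    size_t size() const { return buf_.size(); }
    const std::vector<uint8_t>& data() const { return buf_; }

private:
    size_t max_bytes_;
    std::vector<uint8_t> buf_;
    bool truncated_ = false;
};

// Stand-in for the rules engine: byte patterns to look for. In the real
// analyser this would be a yr_rules_scan_mem() call; plain substring search is
// used here only so the example runs without libyara.
struct Pattern { std::string name; std::string bytes; };

// Constructed sample rules, not a real ruleset.
const std::vector<Pattern> kPatterns = {
    {"marker_a", "MALICIOUS_MARKER"},
    {"marker_b", "ANOTHER_MARKER"},
};

std::vector<std::string> ScanBuffer(const std::vector<uint8_t>& buf,
                                    const std::vector<Pattern>& patterns) {
    std::vector<std::string> hits;
    std::string haystack(buf.begin(), buf.end());
    for (const auto& p : patterns)
        if (haystack.find(p.bytes) != std::string::npos) hits.push_back(p.name);
    return hits;
}

// End-of-file handler: scan only complete files. A truncated file yields no
// hits; a real analyser should log it as skipped for size rather than clean.
std::vector<std::string> EndOfFile(const BoundedFileBuffer& fb,
                                   const std::vector<Pattern>& patterns) {
    if (fb.truncated()) return {};
    return ScanBuffer(fb.data(), patterns);
}

// Feed a byte string in fixed-size chunks, as the framework would, and report
// whether the cap was hit. Matches that straddle chunk boundaries are found
// because the scan runs over the reassembled buffer, not per chunk.
std::vector<std::string> ScanInChunks(const std::string& file, size_t chunk,
                                      size_t max_bytes,
                                      const std::vector<Pattern>& patterns,
                                      bool* truncated) {
    BoundedFileBuffer fb(max_bytes);
    const uint8_t* base = reinterpret_cast<const uint8_t*>(file.data());
    for (size_t off = 0; off < file.size(); off += chunk) {
        size_t n = std::min(chunk, file.size() - off);
        if (!fb.Deliver(base + off, n)) break;
    }
    if (truncated) *truncated = fb.truncated();
    return EndOfFile(fb, patterns);
}

int main() {
    bool trunc = false;
    // Constructed sample: marker placed so it straddles a 16-byte chunk boundary.
    std::string small = std::string(100, 'x') + "MALICIOUS_MARKER" + std::string(50, 'y');
    auto hits = ScanInChunks(small, 16, 1024, kPatterns, &trunc);
    std::printf("small file: %zu hit(s), truncated=%d\n", hits.size(), trunc);
    auto big = ScanInChunks(std::string(5000, 'z'), 512, 1024, kPatterns, &trunc);
    std::printf("oversize file: %zu hit(s), truncated=%d\n", big.size(), trunc);
    return 0;
}
```

The cap is the knob a larger deployment would tune per file type; the important property is that the decision to stop buffering is taken on the delivery path, before the allocation happens, and that a file skipped for size is reported as skipped rather than silently treated as clean.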



