[Bro] Best practice on how to customize an officially distributed script

Seth Hall seth at icir.org
Mon Feb 2 07:53:22 PST 2015


> On Feb 2, 2015, at 12:35 AM, Luis Miguel Silva <luismiguelferreirasilva at gmail.com> wrote:
> 
> I would like to change the known-hosts.bro script to log both the ip and macaddr for all known hosts in my network.

Are you collecting mac addresses from the DHCP analyzer?

> What are the best practices for customizing scripts that ship with bro (e.g. distributed in the /usr/share/bro/* directory)?
> Am I supposed to just:
> - copy the script I want to customize to my share/bro/site/
> - and change local.bro to load the script in share/bro/site/ instead of share/bro/policy/protocols/conn/known-hosts.bro?

That’s probably the best option.  At the very least, if you’re loading the one out of your site directory you won’t have to worry about interfering with the one in the policy directory.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/




More information about the Bro mailing list