[Bro] Best practice on how to customize an officially distributed script

Luis Miguel Silva luismiguelferreirasilva at gmail.com
Mon Feb 2 08:49:45 PST 2015

I haven't given that much thought about how I'm going to capture the mac
addr right now. :o)
My first concern was to understand what are the best practices to customize
an existing stock script.

For instance, I don't know if it is possible to overload / extend other
scripts' functions? If so, I'm interested in that, seeing as I do not want
to replace / customize ALL script functionality.

Originally, I had thought about running an arp query of some sort (maybe
calling out an external script, which I'm guessing should be possible?) to
figure out what the mac is for each local ip addr. Is there a more elegant
/ scalable way to do it?

Thank you,

On Mon, Feb 2, 2015 at 8:53 AM, Seth Hall <seth at icir.org> wrote:

> > On Feb 2, 2015, at 12:35 AM, Luis Miguel Silva <luismiguelferreirasilva at gmail.com> wrote:
> >
> > I would like to change the known-hosts.bro script to log both the ip and
> > macaddr for all known hosts in my network.
>
> Are you collecting mac addresses from the DHCP analyzer?
>
> > What are the best practices for customizing scripts that ship with bro
> > (e.g. distributed in the /usr/share/bro/* directory)?
> > Am I supposed to just:
> > - copy the script I want to customize to my share/bro/site/
> > - and change local.bro to load the script in share/bro/site/ instead of
> > share/bro/policy/protocols/conn/known-hosts.bro?
>
> That’s probably the best option.  At the very least, if you’re loading the
> one out of your site directory you won’t have to worry about interfering
> with the one in the policy directory.
>
>   .Seth
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/