[Bro] Best practice on how to customize an officially distributed script
Luis Miguel Silva
luismiguelferreirasilva at gmail.com
Mon Feb 2 08:51:34 PST 2015
...by the way, I should have said this in my previous email...
I do not think I can simply look at the DHCP info, seeing that some of the
hosts in my network MIGHT have statically defined ip addresses. The
known-hosts script looks at src and dest ip addrs to figure out who's out
On Mon, Feb 2, 2015 at 9:49 AM, Luis Miguel Silva <
luismiguelferreirasilva at gmail.com> wrote:
> I haven't given that much thought about how I'm going to capture the mac
> addr right now. :o)
> My first concern was to understand what are the best practices to
> customize an existing stock script.
> For instance, I don't know if it is possible to overload / extend another
> script's functions? If so, I'm interested in that, seeing as I do not want
> to replace / customize ALL script functionality.
> Originally, I had thought about running an arp query of some sort (maybe
> calling out an external script, which I'm guessing should be possible?) to
> figure out what the mac is for each local ip addr. Is there a more elegant
> / scalable way to do it?
> Thank you,
> On Mon, Feb 2, 2015 at 8:53 AM, Seth Hall <seth at icir.org> wrote:
>> > On Feb 2, 2015, at 12:35 AM, Luis Miguel Silva <
>> luismiguelferreirasilva at gmail.com> wrote:
>> > I would like to change the known-hosts.bro script to log both the ip
>> and macaddr for all known hosts in my network.
>> Are you collecting mac addresses from the DHCP analyzer?
>> > What are the best practices for customizing scripts that ship with bro
>> (e.g. distributed in the /usr/share/bro/* directory)?
>> > Am I supposed to just:
>> > - copy the script I want to customize to my share/bro/site/
>> > - and change local.bro to load the script in share/bro/site/ instead of
>> That’s probably the best option. At the very least, if you’re loading
>> the one out of your site directory you won’t have to worry about
>> interfering with the one in the policy directory.
>> Seth Hall
>> International Computer Science Institute
>> (Bro) because everyone has a network