[Bro] Developing my own writer driver

Luis Miguel Silva luismiguelferreirasilva at gmail.com
Wed Jan 28 12:42:12 PST 2015


I realized my last question was off topic from the original topic so I'm
going to create a new thread for it.

Thank you!
Luis

On Wed, Jan 28, 2015 at 12:37 PM, Luis Miguel Silva <
luismiguelferreirasilva at gmail.com> wrote:

> Cool! And since you talked about multiple remote sensors, let me ask
> another question that I'm really curious about...
>
> Let's imagine that I have a low end machine capturing traffic and want to
> send the prefiltered events into a more beefy remote machine for analysis
> and event capturing. Can I do that?
>
> Based on bro's Input framework, I believe I can redirect an entire tcpdump
> into it BUT, I want *some* filtering to happen upfront, though the MAIN
> processing work should be executed somewhere else.
>
> From what I understood (based on this architectural description
> <https://www.bro.org/sphinx/cluster/index.html>), my low end computer in
> charge of the sniffing would run the "manager" code and my beefy machine(s)
> would run the workers. Is that how I would set things up?
> And who writes the outputs, is it the workers OR do the workers pass the
> result back to the manager?
>
> Thank you,
> Luis
>
> On Wed, Jan 28, 2015 at 12:22 PM, John Green <john at giggled.org> wrote:
>
>> On 28 January 2015 at 19:01, Luis Miguel Silva
>> <luismiguelferreirasilva at gmail.com> wrote:
>> > Out of curiosity, why didn't you create a custom writer instead?
>> > ...simplicity?
>>
>> At the time simplicity and I had multiple remote sensors with
>> restricted network connectivity.  I would rsync, or physically
>> transfer, the completed logs back to a central postgres server for
>> import and analysis.  Real time alerting wasn't that important.
>>
>> Getting the data into Postgres did facilitate the writing of some
>> useful SQL queries to spot odd/malicious behaviour.  If I were doing it
>> again I would probably investigate using Postgres Foreign Data Wrappers
>> instead.
>>
>> John
>>
>
>
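The sensor/analysis split asked about above maps onto a BroControl node.cfg, where the hosts that sniff run worker nodes and the manager, which writes the log files in a Bro 2.x cluster, runs on the larger machine. This is an added illustration, not a file from the thread; the hostnames, addresses and interface names are placeholders.

```ini
# BroControl node.cfg (added example; addresses and interfaces are placeholders)

# The manager runs on the beefy box: it receives the workers' log writes,
# writes the log files, and handles notices and alerting.
[manager]
type=manager
host=192.0.2.10

# One proxy is enough for a small cluster; it synchronises state between workers.
[proxy-1]
type=proxy
host=192.0.2.10

# Workers run on the sniffing hosts: each captures on a local interface,
# does the protocol analysis there, and forwards only log records to the manager.
[worker-1]
type=worker
host=192.0.2.21
interface=eth0

[worker-2]
type=worker
host=192.0.2.22
interface=eth0
```

Note that in this layout the protocol analysis itself runs on the worker hosts; the manager aggregates and writes what the workers emit rather than doing the packet processing.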