[Bro] BroCtl plugin - Hooking into install command (UNCLASSIFIED)

Knick, Scott E CTR (US) scott.e.knick.ctr at mail.mil
Tue Apr 26 00:27:24 PDT 2016


I've developed a custom BroCtl plugin which attempts to hook into the install command before it executes (i.e., I'm overriding cmd_install_pre()) so that a configuration defined elsewhere in /usr/local/etc can be read and the various Bro configuration files (e.g., node.cfg, networks.cfg, etc.) can be adjusted as a result. This basically works, but I have noticed that it seems like I have to run broctl install *twice* in order to make BroCtl and/or Bro realize the new configuration. Otherwise, Bro crashes and BroCtl tells me to look at the diagnostics using the diag command when I do a broctl start. The actual error messages vary but they all seem to suggest that something in Bro isn't reading in my new configuration as defined in the various Bro configuration files. I have verified that those files are actually updated to what I want prior to running broctl start.

Any ideas what might be going on? Am I missing something?

Scott Knick
