[Bro-Dev] Script reorg proposal

Robin Sommer robin at icir.org
Mon Aug 1 09:49:19 PDT 2011


Seems we are still not quite happy with the layout of the new scripts.
The current directory structure can be a bit confusing to follow, and
also for users, to find out what to load.

Seth and I were kicking around another idea last week. It's somewhat
radical compared to "Bro tradition" but I think it makes sense.

The proposal is to move more scripts into the the set loaded by
default. While currently, Bro essentially does nothing when no further
scripts are specified, we would change things so that by default, Bro
now loads all the basic scripts that do just logging and state
building (but not more extensive/expensive kinds of analysis or
detection).

So when users just run Bro on a link/trace, they'll immediately get a
bunch of high-value log files, without needing to figure out anything
else (and some may just want to stop right there in terms of what to
learn about Bro, which is fine).

In addition, however, as there clearly is value in running Bro with a
minimal bare-bones config (for fine-tuned trace analysis, research, or
debugging), we'd also provide an option (i.e., redefable script
variable and/or environemnt variable), that brings back the old
behaviour of loading just bro.init. With that, one could still
cherry-pick what to load.

With this scheme, we'd organize the script installation like this,
assuming --prefix=/usr:

    /usr/share/bro/base/

        - All the scripts that are loaded by default (large parts of
        the current protocols and frameworks directories). Most users
        wouldn't need to know much about these scripts (but they'll be
        documented and can be extended).

    /usr/share/bro/policy/

        - All the scripts that the user can load in addition. I.e.,
        much like the 1.5 policy/ directory, but with less stuff in it.

    /usr/share/bro/site/

        - Local site-policies. Depending on file system standards,
        this may go somehwere else as well.

    /usr/share/bro/contrib/

        - At some point, we'll add the set of contributed scripts
        here. Will be externally managed in some way we haven't
        figured out yet.


BROAPTH would include all these four directories.


What do you guys think?

Robin

-- 
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org


More information about the bro-dev mailing list