[Bro-Dev] Script reorg proposal

Scott Campbell scampbell at lbl.gov
Mon Aug 1 11:27:27 PDT 2011



I think that this is an excellent idea since it addresses the new user
(!RTFM)/first impression problem.
cheers,
scott

On 8/1/11 11:49 AM, Robin Sommer wrote:
> Seems we are still not quite happy with the layout of the new
> scripts. The current directory structure can be a bit confusing to
> follow, and also for users, to find out what to load.
> 
> Seth and I were kicking around another idea last week. It's somewhat 
> radical compared to "Bro tradition" but I think it makes sense.
> 
> The proposal is to move more scripts into the set loaded by 
> default. While currently, Bro essentially does nothing when no
> further scripts are specified, we would change things so that by
> default, Bro now loads all the basic scripts that do just logging and
> state building (but not more extensive/expensive kinds of analysis
> or detection).
> 
> So when users just run Bro on a link/trace, they'll immediately get
> a bunch of high-value log files, without needing to figure out
> anything else (and some may just want to stop right there in terms of
> what to learn about Bro, which is fine).
> 
> In addition, however, as there clearly is value in running Bro with
> a minimal bare-bones config (for fine-tuned trace analysis, research,
> or debugging), we'd also provide an option (i.e., redefable script 
> variable and/or environment variable), that brings back the old 
> behaviour of loading just bro.init. With that, one could still 
> cherry-pick what to load.
> 
> With this scheme, we'd organize the script installation like this, 
> assuming --prefix=/usr:
> 
> /usr/share/bro/base/
> 
> - All the scripts that are loaded by default (large parts of the
> current protocols and frameworks directories). Most users wouldn't
> need to know much about these scripts (but they'll be documented and
> can be extended).
> 
> /usr/share/bro/policy/
> 
> - All the scripts that the user can load in addition. I.e., much like
> the 1.5 policy/ directory, but with less stuff in it.
> 
> /usr/share/bro/site/
> 
> - Local site-policies. Depending on file system standards, this may
> go somewhere else as well.
> 
> /usr/share/bro/contrib/
> 
> - At some point, we'll add the set of contributed scripts here. Will
> be externally managed in some way we haven't figured out yet.
> 
> 
> BROPATH would include all these four directories.
> 
> 
> What do you guys think?
> 
> Robin
> 

