[Bro-Dev] Hui Lin_External Communication with Bro

Hui Lin (Hugo) hlin33 at illinois.edu
Fri Oct 21 09:28:36 PDT 2011


I am currently writing a policy to have Bro process events from an external
source, e.g. auth.log (under /var/log). I just want to catch some sudo
operations from the system. The effect that I want is that any runtime changes in
"auth.log" will be caught by Bro's event handler.

So I reviewed the 2009 workshop exercise related to this topic. I understand how
Broccoli and Bro-pipe work. But I am just confused about the run-time usage of
it. Using Bro-Pipe for example, it uses a "bro-pipe" text file with a specific
format as the input to Bro, such as

ssh_fail_login double=1184518203 addr= addr=
string=aggie string=password
ssh_fail_login double=1184529743 addr= addr=
string=ailsa string=password
ssh_fail_login double=1184529745 addr= addr=
string=aim string=password

So there should be a script to transform the original log file into this
"bro-pipe" text file. My question is: is it possible to dynamically
update this "bro-pipe" text file when the log file is updated during
runtime? If possible, what script is used and how do I do that?



Hui Lin
Research Assistant
DEPEND Research Group, ECE Department
University of Illinois at Urbana-Champaign
hlin33 at illinois.edu
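As an added illustration of the conversion the post asks about (this is example code, not from the original message, the 2009 workshop exercise, or the Bro project), the script below follows an auth.log file the way `tail -f` does, parses the sudo lines, and writes each one in the `event type=value ...` text layout shown in the post. Everything not shown in the post is an assumption: the event name `sudo_cmd` and its field order are hypothetical and would have to match an event declared on the Bro side; syslog timestamps carry no year, so the caller supplies one and the stamp is treated as UTC; and because the post's sample shows no quoting rule for strings containing spaces, the command field is percent-encoded. The auth.log lines in `SAMPLE_AUTH_LOG` are constructed for the demonstration.

```python
import calendar
import io
import re
import time
from typing import Iterator, List, Optional, TextIO
from urllib.parse import quote

# Constructed sample auth.log lines (syslog layout; not from any real host).
SAMPLE_AUTH_LOG = (
    "Oct 21 09:28:36 labhost sudo:     hugo : TTY=pts/0 ; PWD=/home/hugo ; "
    "USER=root ; COMMAND=/bin/ls /root\n"
    "Oct 21 09:28:40 labhost sshd[1234]: Accepted publickey for hugo "
    "from 10.0.0.5 port 51234 ssh2\n"
    "Oct 21 09:29:01 labhost sudo:     hugo : TTY=pts/0 ; PWD=/home/hugo ; "
    "USER=root ; COMMAND=/usr/bin/apt-get update\n"
)

# Matches the line layout that sudo writes through syslog.
SUDO_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<hms>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) sudo:\s+(?P<user>\S+) : TTY=(?P<tty>\S+) ; "
    r"PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def syslog_ts_to_epoch(mon: str, day: str, hms: str, year: int) -> int:
    """Syslog stamps have no year, so the caller supplies one; UTC is assumed."""
    st = time.strptime(f"{year} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")
    return calendar.timegm(st)


def parse_sudo_line(line: str, year: int) -> Optional[dict]:
    """Return the fields of a sudo record, or None for any other auth.log line."""
    m = SUDO_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return {
        "ts": syslog_ts_to_epoch(m["mon"], m["day"], m["hms"], year),
        "host": m["host"],
        "user": m["user"],
        "target": m["target"],
        "cmd": m["cmd"],
    }


def to_bro_pipe(rec: dict) -> str:
    """Encode one record as 'event type=value ...' like the post's sample.

    The event name sudo_cmd and the field order are hypothetical: Bro must
    declare an event with exactly this signature. Spaces in string values are
    percent-encoded because the sample shows no quoting rule (assumption).
    """
    def s(v: str) -> str:
        return quote(v, safe="/._-:")
    return (f"sudo_cmd double={rec['ts']} string={s(rec['host'])} "
            f"string={s(rec['user'])} string={s(rec['target'])} "
            f"string={s(rec['cmd'])}")


def convert(lines, year: int) -> List[str]:
    """Convert an iterable of auth.log lines; non-sudo lines are dropped."""
    out = []
    for line in lines:
        rec = parse_sudo_line(line, year)
        if rec:
            out.append(to_bro_pipe(rec))
    return out


def follow(fh: TextIO, poll: float = 0.5) -> Iterator[str]:
    """Yield lines appended to fh after the call (tail -f semantics, by polling)."""
    fh.seek(0, io.SEEK_END)
    while True:
        line = fh.readline()
        if line:
            yield line
        else:
            time.sleep(poll)


if __name__ == "__main__":
    import sys
    # Usage: python auth2bropipe.py /var/log/auth.log >> bro-pipe
    # Streams each new sudo record into the text file that Bro reads.
    year = time.gmtime().tm_year
    with open(sys.argv[1], "r", errors="replace") as fh:
        for new_line in follow(fh):
            rec = parse_sudo_line(new_line, year)
            if rec:
                print(to_bro_pipe(rec), flush=True)
```

Appending to the bro-pipe file with `>>` keeps the file growing as auth.log grows, which is the dynamic update the question asks for; the polling `follow` loop is deliberately simple and does not handle log rotation, so a production version would reopen the file when its inode changes.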