[Bro-Dev] Hui Lin_External Communication with Bro

Hui Lin (Hugo) hlin33 at illinois.edu
Fri Oct 21 09:28:36 PDT 2011


Hi,

I am currently writing a policy to have Bro process events from an external
source, e.g. auth.log (under /var/log). I just want to catch some sudo
operations from the system. The effect that I want is that any runtime changes in
"auth.log" will be caught by Bro's event handler.

So I reviewed the 2009 workshop exercise related to this topic. I understand how
Broccoli and Bro-pipe work. But I am just confused about the run-time usage of
it. Using Bro-Pipe for example, it uses a "bro-pipe" text file with a specific
format as the input to Bro, such as

ssh_fail_login double=1184518203 addr=85.14.95.10 addr=131.243.2.11 string=aggie string=password
ssh_fail_login double=1184529743 addr=81.68.198.23 addr=131.243.2.11 string=ailsa string=password
ssh_fail_login double=1184529745 addr=81.68.198.23 addr=131.243.2.11 string=aim string=password

So there should be a script to transform the original log file into this
"bro-pipe" text file. My question is: is it possible to dynamically
update this "bro-pipe" text file when the log file is updated during
runtime? If possible, what script is used and how do I do that?

Best,

Hui


-- 
Hui Lin
Research Assistant
DEPEND Research Group, ECE Department
University of Illinois at Urbana-Champaign
hlin33 at illinois.edu
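As an added example (not part of the original post, and not code shipped with Bro or Bro-pipe), here is one way to do what the question asks: a small Python script that follows auth.log like `tail -F`, picks out sudo entries, and writes one bro-pipe style event line per entry to stdout, which can be appended to the "bro-pipe" text file while Bro is running. The line format `<event> <type>=<value> ...` is inferred from the sample lines in the post; the event names `sudo_command` and `sudo_denied`, the sudo log line layout, the choice to treat syslog timestamps as UTC with the current year, and the percent-encoding of values that contain spaces are all assumptions of this example, since the post does not say how a bro-pipe reader escapes such values.

```python
#!/usr/bin/env python3
"""Added example: emit bro-pipe style event lines for sudo entries in auth.log.

Assumed output format (inferred from the sample lines in the post):
    <event_name> <type>=<value> <type>=<value> ...   one event per line
"""
import calendar
import os
import re
import sys
import time
from datetime import datetime
from urllib.parse import quote

# Assumed layout of a sudo entry in a syslog-style auth.log, e.g.
#   Oct 21 09:28:36 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow
SUDO_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<hms>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) sudo(?:\[\d+\])?: +(?P<user>\S+) : "
    r"(?:.*?; )?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}

# Constructed sample lines (not from any real system) for a stand-alone run.
SAMPLE_LINES = [
    "Oct 21 09:28:36 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow",
    "Oct 21 09:28:37 host sshd[123]: Accepted password for bob from 192.0.2.10 port 5022 ssh2",
    "Oct 21 09:30:01 host sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash",
]


def syslog_epoch(mon, day, hms, year):
    """Syslog timestamps carry no year, so the caller supplies one.
    The timestamp is interpreted as UTC (assumption; use time.mktime for local time)."""
    h, m, s = (int(x) for x in hms.split(":"))
    return calendar.timegm((year, MONTHS[mon], int(day), h, m, s, 0, 0, 0))


def parse_sudo(line, year):
    """Return a dict describing a sudo entry, or None for any other line."""
    m = SUDO_RE.match(line)
    if not m:
        return None
    event = "sudo_denied" if "NOT in sudoers" in line else "sudo_command"
    return {
        "event": event,
        "ts": syslog_epoch(m.group("mon"), m.group("day"), m.group("hms"), year),
        "host": m.group("host"),
        "user": m.group("user"),
        "target": m.group("target"),
        "cmd": m.group("cmd").strip(),
    }


def to_bro_pipe(rec):
    """Format one record as a bro-pipe style line. Values are percent-encoded so
    a space inside COMMAND cannot be mistaken for a field separator (assumption)."""
    return "%s double=%d string=%s string=%s string=%s string=%s" % (
        rec["event"], rec["ts"], quote(rec["host"]), quote(rec["user"]),
        quote(rec["target"]), quote(rec["cmd"]))


def convert_lines(lines, year):
    """Convert an iterable of auth.log lines; non-sudo lines are dropped."""
    out = []
    for line in lines:
        rec = parse_sudo(line.rstrip("\n"), year)
        if rec:
            out.append(to_bro_pipe(rec))
    return out


def follow(path, poll=1.0):
    """Yield lines appended to `path` from its current end onward (like tail -F),
    reopening the file when it is truncated or replaced by log rotation."""
    f = open(path, "r", errors="replace")
    f.seek(0, os.SEEK_END)
    while True:
        line = f.readline()
        if line:
            yield line.rstrip("\n")
            continue
        time.sleep(poll)
        try:
            st = os.stat(path)
        except FileNotFoundError:
            continue  # rotation in progress; keep polling for the new file
        if st.st_size < f.tell() or st.st_ino != os.fstat(f.fileno()).st_ino:
            f.close()
            f = open(path, "r", errors="replace")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        for out_line in convert_lines(SAMPLE_LINES, 2011):  # demo on constructed input
            print(out_line)
        sys.exit("usage: auth2bropipe.py /var/log/auth.log >> bro-pipe.txt")
    year = datetime.now().year  # assumption: log lines belong to the current year
    for line in follow(sys.argv[1]):
        rec = parse_sudo(line, year)
        if rec:
            print(to_bro_pipe(rec), flush=True)
```

Run it as `python3 auth2bropipe.py /var/log/auth.log >> bro-pipe.txt` so that each new sudo entry becomes a line in the file Bro-pipe reads; on the Bro side the handlers would then be declared with matching types, e.g. `event sudo_command(t: double, host: string, user: string, target: string, cmd: string)` (also an assumption of this example). Because the script only reads from the end of the file, events that were already in auth.log when it started are not replayed; restart it after a year boundary or make the year configurable if you run it across New Year.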