[Bro-Dev] osquery integration
Siwek, Jon
jsiwek at illinois.edu
Wed Feb 4 08:37:31 PST 2015
> + - On the osquery side, we need to assemble the event for sending
> + to Broker. Generally, the columns returned by the ``SELECT``
> + will turn into the event's arguments. In addition, we add an
> + always-present ``h: Host`` argument. The event arguments' types
> + need to be mapped from what osquery returns to Broker types
> + (which, in turn, correspond to Bro types); see next bullet.
> +
> + - It seems there are two possible ways of doing the type conversion:
> +
> + 1. Hardcoding: The osqery plugin retrieves the query response,
> + iterates through its columns and builds up a Broker event
> + to then send out.
> +
> + .. note::
> +
> + I'm not quite sure what interface(s) osquery provides
> + for extracting results. On the web page, I see JSON; not
> + sure if there's something more direct.
> +
> + 2. Leveraging JSON: We can also extend Broker with a JSON
> + interface, so that the osqery plugin can forward a JSON
> + response directly. For this, we would:
> +
> + - Extend Broker's API with a function that builds an
> + event from JSON; with some predefined mapping of how
> + JSON values turn into Broker values.
> +
> + - Then call that function from the osquery plugin.
> +
> + Option (2) would actually be a nice interface for Broker to
> + have anyways, as it opens it up to ingesting input from a
> + variety of other JSON sources as well (we could write a an
> + ingestion daemon that opens up a socket to which web
> + applications can post JSON; but that's a different topic :).
I’m not sure what the difference between (1) and (2) is? Either one seems to do a JSON -> Broker-data conversion, the difference is just in whether that conversion code lives in the application that uses Broker or in the Broker library itself. I don’t think Broker itself is in any better position to actually do the conversion. Not opposed to putting such an example/template in Broker, just saying it may not be required to get the job done.
A third idea: it seems like here it would be doing a JSON -> Broker-data -> Bro-value conversion, instead can Broker messages/events just be specified in terms of a JSON string parameter, then leave JSON -> Bro-value conversion up to Bro? Teaching Bro a good way to interface directly w/ JSON might also be beneficial in other areas.
- Jon
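As an added example (not code from the thread, from Broker or from osquery), the following Python sketch shows the JSON -> Broker-data conversion the reply above describes living in the application: a per-query type mapping decides what each column becomes, the always-present host argument is prepended, and a row that does not fit the mapping is rejected. The event name, the column names and the type mapping are constructed for illustration; the type tags are stand-ins for Broker types, not Broker's real API.

```python
import ipaddress
import json
from typing import Any, Dict, List, Tuple

# A stand-in for a Broker value: (broker_type_tag, python_value). Assumption, not Broker's API.
Value = Tuple[str, Any]

# Constructed per-query mapping of SELECT column -> Broker type. Column order here is
# the argument order of the resulting event.
PROCESS_QUERY_TYPES: Dict[str, str] = {
    "pid": "int",
    "name": "string",
    "uid": "count",
    "on_disk": "bool",
    "cpu": "double",
}

# Constructed sample row. osquery serialises every column value as a JSON string,
# which is why the type mapping is needed in the first place.
SAMPLE_ROW = '{"pid": "4242", "name": "sshd", "uid": "0", "on_disk": "1", "cpu": "0.5"}'


def convert_value(raw: str, broker_type: str) -> Value:
    """Turn one string-typed osquery column value into a tagged Broker-like value."""
    if not isinstance(raw, str):
        raise ValueError(f"osquery values are strings, got {type(raw).__name__}")
    if broker_type == "string":
        return ("string", raw)
    if broker_type == "int":
        return ("int", int(raw, 10))
    if broker_type == "count":
        v = int(raw, 10)
        if v < 0:
            raise ValueError(f"count column cannot be negative: {raw}")
        return ("count", v)
    if broker_type == "double":
        return ("double", float(raw))
    if broker_type == "bool":
        if raw not in ("0", "1"):
            raise ValueError(f"bool column must be '0' or '1', got {raw!r}")
        return ("bool", raw == "1")
    raise ValueError(f"unknown Broker type {broker_type!r}")


def row_to_event(event_name: str, host: str, row_json: str,
                 types: Dict[str, str]) -> Dict[str, Any]:
    """Build a Broker-like event from one osquery result row.

    The host is the always-present first argument; the remaining arguments are
    the SELECT columns in mapping order. Rows whose column set differs from the
    mapping are rejected rather than silently producing a mis-shaped event.
    """
    row = json.loads(row_json)
    if not isinstance(row, dict):
        raise ValueError("expected one JSON object per row")
    missing = set(types) - set(row)
    extra = set(row) - set(types)
    if missing or extra:
        raise ValueError(f"row/mapping mismatch: missing={sorted(missing)} extra={sorted(extra)}")
    args: List[Value] = [("addr", str(ipaddress.ip_address(host)))]
    for col, broker_type in types.items():
        args.append(convert_value(row[col], broker_type))
    return {"event": event_name, "args": args}


if __name__ == "__main__":
    print(row_to_event("osquery::process", "192.0.2.10", SAMPLE_ROW, PROCESS_QUERY_TYPES))
```

The point of the mapping dictionary is the one the reply makes: whoever holds it can do the conversion, and it is the query author, not the Broker library, who knows it.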