[Bro-Dev] osquery integration

Robin Sommer robin at icir.org
Wed Feb 4 09:02:20 PST 2015
On Wed, Feb 04, 2015 at 16:37 +0000, you wrote:

> I’m not sure what the difference between (1) and (2) is?  Either one
> seems to do a JSON -> Broker-data conversion, the difference is just
> in whether that conversion code lives in the application that uses
> Broker or in the Broker library itself.

Correct, if JSON is the only way to get data out of osquery. That's a
part I don't know; there might be a more direct programmatic interface in
osquery that doesn't go through JSON.

But let's say we need or want to go through JSON. Then indeed, the
question is where the code lives. Broker isn't in a better spot to do
the conversion, but if it were in there, it could be reused by other
data sources than osquery; vs., if it's part of the osquery plugin,
nobody else would benefit from it.

It could also be part of the osquery side initially, and we'd move it
over later if demand turns out to be there.

> A third idea: it seems like here it would be doing a JSON ->
> Broker-data -> Bro-value conversion, instead can Broker
> messages/events just be specified in terms of a JSON string parameter,
> then leave JSON -> Bro-value conversion up to Bro?

Yeah, JSON input is on Seth's Bro wishlist. :) But I don't like this
model here because it feels like it's using Broker just as a transport
mechanism for raw data. I think the better general approach is to fit
external data into Broker's data model, because then any Broker node
can work with the data, not just those that happen to know how to
interpret the blob coming in.

Robin

-- 
Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin
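The trade-off discussed in the message above, typed Broker data versus an opaque JSON blob, shown as an added example. This is not code from the original post, from Bro/Broker, or from osquery: the Broker data types are modelled by a small Python stand-in rather than the real Broker bindings, the sample result rows are constructed, the PROCESS_SCHEMA column-to-type mapping is a hypothetical stand-in for an osquery table schema, and the example assumes (as osquery's JSON output does in practice) that every cell arrives as a string, which is why type information must come from somewhere else.

```python
"""Convert osquery-style JSON result rows into typed records (a Broker-like
data model) and compare that with passing the JSON text through as a blob.

Added example: not code from Bro, Broker or osquery. Broker's types
(count, bool, address, string, none, ...) are approximated with Python values."""
import ipaddress
import json
from typing import Any, Dict, List

# Constructed sample of osquery-style JSON output; every cell is a string.
SAMPLE_JSON = """[
  {"pid": "1234", "name": "sshd",  "uid": "0",    "on_disk": "1", "remote_address": "203.0.113.7"},
  {"pid": "4321", "name": "nginx", "uid": "33",   "on_disk": "1", "remote_address": ""},
  {"pid": "777",  "name": "bash",  "uid": "1000", "on_disk": "0", "remote_address": "192.0.2.9"}
]"""

# Hypothetical column -> Broker-like type hints (an assumption for this example;
# a real integration would take these from the osquery table schema).
PROCESS_SCHEMA: Dict[str, str] = {
    "pid": "count", "name": "string", "uid": "count",
    "on_disk": "bool", "remote_address": "address",
}


def to_broker_value(raw: str, type_name: str) -> Any:
    """Coerce one string cell into a value of the named Broker-like type.
    An empty cell becomes None (Broker's 'none') so absence stays distinguishable."""
    if raw == "":
        return None
    if type_name == "count":              # unsigned integer
        value = int(raw, 10)
        if value < 0:
            raise ValueError(f"count must be non-negative: {raw!r}")
        return value
    if type_name == "integer":            # signed integer
        return int(raw, 10)
    if type_name == "real":
        return float(raw)
    if type_name == "bool":
        if raw in ("1", "true"):
            return True
        if raw in ("0", "false"):
            return False
        raise ValueError(f"not a boolean: {raw!r}")
    if type_name == "address":            # validated IPv4/IPv6 address
        return ipaddress.ip_address(raw)
    if type_name == "string":
        return raw
    raise ValueError(f"unsupported type {type_name!r}")


def is_valid(raw: str, type_name: str) -> bool:
    """True if the cell converts cleanly; used to reject malformed input early."""
    try:
        to_broker_value(raw, type_name)
        return True
    except ValueError:
        return False


def json_rows_to_records(text: str, schema: Dict[str, str]) -> List[Dict[str, Any]]:
    """Options (1)/(2) from the thread: JSON -> typed data before it enters Broker.
    Columns missing from the schema are kept as strings rather than dropped."""
    rows = json.loads(text)
    if not isinstance(rows, list):
        raise ValueError("expected a JSON array of rows")
    records = []
    for row in rows:
        if not isinstance(row, dict):
            raise ValueError("each row must be a JSON object")
        records.append({col: to_broker_value(str(cell), schema.get(col, "string"))
                        for col, cell in row.items()})
    return records


def root_pids_from_records(records: List[Dict[str, Any]]) -> List[int]:
    """A consumer that only knows Broker's data model: typed comparison, no parsing."""
    return sorted(r["pid"] for r in records if r["uid"] == 0)


def root_pids_from_blob(blob: str) -> List[int]:
    """The 'third idea': the same query against the raw JSON string. Every consumer
    has to re-parse it and must know that uid is a numeric string."""
    return sorted(int(r["pid"]) for r in json.loads(blob) if r.get("uid") == "0")


def names_with_remote_in(records: List[Dict[str, Any]], cidr: str) -> List[str]:
    """Where typing pays off: subnet membership on real address values, not substrings."""
    net = ipaddress.ip_network(cidr)
    return [r["name"] for r in records
            if r["remote_address"] is not None and r["remote_address"] in net]


if __name__ == "__main__":
    recs = json_rows_to_records(SAMPLE_JSON, PROCESS_SCHEMA)
    print(root_pids_from_records(recs), root_pids_from_blob(SAMPLE_JSON))
    print(names_with_remote_in(recs, "203.0.113.0/24"))
```

Both consumers answer the "which processes run as root" question, but only the typed one can be written by a node that has never seen osquery's output format; the blob consumer hard-codes the knowledge that `uid` is a decimal string, which is exactly the coupling the message argues against.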