[Bro-Dev] osquery integration

Siwek, Jon jsiwek at illinois.edu
Wed Feb 4 09:48:06 PST 2015


> On Feb 4, 2015, at 11:02 AM, Robin Sommer <robin at icir.org> wrote:

> It could also be part of the osquery side initially, and we'd move it
> over later if demand turns out to be there.

That’s more what I was thinking. Either way doesn’t seem like a huge deal to me: I don’t expect the code involved to be that tricky.

>> A third idea: it seems like here it would be doing a JSON ->
>> Broker-data -> Bro-value conversion, instead can Broker
>> messages/events just be specified in terms of a JSON string parameter,
>> then leave JSON -> Bro-value conversion up to Bro?
> 
> Yeah, JSON input is on Seth's Bro wishlist. :) But I don't like this
> model here because it feels like it's using Broker just a transport
> mechanism for raw data. I think the better general approach is to fit
> external data into Broker's data model, because then any Broker node
> can work with the data, not just those that happen to know how to
> interpret the blob coming in.

Yeah, if there are many disparate applications acting as nodes here, then it may be better to use Broker’s data as a common format to ensure everyone has the tools necessary to interpret the messages.

- Jon
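As an added illustration of the JSON -> Broker-data conversion discussed above (this is not code from Bro, Broker or osquery): a Python sketch that maps parsed JSON onto tagged values named after Broker's data types, so a consumer gets typed data rather than an opaque blob. The `(type, value)` tuple encoding, the `"none"` tag, and the osquery-like sample row are constructed assumptions.

```python
import json

# Constructed sample, shaped like an osquery result row (hypothetical fields).
SAMPLE_JSON = ('{"name": "listening_ports", "columns": {"pid": 1234, "port": 22, '
               '"address": "0.0.0.0", "protocol": "tcp", "up": true}}')


def to_broker_data(value):
    """Map a parsed JSON value onto a (type, value) pair.

    The type tags follow Broker's data model (bool, count, integer, real,
    string, vector, table); the tuple encoding itself is an assumption.
    JSON has a single number type, so the sender must decide between
    count (unsigned) and integer here; a raw JSON blob would push that
    decision onto every consumer instead.
    """
    if isinstance(value, bool):            # bool is a subclass of int: check it first
        return ("bool", value)
    if isinstance(value, int):
        return ("count", value) if value >= 0 else ("integer", value)
    if isinstance(value, float):
        return ("real", value)
    if isinstance(value, str):
        return ("string", value)
    if value is None:
        return ("none", None)              # Broker has no null; tag is an assumption
    if isinstance(value, list):
        return ("vector", [to_broker_data(v) for v in value])
    if isinstance(value, dict):
        return ("table", {k: to_broker_data(v) for k, v in value.items()})
    raise TypeError("unsupported JSON value: %r" % (value,))


def convert_json(text):
    """Parse a JSON document and convert it into tagged Broker-style data."""
    return to_broker_data(json.loads(text))


def as_blob(text):
    """The alternative from the thread: ship the JSON text as one string value."""
    return ("string", text)


if __name__ == "__main__":
    print(convert_json(SAMPLE_JSON))
    print(as_blob(SAMPLE_JSON))
```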
