[Bro-Dev] input-framework file locations

Aashish Sharma asharma at lbl.gov
Fri Aug 25 13:56:13 PDT 2017

[ re-igniting an OLD thread ]

OK so @DIR sort of works.

I've used this as

 global smtp_indicator_feed = fmt("%s/feeds/smtp_malicious_indicators.out", @DIR) &redef;

Problem is: @DIR gives the path of the directory where the script is residing.

So when I do broctl install - all the scripts go into :

so while the file is referenced correctly and input data is read just
fine, neither humans nor any other process can now append to the input file.

Does the problem make sense?

I think I am looking for something which can point back to a 'static' path.

On Fri, Jul 8, 2016 at 5:41 PM, Robin Sommer <robin at icir.org> wrote:
> On Fri, Jul 08, 2016 at 16:59 -0700, you wrote:
>> Something similar to __load__.bro model
> @DIR gives you the path to the directory the current script is located
> in. Does that help?
> Robin


Original thread:

I have been thinking and trying different things but for now, it
appears that if we are to share policies around, there is no easy way
to be able to distribute input-files along with policy files.

Basically, right now I use

redef Scan::whitelist_ip_file = "/usr/local/bro/feeds/ip-whitelist.scan" ;

and then expect everyone to edit path as their setup demands it and
place accompanying sample file in the directory or create one for
themselves  - this all introduces errors as well as slows down

Is there a way I can use relative paths instead of absolute paths for
input-framework digestion? At present a new-heuristics dir can have
__load__.bro with all policies but input-framework won't read files
relative to that directory or where it is placed.

redef Scan::whitelist_ip_file = "../feeds/ip-whitelist.scan" ;

Something similar to __load__.bro model

Also, one question I have is: should all input files go to a 'standard'
feeds/input dir in bro or be scattered around along with their
accompanying bro policies (i.e. in individual directories)?

Something to think about, as with more and more reliance on the
input-framework I think there is a need for 'standardization' on where
to put input files and how to easily find and read them.
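
An added example, not part of the original message and not code from the Bro distribution: the two forms shown in this thread combined, with a `@DIR`-relative default for the feed path that a site can `redef` to a static, writable location. The record layouts, the table name and the stream name are hypothetical; `Scan::whitelist_ip_file` and both paths are taken from the message.

```bro
# Added example; record layouts, table name and stream name are hypothetical.
module Scan;

export {
	# Default: look for the feed next to this script, so a shared policy
	# directory can ship its own sample file alongside __load__.bro.
	const whitelist_ip_file = fmt("%s/feeds/ip-whitelist.scan", @DIR) &redef;
}

# Assumed feed layout: a "#fields<TAB>ip<TAB>comment" header line,
# then one tab-separated row per entry.
type WhitelistIdx: record {
	ip: addr;
};

type WhitelistVal: record {
	comment: string;
};

global whitelist_ips: table[addr] of WhitelistVal = table();

event bro_init()
	{
	# REREAD reloads the table when the file changes, so rows appended
	# by people or other processes are picked up while Bro is running.
	Input::add_table([$source=whitelist_ip_file, $name="scan_whitelist_ip",
	                  $idx=WhitelistIdx, $val=WhitelistVal,
	                  $destination=whitelist_ips, $mode=Input::REREAD]);
	}

# In a site's local.bro, point the same option at a static path outside
# the installed script tree:
# redef Scan::whitelist_ip_file = "/usr/local/bro/feeds/ip-whitelist.scan";
```

The default keeps the package self-contained, while the commented `redef` gives the feed a fixed location that does not depend on where the scripts are installed.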
