[Bro-Dev] input-framework file locations

Seth Hall seth at corelight.com
Mon Aug 28 18:48:42 PDT 2017

On 25 Aug 2017, at 16:56, Aashish Sharma wrote:

>  global smtp_indicator_feed = fmt("%s/feeds/smtp_malicious_indicators.out", @DIR) &redef;
> Problem is: @DIR gives the path of the directory where the script is 
> residing.
> So when I do broctl install - all the scripts go into :
> ../spool/installed-scripts-do-not-touch/

Huh, that's definitely a problem that I can see limiting people.  What 
you might want to do is reference a particular directory and have 
instructions for people that they need to make it writable by the user 
running the Bro process (and the directory could be redef-able).

Alternately, it looks like you're only using that to persist state 
across executions.  Is that right?  If you're doing that, then you could 
possibly get away with storing in $TMP.

Once Broker is in Bro, you can use Broker data stores to store and 
retrieve your data.


Seth Hall * Corelight, Inc * www.corelight.com
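
The redef-able directory suggested in the reply above, as an added example that is not code from the thread or from the Bro distribution. The module name `SMTPFeed`, the option `feed_dir` and its default path are assumptions; only the file name comes from the quoted script.

```bro
module SMTPFeed;

export {
	## Directory that holds the feed file. The default is an assumption
	## made for this example; redef it to a directory that is writable
	## by the user running the Bro process.
	const feed_dir = "/var/lib/bro/feeds" &redef;

	## Full path of the feed file, filled in at startup.
	global smtp_indicator_feed = "";
}

event bro_init() &priority=10
	{
	# Built here rather than from @DIR, so the path no longer follows the
	# script into spool/installed-scripts-do-not-touch/ after
	# "broctl install", and it uses feed_dir as it stands once every
	# redef has been applied.
	smtp_indicator_feed = fmt("%s/smtp_malicious_indicators.out", feed_dir);

	# mkdir() returns T if the directory already exists or was created,
	# and F if it could not be created.
	if ( ! mkdir(feed_dir) )
		Reporter::warning(fmt("SMTPFeed: cannot create %s; redef SMTPFeed::feed_dir",
		                      feed_dir));
	}

# Site configuration, e.g. in local.bro (the path is a placeholder):
#   redef SMTPFeed::feed_dir = "/path/to/writable/feeds";
```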
