[Bro-Dev] Log::set_buf Ineffective Before First Write

Logan Lembke logan at blackhillsinfosec.com
Tue Nov 28 12:40:28 PST 2017


Hello,
I am currently writing a Bro IDS logging plugin for logging to MongoDB. We
have implemented both buffered and unbuffered writes and rely on
WriterBackend::DoSetBuf to be called in order to switch between the
approaches.

Currently, we use a bro script which attaches our plugin to the Conn log
and calls Log::set_buf in order to configure the buffering behavior.
However, DoSetBuf never gets called on our plugin.

In Manager.cc, Manager::SetBuf loops over the list of writers registered
with a given stream and calls the SetBuf method on each of the
WriterFrontends. Unfortunately, this list of registered writers is empty
before the first write, as writers are initialized as they are needed in
the Manager::Write method.

Effectively, this prevents configuring buffering behavior before the first
write occurs. I'm new to the Bro code base, but I believe a fix could be
made by storing the buffering behavior on the stream and checking this
behavior on writer initialization.

Here is the bro script I am currently using,

The source code for the plugin is at
https://github.com/ocmdev/bro-mongodb/tree/optionalBuffer.

Does this look like a valid problem?

Logan
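A toy model of the ordering problem described above, added here as an illustration rather than code from Bro or the bro-mongodb plugin: the Manager, Stream and WriterFrontend names only mimic the structure the post describes, the "fix" branch is the change the post proposes (remember the buffering preference on the stream and apply it when the writer is created lazily), and the script order in run() is an assumption.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class WriterFrontend:
    """Stands in for a WriterFrontend and its backend; records SetBuf calls."""
    buffered: bool = True  # assumed default for the toy model
    set_buf_calls: List[bool] = field(default_factory=list)

    def SetBuf(self, enabled: bool) -> None:
        self.buffered = enabled
        self.set_buf_calls.append(enabled)


@dataclass
class Stream:
    writers: Dict[str, WriterFrontend] = field(default_factory=dict)
    buffering: Optional[bool] = None  # used only by the fixed variant


class Manager:
    def __init__(self, fix: bool) -> None:
        self.fix = fix  # False: behaviour reported; True: proposed change
        self.streams: Dict[str, Stream] = {}

    def CreateStream(self, sid: str) -> None:
        self.streams[sid] = Stream()

    def SetBuf(self, sid: str, enabled: bool) -> None:
        stream = self.streams[sid]
        if self.fix:
            stream.buffering = enabled  # remember the preference on the stream
        for w in stream.writers.values():  # empty before the first Write
            w.SetBuf(enabled)

    def Write(self, sid: str, writer_name: str, record: dict) -> WriterFrontend:
        stream = self.streams[sid]
        w = stream.writers.get(writer_name)
        if w is None:  # writers are initialised lazily on first write
            w = WriterFrontend()
            if self.fix and stream.buffering is not None:
                w.SetBuf(stream.buffering)  # apply the stored preference
            stream.writers[writer_name] = w
        return w


def run(fix: bool) -> WriterFrontend:
    """Assumed script order: set_buf(False) before the first write."""
    m = Manager(fix)
    m.CreateStream("Conn::LOG")
    m.SetBuf("Conn::LOG", False)
    return m.Write("Conn::LOG", "mongodb", {"uid": "constructed"})
```

With fix=False the writer never sees a SetBuf call and keeps its default; with fix=True the stored preference reaches the writer at creation.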