[Bro-Dev] Broker data store use case and questions
dopheide at es.net
Thu May 10 13:53:32 PDT 2018
Maybe I'm jumping the gun a little bit, but I want to start wrapping my
head around the upcoming changes. Let's start by stating my use case... I
wanted to stop the repetitive reverse DNS queries caused by
ssh/interesting-hostnames.bro by rebuilding known-hosts.bro to include the
names, allowing a simple lookup*. I started rewriting the old one and
Justin pointed me towards the 'new' version of known-hosts in the

Looking at the new known-hosts.bro...

1) My initial gut feeling was that all of the when() calls for insertion
could get really expensive on a brand new cluster before the store is

2) Correct me if I'm wrong, but it seems like the check for a host already
being in known_hosts (now host_store) no longer exists. As a result, we
try to re-insert the host, calling when(), every time we see an established
connection with a local host.

Which leads me to...

3) How do I retrieve values from the store to test for existence?

4) Assuming that requires another Broker call inside a when(), does it make
sense to pull the data store into memory at bro_init() and do

* - Yes, on the edges this breaks DNS TTLs, but saves thousands of when()
calls to lookup_addr() and our names don't change very frequently.
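As an added illustration of the pattern the post is asking about (not code from the poster or from the Bro project's known-hosts.bro), the script below puts a local `set[addr]` in front of a Broker store so that an established connection with an already-handled host costs a set lookup rather than a when() round-trip, and shows the two store calls that answer the existence question: `Broker::put_unique`, which inserts only if the key is absent and reports whether it did, and `Broker::exists`, which answers a pure lookup. The module name `KnownCache`, the store name `"bro/known/hosts-example"`, the timeouts and the expiry interval are assumptions chosen for the example.

```zeek
# Added example (not from the original post or from known-hosts.bro):
# a Broker-backed known-hosts record with a local cache in front of the
# store. Names such as KnownCache and "bro/known/hosts-example" are
# assumptions for this example.

module KnownCache;

export {
	## Master store. In a cluster the manager would create the master and
	## workers would open clones; a single master is enough to show the API.
	global host_store: opaque of Broker::Store;

	## Hosts already confirmed to be in the store, so they are not queried
	## again. Expiry bounds the memory used on a busy sensor.
	global seen: set[addr] &create_expire=1day;

	## How long a store query may take before the when() body is abandoned.
	const query_timeout = 15sec &redef;
}

event bro_init()
	{
	host_store = Broker::create_master("bro/known/hosts-example");
	}

# Insert a host if the store does not have it yet. put_unique combines the
# existence test and the insert in one asynchronous round-trip, so the
# script never needs a separate get() followed by a put().
function record_host(host: addr)
	{
	# Fast path: no Broker call at all for hosts handled earlier.
	if ( host in seen )
		return;

	when ( local r = Broker::put_unique(host_store, host, T, 1day) )
		{
		if ( r$status == Broker::SUCCESS )
			{
			# Whether we inserted or the key was already there, the host
			# is now known to be in the store; cache that fact locally.
			add seen[host];

			# r$result is T only when this call performed the insert.
			if ( r$result as bool )
				print fmt("new host recorded: %s", host);
			}
		else
			Reporter::warning(fmt("known host store query failed for %s", host));
		}
	timeout query_timeout
		{
		Reporter::warning(fmt("known host store query timed out for %s", host));
		}
	}

# Pure existence test, for callers that only want to ask and never insert.
function probe_host(host: addr)
	{
	when ( local e = Broker::exists(host_store, host) )
		{
		if ( e$status == Broker::SUCCESS )
			print fmt("%s in store: %s", host, e$result as bool);
		else
			Reporter::warning(fmt("exists() failed for %s", host));
		}
	timeout query_timeout
		{
		Reporter::warning(fmt("exists() timed out for %s", host));
		}
	}

event connection_established(c: connection)
	{
	if ( Site::is_local_addr(c$id$orig_h) )
		record_host(c$id$orig_h);

	if ( Site::is_local_addr(c$id$resp_h) )
		record_host(c$id$resp_h);
	}
```

Both `Broker::put_unique` and `Broker::exists` return a `Broker::QueryResult`, so `$status` is checked before `$result` is read, and the `timeout` branch keeps a slow or unreachable store from leaving the query pending forever. The cache in `seen` is what removes the per-connection when() cost described in point 2; the store itself is only consulted once per host per expiry period. The event is spelled `bro_init` to match the post; current Zeek names it `zeek_init` and expects an explicit capture list on `when` blocks inside functions.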