[Bro-Dev] Broker data store use case and questions

Michael Dopheide dopheide at es.net
Thu May 10 13:53:32 PDT 2018


Maybe I'm jumping the gun a little bit, but I want to start wrapping my
head around the upcoming changes.  Let's start by stating my use case...  I
wanted to stop the repetitive reverse DNS queries caused by
ssh/interesting-hostnames.bro by rebuilding known-hosts.bro to include the
names, allowing a simple lookup*.  I started re-writing the old one and
Justin pointed me towards the 'new' version of known-hosts in the
topic/actor-system branch.

Looking at the new known-hosts.bro..

1) My initial gut feeling was that all of the when() calls for insertion
could get really expensive on a brand new cluster before the store is
populated.

2) Correct me if I'm wrong, but it seems like the check for a host already
being in known_hosts (now host_store) no longer exists.  As a result, we
try to re-insert the host, calling when(), every time we see an established
connection with a local host.

Which leads me to...

3) How do I retrieve values from the store to test for existence?

4) Assuming that requires another Broker call inside a when(), does it make
sense to pull the data store into memory at bro_init() and do
a Cluster::publish_hrw?

Thanks,
Dop


* - Yes, on the edges this breaks DNS TTLs, but saves thousands of when()
calls to lookup_addr() and our names don't change very frequently.
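An added example, not code from the post or from the topic/actor-system known-hosts.bro, of the existence check item 2 says is missing: it asks the store before resolving and inserting, and memoizes per node so a when() is not started for every established connection. It assumes the Broker store API as it shipped in Bro 2.6 (Broker::create_master, Broker::get, Broker::put, Broker::QueryResult), a hypothetical Known::name_store and store name, and that a get on a missing key does not report Broker::SUCCESS.

```bro
# Added example (not from the post or known-hosts.bro). Assumes the
# Bro 2.6 Broker store API: Broker::create_master, Broker::get,
# Broker::put, Broker::QueryResult; Known::name_store is hypothetical.
module Known;
export {
	global name_store: opaque of Broker::Store;   # addr -> reverse name
	const name_store_expiry = 1day &redef;
}
# Node-local memo: one when() per host per hour, not per connection.
global pending_or_known: set[addr] &create_expire = 1hr;

event bro_init()
	{
	# Single node shown; a cluster would master on one node, clone elsewhere.
	name_store = Broker::create_master("known/names");
	}

function resolve_and_store(host: addr)
	{
	when ( local name = lookup_addr(host) )
		{
		# Expiry keeps the cached name from living forever.
		Broker::put(name_store, host, name, name_store_expiry);
		}
	}

function record_name(host: addr)
	{
	if ( host in pending_or_known )
		return;
	add pending_or_known[host];

	# Existence check; assumes a missing key is not Broker::SUCCESS.
	when ( local r = Broker::get(name_store, host) )
		{
		if ( r$status != Broker::SUCCESS )
			resolve_and_store(host);
		}
	timeout 10sec
		{
		delete pending_or_known[host];  # let a later connection retry
		}
	}

event connection_established(c: connection)
	{
	if ( Site::is_local_addr(c$id$orig_h) )
		record_name(c$id$orig_h);
	}
```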