Bro log into MySQL

manu manux at rstack.org
Fri Nov 14 08:58:16 PST 2003


You can find a patch for the bro "CURRENT" release which enables you to 
log in a MySQL database at http://manux.rstack.org/bro_mysql.

It requires the library MySQL++.
It uses a new bro bif called log_external which logs alerts according to 
a method passed as an argument.

With this patch the only supported method is ALERT_LOG_EXTERNAL_SQL 
which logs in a MySQL database.

A basic bro script that uses this method is given as an example 
(policy/test.bro).

For instance:
[paul at duncan bro-pub-0.8a48.dev-mysql]$ ./bro -r example-attacks/ftp-site-exec.trace test
976284129.459304 0.91239 other-3914 431 0 38.33.11.127 131.243.169.116 SF X
976284140.775142 0.567636 other-3915 304 0 38.33.11.127 131.243.169.116 SF X
...

mysql> select * from conn_bro;
+-----+------------------+----------+-----------------+-----------------+-----------+-----------+--------------+-----------+-----------+-----------+-------+------+------+
| cid | start_time       | duration | orig_addr       | resp_addr       | orig_port | resp_port | addl         | conn_type | orig_size | resp_size | state | type | code |
+-----+------------------+----------+-----------------+-----------------+-----------+-----------+--------------+-----------+-----------+-----------+-------+------+------+
|   1 | 976284129.459304 |        1 | 38.33.11.127    | 131.243.169.116 | 20/tcp    | 3914/tcp  | Hello world! |         0 |       431 |         0 | SF    |    0 |    0 |
|   2 | 976284140.775142 |        1 | 38.33.11.127    | 131.243.169.116 | 20/tcp    | 3915/tcp  | Hello world! |         0 |       304 |         0 | SF    |
...

Other methods should come out: RRD and SPO (Snort Plugin Output). If 
anyone has already done that, I would like to share with you.

Feedback would be appreciated.

Manu


"Anton Chuvakin, Ph.D." wrote:
>
> >I am wondering whether anyone has tried direct bro log into mysql table or not.
> Well, what do you mean by "log"? All contents of all files or alert.log
> contents only?
>
> I was thinking of doing the same thing for MySQL logging, but there seems
> to be little value in that: the logs are pretty much free form text and no
> sensible schema can be designed. RDBMS will be just as good as a plain
> text file...
>
> >Otherwise I will create simple perl/DBI interface by myself.
> Do share the code, if/when it's created.
>
> --
> Anton Chuvakin, Ph.D., GCIA, GCIH
> Senior Security Analyst
> Product Management Group
> netForensics -  http://www.netForensics.com
> 732-393-6071
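The conn_bro table shown in the message above, as an added example that is not part of the post or of the bro_mysql patch: a small loader that parses the two conn summary lines printed by the patched bro run into a table with the same columns, then answers the kind of query (per-originator listing, bytes per responder) that a plain-text conn log cannot give without reparsing. sqlite3 stands in for MySQL so that it runs without a server; the column types, the field order of the 0.8-era conn line and the parse_conn_line / load_conn_lines / connections_from / bytes_by_responder names are all assumptions of this example, not taken from the patch. Values are bound as parameters rather than formatted into SQL, which is the one thing to get right when attacker-influenced fields such as addl end up in a database.

```python
import re
import sqlite3

# Two conn summary lines, copied from the bro run shown in the message
# (embedded here so the example runs offline).
SAMPLE_CONN_LINES = """\
976284129.459304 0.91239 other-3914 431 0 38.33.11.127 131.243.169.116 SF X
976284140.775142 0.567636 other-3915 304 0 38.33.11.127 131.243.169.116 SF X
"""

# Table mirroring the conn_bro columns of the message. Column types are an
# assumption (the patch's CREATE TABLE is not shown); sqlite3 stands in for MySQL.
CREATE_CONN_BRO = """
CREATE TABLE conn_bro (
    cid        INTEGER PRIMARY KEY AUTOINCREMENT,
    start_time TEXT    NOT NULL,
    duration   REAL    NOT NULL,
    orig_addr  TEXT    NOT NULL,
    resp_addr  TEXT    NOT NULL,
    orig_port  TEXT,
    resp_port  TEXT,
    addl       TEXT,
    conn_type  INTEGER NOT NULL DEFAULT 0,
    orig_size  INTEGER NOT NULL,
    resp_size  INTEGER NOT NULL,
    state      TEXT    NOT NULL,
    type       INTEGER NOT NULL DEFAULT 0,
    code       INTEGER NOT NULL DEFAULT 0
)
"""

INSERT_CONN_BRO = """
INSERT INTO conn_bro (start_time, duration, orig_addr, resp_addr, orig_port,
                      resp_port, addl, orig_size, resp_size, state)
VALUES (:start_time, :duration, :orig_addr, :resp_addr, :orig_port,
        :resp_port, :addl, :orig_size, :resp_size, :state)
"""

# "other-3914" style service names carry the responder port; a plain name
# such as "ftp" does not, so resp_port stays NULL for those.
OTHER_SERVICE_RE = re.compile(r"^other-(\d+)$")


def parse_conn_line(line):
    """Turn one conn summary line into a dict keyed by conn_bro column.

    Field order (start time, duration, service, orig bytes, resp bytes,
    orig addr, resp addr, state, addl...) is inferred from the two sample
    lines: an assumption, not something the patch documents."""
    fields = line.split()
    if len(fields) < 8:
        raise ValueError("malformed conn line: %r" % line)
    start, duration, service, obytes, rbytes, oaddr, raddr, state = fields[:8]
    m = OTHER_SERVICE_RE.match(service)
    return {
        "start_time": start,
        "duration": float(duration),
        "orig_addr": oaddr,
        "resp_addr": raddr,
        "orig_port": None,  # the summary line does not carry the originator port
        "resp_port": "%s/tcp" % m.group(1) if m else None,
        "addl": " ".join(fields[8:]) or None,
        "orig_size": int(obytes),
        "resp_size": int(rbytes),
        "state": state,
    }


def load_conn_lines(db, text):
    """Insert every non-empty line of text; returns the number of rows added.
    Fields are bound as parameters, so a crafted addl value cannot alter SQL."""
    rows = [parse_conn_line(l) for l in text.splitlines() if l.strip()]
    with db:
        db.executemany(INSERT_CONN_BRO, rows)
    return len(rows)


def build_db(text=SAMPLE_CONN_LINES):
    """Create an in-memory conn_bro table and load the given conn lines."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.execute(CREATE_CONN_BRO)
    load_conn_lines(db, text)
    return db


def connections_from(db, orig_addr):
    """All rows originated by one address, oldest first (parameterised query)."""
    cur = db.execute(
        "SELECT * FROM conn_bro WHERE orig_addr = ? ORDER BY start_time",
        (orig_addr,))
    return cur.fetchall()


def bytes_by_responder(db):
    """Connection count and bytes sent per responder address/port."""
    cur = db.execute(
        "SELECT resp_addr, resp_port, COUNT(*) AS n, SUM(orig_size) AS sent "
        "FROM conn_bro GROUP BY resp_addr, resp_port ORDER BY sent DESC")
    return [tuple(r) for r in cur.fetchall()]


if __name__ == "__main__":
    db = build_db()
    for row in connections_from(db, "38.33.11.127"):
        print(dict(row))
    print(bytes_by_responder(db))
```

Swapping sqlite3 for a MySQL driver changes only the connect call and the parameter style; the schema and the parameterised statements carry over as they are.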
