[Bro] Bro communications
Christian Kreibich
christian at whoop.org
Thu Jun 23 17:16:08 PDT 2005
Hi Alex,
On Thu, 2005-06-23 at 19:02 +0200, Alexander Scholz wrote:
> Hello everyone,
>
> I am looking for possibilities to connect several Bro Systems like it
> is descibed in Broccoli API from Christian Kreibich. I did not find
> something in the Bro manual.
>
> Is there a possibility to send events encrypted from one Bro host to
> another by using policy scripts?
oh definitely! It's more like Broccoli is the special case, not Bro-Bro
communication. :)
It's all done using the same table that you use to configure just the
Bro end in Bro-Broccoli exchanges. Look at the definition of the
Destination record type in remote.bro. All of these fields can be set by
individual entries in the destinations table.
For example, this is the configuration of the responding host for
Broccoli's broping example:
redef Remote::destinations += {
["broping"] = [$host = 127.0.0.1, $events = /ping/, $connect=F, $ssl=F]
};
The corresponding configuration for a Bro node sending out the pins
would be:
redef Remote::destinations += {
["broping"] = [$host = 127.0.0.1, $events = /pong/, $connect=T, $ssl=F]
};
Notice that the "pinger" subscribes to "pong" events, and the "ponger"
subscribes to "ping" events. Also, "connect" is true in one case but
false in the other -- that's how you configure who established the
connection. To enable SSL, set $ssl=T on both ends. The configuration of
SSL certificates remains unchanged from how it's described in the
Broccoli docs.
Hope this helps -- good luck!
Cheers,
Christian.
--
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25
http://www.whoop.org
More information about the Bro
mailing list